FileVault 2

Template

You can use FileVault 2 to perform full XTS-AES 128 encryption on the contents of a volume. Removal of the FileVault payload does not disable FileVault.

A personal recovery user will normally be created unless the UseRecoveryKey key value is false.

An institutional recovery key will be created only if either there is certificate data available in the Certificate key value, a specific certificate payload is referenced, or the UseKeychain key value is set to true and a valid FileVaultMaster.keychain file was created.

In all cases, the certificate information must be set up properly for FileVault or it will be ignored and no institutional recovery key will be set up.

Summary

PayloadType:com.apple.MCX.FileVault2
Supervised Only:
 N/A
macOS:10.9
macOS Deprecated:
 10.12.6
iOS:N/A
iOS Deprecated:N/A
Highlander:N/A

Keys

Enable

Enable FileVault 2

Set to ‘On’ to enable FileVault. Set to ‘Off’ to disable FileVault. This value is required.

Type Default Required Regex iOS macOS Supervised
boolean N/A always N/A N/A N/A N/A

Defer

Defer enabling until logout

Set to true to defer enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

UserEntersMissingInfo

User enters username and password

Set to true for manual profile installs to prompt for missing user name or password fields.

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

UseRecoveryKey

Create a personal recovery key

Set to true to create a personal recovery key

Type Default Required Regex iOS macOS Supervised
boolean True N/A N/A N/A N/A N/A

ShowRecoveryKey

Show the personal recovery key

Set to false to not display the personal recovery key to the user after FileVault is enabled

Type Default Required Regex iOS macOS Supervised
boolean True N/A N/A N/A N/A N/A

OutputPath

Recovery key path

Path to the location where the recovery key and computer information plist will be stored.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Certificate

Certificate

DER-encoded certificate data if an institutional recovery key will be added.

Type Default Required Regex iOS macOS Supervised
data N/A N/A N/A N/A N/A N/A

PayloadCertificateUUID

Recovery Key Certificate Payload

UUID of the payload containing the asymmetric recovery key certificate payload.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Username

Username

User name of the Open Directory user that will be added to FileVault.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Password

Password

User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

UseKeychain

Add institutional recovery key to keychain

If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

DeferForceAtUserLoginMaxBypassAttempts

Maximum number of times FileVault can be skipped

When using the Defer option you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it will require that it be enabled before the user can log in. If set to 0, it will always prompt to enable FileVault until it is enabled, though it will allow you to bypass enabling it. Setting this key to –1 will disable this feature.

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A 10.10.0 N/A