By default, FileVault recovery keys are sent to Apple if the user requests.
If FileVault is enabled after this profile is installed, the FileVault PRK will be encrypted with the specified
certificate, wrapped in a CMS envelope and written to a file at
This data will also be made available as part of a response to an MDM
Caveats mentioned in the official guide:
- Must be system scoped
- Installing multiple payloads results in an error.
- The previous, deprecated payload (com.apple.security.FDERecoveryRedirect) can be installed but will be ignored.
- If only the old payload is installed when FileVault is turned on, it will cause an error.
- If FileVault was already enabled and escrowed with the old payload, no warning or error will be shown.
A short description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault.
Required. The UUID of a payload within the same profile that contains the certificate that will be used to encrypt the recovery key. The referenced payload must be of type com.apple.security.pkcs1.
Optional. An optional string that will be included in help text if the user appears to have forgotten the password. Can be used by a site admin to look up the escrowed key for the particular machine. Replaces the RecordNumber key used in previous escrow mechanism. If missing, the device serial number will be used instead.