How get recovery key for mac filevault
Select the View Recovery Key and note the Personal Recovery Key that is escrowed.elect Security from the More drop down menu.To view an escrowed recovery key on the SSP portal, perform the following steps: The personal recovery key can also be viewed on the Self Service Portal, where the FileVault Personal Recovery Key (PRK) is automatically rotated 15 minutes after being accessed by the device user. View Escrowed Personal Recovery Key on the SSP If an encrypted macOS volume is decrypted and then re-encrypted, then the previous personal recovery key would become invalid and a new one is created as part of the re-encryption process. The Previous Recovery Key field is loaded with the old key only if the Personal Recovery Key had been rotated at least once. If required, note the Previous Recovery Key.Note the Personal Recovery Key that is escrowed.To view an escrowed recovery key, perform the following within the Device Details page on the UEM console. The personal recovery key is generated when FileVault 2 encryption is enabled and remains valid until the personal recovery key is changed or the disk is decrypted using that key. View Escrowed Personal Recovery Key on the UEM Console Once FileVault is enabled on the device, the Personal Recovery Key will be reported to a Workspace ONE UEM server or another designated server. Choose Personal as the recovery type and configure the recovery key settings as needed.Personal recovery encryption is useful if the user wants the benefit of viewing and keeping a Personal Recovery Key from decrypt. After a reboot, the device will begin the encryption process in the background and the user can continue their daily tasks normally without fear of interruption.Įnable Personal Recovery Encryption for a macOS Device If configured, users may also be shown the recovery key to give them the option of saving it for later use. Once this profile is deployed to the device, the user will see a prompt from the Workspace ONE Intelligent Hub taking them through the process of encrypting the disk. This means that the compromise of one key on one device does not compromise the security of other devices. Also, Personal keys are beneficial because they are unique to each device. Use Personal keys rather than Enterprise keys because Workspace ONE UEM can audit access to these keys, since they are escrowed in the UEM console. Additionally, that key can be reported to the UEM console to allow administrators to use the key to decrypt the device if necessary. Once FileVault is enabled on the device, the Institutional Recovery Key will be reported to the server.Įnabling Personal as the recovery type will allow the user of the device to use a recovery key to decrypt their device. For more information, see the Configure a FileVault Institutional Recovery keysection. Configure a FileVault Master Keychain.Choose Institutional as the recovery type and configure the recovery key settings as needed.Generally, Institutional recovery is reserved for Corporate Owned, Line-of-Business devices where the user does not have the ability to decrypt the device if they forget the login password. Institutional recovery is beneficial because the network administrator can decrypt any device using a single Institutional Recovery Key, saving time by not needing to enter a unique Personal Recovery Key for each computer. Once FileVault is enabled on the device, the Personal Recovery Key will be reported to the server.
These include recovery keys for Personal use, Institutional use, or a combination of both. Once the decision is made to encrypt your managed devices, you have options that allow you to choose the best recovery model for your deployment. With FileVault2, Workspace ONE UEM builds on native capabilities to encrypt the drive and provides functionality within the Workspace ONE Intelligent Hubto force the user to complete the encryption process.
Enforce an encryption policy on macOS computers to protect data on the hard drive and escrowing recovery keys stored in Workspace ONE UEM so the keys can be recovered at later time.