Escrowing the personal recovery key for the encrypted macOS device

Created on December 14th, 2023

Due to restrictions set by Apple, escrowing the personal recovery key with Miradore works only during encryption. This means that escrowing the personal recovery key on an already encrypted macOS device requires some additional steps. After deploying the FileVault configuration profile, access the encrypted macOS device and perform one of the following:

  • Change the recovery key
  • Disable FileVault

You can find the detailed procedures in the following subsections.

Changing the recovery key

Note: You need to have administrator privileges to perform this procedure.

1. Open the Terminal on the macOS device.

2. Run the following command:

sudo fdesetup changerecovery -personal

3. Enter the username and password.

Result: The new FileVault recovery key is shown.

4. Log in to the Miradore console.

5. Select Devices, and after that select the device in question.

6. From the Actions menu, select Sync now.

Disabling FileVault

Note: You need to have administrator privileges to perform this procedure.

1. Open the Terminal on the macOS device.

2. Run the following command:

sudo fdesetup disable

3. Enter the username and password.

Alternatively, you can also perform steps 1–3 from the macOS settings: System Settings > Privacy & Security > FileVault.

4. Log out from the macOS device.

5. Log in to the macOS device.

FileVault is enabled automatically, and a new recovery key is generated. Wait for the process to complete.

6. Log in to the Miradore console.

7. Select Devices, and after that select the device in question.

8. From the Actions menu, select Sync now.

Result: With both options, the last step causes the new recovery key to be collected and stored in Miradore when the FileVault configuration profile with escrow enabled is deployed to the device.

Note: After selecting Sync now, it takes a while before the recovery key becomes visible.
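
The following check is an added example, not part of the original article or Miradore's own tooling. Run on the Mac after either procedure, it reports whether the device is in a state where Sync now can collect a key. It assumes the `fdesetup status` and `fdesetup haspersonalrecoverykey` output formats shown in the comments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Miradore's code). Assumed output formats, shown here as
# constructed samples:
#   fdesetup status                 -> "FileVault is On." / "FileVault is Off."
#                                      plus "Encryption in progress: ..." while converting
#   fdesetup haspersonalrecoverykey -> "true" / "false"

# classify_fv_state STATUS_TEXT HAS_PRK
# Prints one of: ready | wait | needs-key | off | unknown
classify_fv_state() {
    status_text=$1
    has_prk=$2
    # A conversion that is still running means the key state is not final yet.
    case $status_text in
        *"Encryption in progress"*|*"Decryption in progress"*)
            echo wait; return 0 ;;
    esac
    case $status_text in
        *"FileVault is On"*)
            if [ "$has_prk" = "true" ]; then echo ready; else echo needs-key; fi ;;
        *"FileVault is Off"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Map each state to the step of the procedure it corresponds to.
next_step() {
    case $1 in
        ready)     echo "Select Sync now for this device in the Miradore console." ;;
        wait)      echo "Wait for the process to complete, then check again." ;;
        needs-key) echo "No personal recovery key found; see 'Changing the recovery key'." ;;
        off)       echo "Log out and log in so that FileVault is enabled again." ;;
        *)         echo "Unrecognized fdesetup output; check FileVault in System Settings." ;;
    esac
}

# Live check: runs only on a Mac, and only when invoked with --live.
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_fv_state "$(sudo fdesetup status)" \
                              "$(sudo fdesetup haspersonalrecoverykey)")
    echo "State: $state"
    next_step "$state"
fi
```

A `ready` result only describes the local FileVault state; whether the key was escrowed is confirmed in the Miradore console after the sync.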
