Due to restrictions set by Apple, escrowing the personal recovery key with Miradore works only during encryption. This means that escrowing the personal recovery key on an already encrypted macOS device requires some additional steps. After deploying the FileVault configuration profile, access the encrypted macOS device and perform one of the following:
- Change the recovery key
- Disable FileVault
You can find the detailed procedures in the following subsections.
Changing the recovery key
Note: You need to have administrator privileges to perform this procedure.
1. Open the Terminal on the macOS device.
2. Run the following command:
sudo fdesetup changerecovery -personal
3. Enter the username and password.
Result: The new FileVault recovery key is shown.
4. Log in to the Miradore console.
5. Select Devices, and after that select the device in question.
6. From the Actions menu, select Sync now.
Disabling FileVault
Note: You need to have administrator privileges to perform this procedure.
1. Open the Terminal on the macOS device.
2. Run the following command:
sudo fdesetup disable
3. Enter the username and password.
Alternatively, you can also perform steps 1–3 from the macOS settings: System Settings > Privacy & Security > FileVault.
4. Log out from the macOS device.
5. Log in to the macOS device.
FileVault is enabled automatically, and a new recovery key is generated. Wait for the process to complete.
6. Log in to the Miradore console.
7. Select Devices, and after that select the device in question.
8. From the Actions menu, select Sync now.
Result: With both options, the last step causes the new recovery key to be collected and stored in Miradore, provided that the FileVault configuration profile with escrow enabled is deployed to the device.
Note: After selecting Sync now, it takes a while before the recovery key becomes visible.
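The following check is an added example, not part of the original article or Miradore's own tooling: it reads the FileVault state on the Mac and prints which of the steps above applies before you select Sync now. The function names are hypothetical, and the matched strings ("FileVault is On.", "FileVault is Off.", "in progress", "true") are assumptions about the output of fdesetup status and fdesetup haspersonalrecoverykey.

```shell
#!/bin/sh
# Added example (not Miradore code). Function names are hypothetical.

# classify_filevault STATUS_TEXT HAS_PRK
#   STATUS_TEXT: output of `fdesetup status`
#   HAS_PRK:     output of `fdesetup haspersonalrecoverykey` ("true"/"false")
classify_filevault() {
    # An ongoing encryption/decryption is checked first because the status
    # text can also contain an On/Off line while the conversion is running.
    case $1 in
        *"in progress"*) echo "in-progress"; return 0 ;;
    esac
    case $1 in
        *"FileVault is On."*)
            if [ "$2" = "true" ]; then
                echo "encrypted-with-prk"
            else
                echo "encrypted-no-prk"
            fi ;;
        *"FileVault is Off."*) echo "not-encrypted" ;;
        *) echo "unknown" ;;
    esac
}

# next_step STATE: map a state to the step from the procedure above.
next_step() {
    case $1 in
        not-encrypted) echo "Key is escrowed during encryption; no extra steps." ;;
        in-progress)   echo "Wait for the process to complete, then Sync now." ;;
        encrypted-*)   echo "Change the recovery key or disable FileVault, then Sync now." ;;
        *)             echo "Unrecognized fdesetup output; check the device manually." ;;
    esac
}

# Runs only where fdesetup exists (macOS); requires administrator privileges.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_filevault "$(sudo fdesetup status)" \
                               "$(sudo fdesetup haspersonalrecoverykey)")
    echo "State: $state"
    next_step "$state"
fi
```

The script cannot tell whether a key has already been escrowed; confirm that in the Miradore console after the sync.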