Turning on FileVault Disk Encryption Using a Configuration Profile

Jamf Pro Documentation 11.16.0


You can turn on FileVault disk encryption on managed computers using a configuration profile. The disk encryption configuration deploys immediately to the computer. It activates at the next user login or logout.
Note: You cannot use an institutional recovery key with a private key to turn on FileVault Disk Encryption using a configuration profile in Jamf Pro. You must create and deploy the disk encryption configuration using a policy in Jamf Pro.
  1. In Jamf Pro, click Computers in the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings and the distribution method.
    Note: This configuration profile payload can only be applied at the Computer Level. Only payloads and settings that apply to the selected level are displayed for the profile.
  5. Use the Security & Privacy payload to configure FileVault settings.
    Important: Configuration profiles configured with the Force Enable In Setup Assistant setting enabled must be deployed as part of a PreStage enrollment to turn on FileVault for managed computers. In addition, target computers must have macOS 14.0 or later. If the Account Settings payload in the PreStage enrollment is configured to create an additional local user account, the Local User Account Type must be set to Administrator Account. For more information on how to include a configuration profile in a PreStage Enrollment, see "Installing Configuration Profiles during Automated Device Enrollment" in Automated Device Enrollment for Computers.
    1. Click FileVault.
    2. Use the toggle to include the Enable FileVault setting.
    3. In the Event to prompt FileVault enablement setting, select At Login.
    4. Choose Personal recovery key, Institutional recovery key, or both.
    5. If you are using an institutional key, select the certificate that contains the public key from the institutional recovery keychain. You can use the Certificate payload to upload an institutional recovery key to Jamf Pro.
    6. Click Escrow Personal Recovery Key to enable the device to encrypt the personal recovery key with the provided certificate and report it to Jamf Pro.
  6. (Optional) Use the rest of the payloads to configure the settings you want to apply.
  7. Click the Scope tab and configure the scope of the profile.
  8. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self Service settings for the profile.
  9. Click Save.
The FileVault settings are deployed immediately to computers in the scope. Volumes are encrypted after users authenticate to macOS upon logging out.
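The profile that steps 4 through 5 above produce, reconstructed as an added example (not Jamf Pro's own generated output, whose identifiers and display names differ) from Apple's documented FileVault, recovery-key-escrow and certificate payload keys, with a pre-deployment check that the personal recovery key actually has somewhere to go. The identifiers, the dummy certificate bytes, the `check_profile` helper and the mapping of the At Login choice onto `DeferForceAtUserLoginMaxBypassAttempts=0` are assumptions made for this example.

```python
import plistlib
import uuid

def _payload(ptype: str, ident: str, puuid: str = None, **keys) -> dict:
    # Common keys every payload dictionary must carry
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": puuid or str(uuid.uuid4()).upper(), **keys}

def build_filevault_profile(escrow_cert_der: bytes, location: str = "Jamf Pro") -> dict:
    """Profile equivalent to the steps above: FileVault on, prompt at login,
    personal recovery key escrowed under the supplied certificate (Apple's
    FDEFileVault / FDERecoveryKeyEscrow / Certificate payload keys)."""
    cert_uuid = str(uuid.uuid4()).upper()  # constructed; ties escrow payload to cert payload
    filevault = _payload("com.apple.MCX.FileVault2", "com.example.fv.fde",
        Enable="On",
        Defer=True,                                # prompt the user instead of enabling silently
        DeferForceAtUserLoginMaxBypassAttempts=0,  # assumed mapping of "At Login": no skipping
        UseRecoveryKey=True,                       # generate a personal recovery key
        ShowRecoveryKey=False)                     # never display it; it is escrowed instead
    escrow = _payload("com.apple.security.FDERecoveryKeyEscrow", "com.example.fv.escrow",
        Location=location,                 # name shown to the user at enablement time
        EncryptCertPayloadUUID=cert_uuid)  # PRK is encrypted to this certificate before upload
    cert = _payload("com.apple.security.pkcs1", "com.example.fv.cert", cert_uuid,
        PayloadContent=escrow_cert_der)    # DER-encoded public certificate (constructed input)
    return _payload("Configuration", "com.example.fv", PayloadScope="System",  # computer level
        PayloadDisplayName="FileVault (constructed example)",
        PayloadContent=[filevault, escrow, cert])

def check_profile(profile: dict) -> list:
    """Pre-deployment checks: a recovery key that is generated but neither shown nor
    escrowed, or escrowed to a certificate the profile does not carry, is unrecoverable."""
    payloads = profile["PayloadContent"]
    by_type = {}
    for p in payloads:
        by_type.setdefault(p["PayloadType"], []).append(p)
    fv = by_type.get("com.apple.MCX.FileVault2", [])
    esc = by_type.get("com.apple.security.FDERecoveryKeyEscrow", [])
    certs = {p["PayloadUUID"] for p in by_type.get("com.apple.security.pkcs1", [])}
    problems = []
    if not fv or fv[0].get("Enable") != "On":
        problems.append("no FileVault payload with Enable=On")
    elif fv[0].get("UseRecoveryKey") and not fv[0].get("ShowRecoveryKey") and not esc:
        problems.append("personal recovery key is neither shown nor escrowed")
    problems += ["escrow references a certificate payload not in the profile"
                 for e in esc if e.get("EncryptCertPayloadUUID") not in certs]
    return problems

def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)  # XML plist, ready to sign and upload
```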