FileVault Encryption

Jamf Pro Documentation 11.16.0


You can turn on FileVault encryption on computers in your environment using the built-in functionality in Jamf Pro. FileVault is the native encryption capability built into Mac computers. Enabling it with Jamf Pro makes computers require a user's credentials to complete the boot process, ensuring that data on the computer is secure. Additionally, after a computer turns on FileVault and escrows its personal recovery key (PRK) with Jamf Pro, you can use that key to reset user passwords and access macOS recovery.

You can turn on FileVault using the following methods available in Jamf Pro:

Deploy a configuration profile with FileVault settings: With this method, the settings install immediately, prompting the end user to turn on FileVault either at login or logout. If configured to use a PRK, the computer escrows the key with Jamf Pro at the time of the next inventory update. Jamf recommends this method for most environments.

Deploy a disk encryption configuration with a policy: With this method, the settings install at the time the policy is configured to be run, prompting the end user to turn on FileVault either at login or logout. If configured to use a PRK, the Jamf management framework on the computer escrows the key with Jamf Pro immediately upon running the policy. Jamf recommends this method for environments where advanced user experience customizations or custom triggers are required.

Note: Choose only one method to enable FileVault. Using more than one method per target computer can result in unexpected behaviors.

After FileVault has been turned on for target computers, you can use Jamf Pro to view the PRK and issue a new one.
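
Because both methods only prompt the user at login or logout, a target computer can hold the settings for some time before it is actually encrypted. The following check is an added example, not part of the Jamf documentation or Jamf's own code: it classifies a Mac from the output of the macOS `fdesetup` tool. The function names are hypothetical, and it assumes the deployment is configured to use a PRK.

```shell
#!/bin/sh
# Added example (not Jamf code); fv_state and fv_verdict are hypothetical names.
# Matching is on substrings of fdesetup output; anything else is "unknown".

# Classify the text printed by `fdesetup status`.
fv_state() {
    case "$1" in
        *"Deferred enablement"*)    echo "deferred" ;;   # enablement pending at next login or logout
        *"Encryption in progress"*) echo "encrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Combine that state with the true/false printed by
# `fdesetup haspersonalrecoverykey` (assumption: the deployment uses a PRK).
fv_verdict() {
    state=$(fv_state "$1")
    case "$state:$2" in
        on:true|encrypting:true) echo "ok: FileVault $state, PRK present" ;;
        on:*|encrypting:*)       echo "review: FileVault $state, no PRK on this Mac" ;;
        deferred:*)              echo "pending: waiting for user login or logout" ;;
        off:*)                   echo "fail: FileVault off" ;;
        *)                       echo "unknown: unrecognized fdesetup output" ;;
    esac
}

# Live check, only where fdesetup exists (a Mac); the PRK query needs root.
if command -v fdesetup >/dev/null 2>&1; then
    fv_verdict "$(fdesetup status 2>&1)" "$(fdesetup haspersonalrecoverykey 2>/dev/null)"
fi
```

A PRK present on the Mac does not prove it was escrowed, so also confirm that Jamf Pro shows the key for that computer.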