July 4, 2025
By: Marc Nahum – Senior Product Manager | Microsoft Intune
FileVault is Apple’s built-in disk encryption technology for macOS. Deploying it securely and effectively in an enterprise setting requires a deeper understanding of how it works.
Originally launched in 2005 with Mac OS X 10.3 Panther, FileVault has evolved significantly. The release of FileVault 2 in 2011 with Mac OS X Lion marked a major upgrade. Since then, Apple has continued to improve its capabilities. For example, macOS Sequoia now supports unlocking FileVault using Microsoft Entra ID credentials through Platform SSO.
In this blog, you’ll learn how to:
- Enable FileVault for macOS using Microsoft Intune
- Use and manage recovery keys
- Manually import FileVault recovery keys into Intune
- Troubleshoot FileVault issues during device migration to Intune
Although FileVault has been around for nearly 20 years, much of the guidance available online is outdated or based on older versions of macOS. This blog focuses on current best practices for enterprise deployment, specifically for:
- Devices running macOS Sonoma (version 14) or later
- Apple silicon hardware
- Microsoft Intune as the mobile device management (MDM) solution for policy enforcement and recovery key escrow
Legacy methods, such as Institutional Recovery Keys, are now considered obsolete and won’t be covered. Instead, we focus on building a modern, secure, and maintainable FileVault deployment strategy.
Are recent Mac devices encrypted by default?
Yes. Apple silicon Macs, and Intel-based Macs with a T2 Security Chip, are encrypted by default at the hardware level. This encryption uses a unique identifier stored in the Secure Enclave.
However, the encryption becomes user-aware and policy-enforceable only when FileVault is enabled. Once activated, FileVault enhances security by linking the encryption to the user’s login password in addition to the hardware-based key. This ensures that access to the data requires proper user authentication.
Apple provides detailed information on this process in their Apple Platform Security Guide.
Enabling FileVault with Intune
FileVault is a key component of macOS security and should be considered a mandatory requirement for organizations except where local laws explicitly prevent it.
Intune offers several ways to configure FileVault, but the settings catalog is the recommended approach. It helps avoid policy conflicts and ensures consistent, reliable behavior across devices. It’s also the most future-proof method, as it aligns with ongoing platform and Intune updates.
📋 Steps to configure FileVault via settings catalog
- Sign in to the Microsoft Intune admin center
- Navigate to Devices > macOS
- Create a new configuration profile:
  - Profile type: Settings Catalog
  - Name the profile and provide a clear description
- In the Settings Picker, locate Full Disk Encryption and configure the following in its subsections:
  - FileVault
    - Defer → Enabled
    - Enable → On (default)
    - Force Enable In Setup Assistant → True
    - Recovery Key Rotation in Months → (e.g., 6 months)
  - FileVault Options
    - Prevent FileVault From Being Disabled → True
  - FileVault Recovery Key Escrow
    - Location → Your Enterprise Name
- Note: The Defer setting was mandatory in certain versions of macOS. While this might not be required in the latest releases, it’s still recommended to enable it for added security and a more predictable user experience.
- Proceed through Scope tags and Assignments.
It’s recommended to assign the profile to All devices (interpreted here as “all Macs”) and to use filters if needed. Static device groups are also an option, but dynamic device groups are not compatible with the “Force Enable In Setup Assistant” option, which is needed to enforce encryption during Setup Assistant without user intervention.
If you’re using Platform SSO with password synchronization, you can use the FileVault Policy setting to force a device that is connected to the network to check the Microsoft Entra ID password when it is turned back on (macOS 15 and later).
This setting can be found in the settings catalog under Authentication / Extensible Single Sign On (SSO) / Platform SSO and must be set to: AttemptAuthentication
Refer to this article to properly configure Platform SSO and select the method to use it: Configure Platform SSO for macOS devices in Microsoft Intune.
Once the profile is deployed and the device receives the configuration, FileVault will be activated and the recovery key securely escrowed in Intune.
The key is stored in the device properties, Recovery Keys section and is accessible only to admins with proper role-based access. All access is audited.
If the device is set as “Personal” in Intune, the recovery key will not be visible in the admin center.
Enrollment scenarios compared in the original table: enrolled with Automated Device Enrollment, with the device in Apple Business Manager; enrolled from the Intune Company Portal as a bring-your-own device.
In cases where FileVault isn’t enabled during Setup Assistant, such as in bring-your-own-device (BYOD) scenarios using the Intune Company Portal, the same policy will trigger FileVault activation after the next reboot, prompting the user to take the necessary actions.
Using the FileVault recovery key
The FileVault recovery key serves as a secure fallback for users who forget their login password. When used properly, it allows access to the Mac without requiring a password reset or device re-enrollment.
While Apple documents the recovery key process on their support site, one useful detail is often overlooked:
If the “?” icon doesn’t appear on the Mac login screen, users can press Shift + Option + Return to manually bring up the recovery key prompt.
This can be particularly helpful during support scenarios where the user is locked out, but the device is still enrolled and reachable via Intune. At this stage, the Mac has completed booting and can still receive remote commands such as running scripts or executing device actions.
Manually escrowing an existing recovery key
If FileVault is already enabled on a Mac before it’s enrolled in Intune, users can manually escrow their personal recovery key using the Intune Company Portal. This is especially useful in bring-your-own-device (BYOD) scenarios or in loosely managed enrollment flows, where FileVault may have been activated outside of the IT admin’s control.
Steps to import the recovery key:
- Verify FileVault status
  - Launch Terminal and run: fdesetup status
  - This confirms whether FileVault is currently enabled.
- Rotate and display the recovery key
  - Run the following command to generate a new personal recovery key: sudo fdesetup changerecovery -personal
  - The user must have administrator privileges to execute this command.
- Upload the recovery key to Intune using the Company Portal website
  - Open a browser and navigate to: https://portal.manage.microsoft.com
  - Select the corresponding Mac device (if prompted)
  - Choose “Store Recovery Key” and paste the new key from the Terminal output
On the same page, users can also retrieve an existing recovery key if it has already been escrowed.
This manual method ensures that devices encrypted outside the MDM provisioning flow can still benefit from secure recovery key escrow and retrieval through Intune.
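Before asking a user to walk through the steps above, a help desk often wants to know from an Intune-deployed script which Macs still need their key escrowed. The following is an added example (not code from this post, from Microsoft, or from Apple): it classifies the text that fdesetup status prints and maps it to the next step; the function names are hypothetical, and when fdesetup is absent it runs on constructed sample output.

```shell
#!/bin/sh
# Added example, not Microsoft's or Apple's code. Classifies the output of
# `fdesetup status` so an Intune shell script can report which manual
# escrow step (if any) a Mac still needs. Function names are hypothetical.

# Map the text printed by `fdesetup status` to one of:
# on, encrypting, deferred, off, unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On."*"Encryption in progress"*) echo "encrypting" ;;
    *"FileVault is On."*)                          echo "on" ;;
    *"Deferred enablement appears to be active"*)  echo "deferred" ;;
    *"FileVault is Off."*)                         echo "off" ;;
    *)                                             echo "unknown" ;;
  esac
}

# Translate a state into the action the post describes for that situation.
escrow_action() {
  case "$1" in
    on)         echo "rotate-and-store-key" ;;      # fdesetup changerecovery -personal, then Company Portal
    encrypting) echo "wait-for-encryption" ;;       # re-check once the volume is fully encrypted
    deferred)   echo "user-must-log-out-and-in" ;;  # Defer policy applied; enablement finishes at next login
    off)        echo "apply-filevault-policy" ;;    # no manual escrow possible until FileVault is enabled
    *)          echo "investigate" ;;
  esac
}

# Use the live machine when fdesetup exists; otherwise use constructed sample
# output so the logic can be exercised on a non-Mac host.
main() {
  if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status)
  else
    status_out="FileVault is On."   # constructed sample output
  fi
  state=$(filevault_state "$status_out")
  action=$(escrow_action "$state")
  echo "filevault=$state action=$action"
  # Non-zero exit marks the device as needing attention in the Intune script report.
  [ "$state" = "on" ]
}

main
```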
Migrating to Intune
A common challenge when migrating to Intune from another MDM is that FileVault may already be enabled. Aside from the manual steps, organizations might consider another approach: automating the escrow of existing recovery keys using tools like Escrow Buddy, an open-source tool developed by Netflix.
For a full discussion of migrating to Intune, see our other blog post: aka.ms/Intune/mac-migration.
Reach out for help
If you’re interested in learning more about FileVault and other Mac scenarios, there are a couple more things you can do.
Join our Microsoft Mac Admins community on LinkedIn. Our product teams are there, plus thousands of others who are using Intune to manage their Apple devices in a Microsoft enterprise environment. If you have a question about Microsoft and Mac, someone in this community will likely have the answer.
If you have 150 Microsoft 365 licenses or more, you can also Request FastTrack assistance. Our FastTrack team are experts at helping our customers make the most of their investment in Microsoft technologies.
Lastly, if you’re looking for a deeper engagement, consider finding a Microsoft partner to support your migration needs.
If you have any questions or want to share how you’re managing and migrating your Apple macOS devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.