FileVault 2 System Policy

JumpCloud’s FileVault 2 policy lets administrators remotely enable and enforce FileVault for their JumpCloud managed Mac systems. In addition, the FileVault 2 policy lets admins easily view Recovery Keys for Macs that have been enabled for FileVault through this policy.

Watch a video tutorial: FileVault Management Tutorial


  • The target system must be running macOS 10.13+
  • Users on the system must have a valid Secure Token in order to enable FileVault
    • It is highly recommended that you follow this guide to ensure that any JumpCloud created users have a valid Secure Token
  • Any user on a machine with a valid Secure Token will be added to FileVault once the policy has been successfully enabled

Enablement & Enforcement

Admin Experience

  1. As an admin, select Policies > Add Mac Policy > FileVault 2
  2. Configure the FileVault policy with the available options:
    1. Show the FileVault Recovery Key to the user when enabled
      1. When this option is selected, the Recovery Key will be shown to the user once FileVault is enabled
    2. Do not prompt the user to enable FileVault at logout
      1. There are two possible prompt locations for the user to enable FileVault, at login and at logout. With this option selected, the user is not prompted to enable FileVault at logout
    3. Number of times the user can bypass enabling FileVault
      1. When a valid number is entered into this field, the user is able to defer or bypass enabling FileVault until the counter counts down to 0. When the user has no remaining bypasses, they are forced to enable FileVault before they are able to log in to their system.
  3. Apply the policy to a Group of Systems
  4. Once the policy has successfully been applied to the target system(s), a policy result will be returned indicating that the policy was successfully applied.
    1. If FileVault is already enabled on the system when the policy is applied, we will rotate the Recovery Key on the machine. Note: if FileVault is already enabled, key rotation may be immediate, but may also take up to one hour.
      1. In order for JumpCloud to rotate the Recovery Key, the JumpCloud Service Account must be present on the machine.
    2. Once the Recovery Key has successfully been rotated, we will surface the new Recovery Key in JumpCloud.
  5. Depending on the options selected, FileVault will be enabled for the system once the user has completed the activation steps.
  6. With FileVault enabled, a new field will be surfaced for any system that has a Recovery Key returned

  7. At this point, FileVault is completely enabled for the target system. Admins may view the Recovery Key for the device, and users on the system will be unable to disable FileVault.

User Experience

  1. Once the policy is applied to the system, the user will be prompted at login or logout to enable FileVault
  2. Once the user has selected Enable Now, they will be shown 1-2 pop-up windows (if the admin has chosen not to show the Recovery Key, it will not be present here)

  3. At this point, FileVault is enabled on the system.

Expected Behavior

  • The Recovery Key field will not appear on a given system until JumpCloud has received a Recovery Key. JumpCloud will continue to present the system's status as Unencrypted until the FileVault encryption process is complete. After the encryption process is complete, then within the next two hours, JumpCloud will begin to present the system's status as Encrypted.
  • Regarding the bypass counter:
    • Logins/Logouts don’t count against users that have been added after the policy has been applied
    • Logins/Logouts count against any user that is logged in when the policy is applied
    • Fast user switching doesn’t count as a login/logout
    • If all users are logged in, then logins/logouts count against all users
  • If FileVault is already enabled on the system when the policy is applied...
    • We will ensure that the user is unable to disable FileVault, and a new Recovery Key will be generated
  • If the user attempting to log in is not Secure Token enabled, they will be able to continue through the prompts at the login window without actually being able to enable FileVault.
    • Functionally, they will see the window shown below, but when they select Enable Now, they will not be shown a Recovery Key and FileVault will not be enabled.
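
Because a user without a Secure Token can click through the prompt without FileVault being enabled, it helps to check token and encryption state on the Mac itself. The script below is an added example, not JumpCloud code; the function names and the matched output strings of Apple's `sysadminctl` and `fdesetup` tools are assumptions.

```shell
#!/bin/bash
# Added example, not JumpCloud code. Matched strings are assumed tool output.

# Classify the output of: sysadminctl -secureTokenStatus <user>
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# Classify the output of: fdesetup status
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Combine both states into what the article predicts for this user.
verdict() {  # $1 = token state, $2 = FileVault state
  case "$1:$2" in
    enabled:on)         echo ok ;;          # user is added to FileVault
    enabled:encrypting) echo encrypting ;;  # console may still show Unencrypted
    enabled:off)        echo ready ;;       # user can enable at the prompt
    disabled:*)         echo no-token ;;    # prompt will not enable FileVault
    *)                  echo unknown ;;
  esac
}

audit_host() {
  fv=$(fv_state "$(fdesetup status 2>&1)")
  # Local accounts created on macOS start at UID 501.
  dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}' | while read -r u; do
    tok=$(token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")
    printf '%s\t%s\n' "$u" "$(verdict "$tok" "$fv")"
  done
}

# Audit the live system where the macOS tools exist; otherwise classify a
# constructed sample (not real output from any host).
if command -v fdesetup >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
  audit_host
else
  verdict "$(token_state 'sysadminctl[611:4021] Secure token is DISABLED for user bob')" "$(fv_state 'FileVault is Off.')"
fi
```

Any account reported as `no-token` should be given a Secure Token before the bypass counter reaches 0.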

Last Updated: Jun 12, 2019 02:12PM MDT
