How to Enable FileVault on macOS with Microsoft Intune
Topics: Security and Compliance
Some of you might be asking what FileVault is. According to Apple, “FileVault is a built-in encryption capability to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.” While that description is technical, FileVault essentially protects data on macOS devices by encrypting the entire hard drive volume. Why does this matter? It matters for several reasons, most importantly data security: if an unauthorized user gains physical access to the device, the encrypted data remains extremely difficult to read without the proper credentials or recovery key. For organizations with compliance and regulatory requirements, this can help meet those standards.
You can use Microsoft Intune to enable and manage macOS FileVault disk encryption. Ensure the target devices are running macOS version 10.13 or later. This guide focuses on enabling FileVault encryption using an Endpoint Security policy in Microsoft Intune.
Role Requirements
- Intune Administrator
- Security Administrator
Step by Step Guide to Enable FileVault with Endpoint Security
- Go to Microsoft Intune admin center
- Click on Endpoint security > Disk encryption > + Create Policy
- For Platform, select macOS. For Profile, select FileVault. Click Create.

On the Basics page, enter a Name that reflects the policy’s purpose (e.g., “macOS – Enable FileVault”) and a detailed Description so other administrators understand its function. Click Next.

Configure the FileVault settings on the Configuration settings page.
Set Enable FileVault to Yes. This action reveals additional configuration options and enables full disk encryption (XTS-AES 128) on devices running macOS 10.13 and later.
Recovery key type: Only Personal Recovery Key is supported, so this setting cannot be changed.
Personal recovery key rotation: Specifies how often the device’s personal recovery key rotates (monthly, 1-12 months). Leaving this Not configured (the default) means the key will not automatically rotate based on this schedule.
Escrow location description of personal recovery key: Enter a message guiding users on how to retrieve their recovery key if needed. Example: “To retrieve your recovery key, please contact your IT help desk at contoso.com/help.”
Number of times allowed to bypass: Defines how many times the user can skip the FileVault enablement prompt (options: 1-10, or Not configured, which means there is no limit and the user is prompted every time). The default is Not configured.
Note: To strongly encourage or enforce encryption before the user can proceed, consider setting this to a low number (e.g., 0 or 1) instead of leaving it Not configured.
Disable prompt at sign out: This setting controls when the user is prompted to enable FileVault.
- Yes: Prompts the user at the next sign-in.
- No (or Not Configured – Default): Prompts the user during sign-out. I am leaving this as Not configured, so users will be prompted at sign-out in this example.
Hide recovery key: Set to Yes to prevent the personal recovery key from being displayed to the end user during the encryption process. This helps prevent the key from being misplaced or misused and avoids potential user confusion.
If you want to copy my configuration for testing purposes, your setup should look similar to this.

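Intune generates the device-side configuration profile for you, but it helps to know what these portal settings map to on the Mac. The following is an added illustration (not from this post or from Microsoft) of the Apple FileVault and recovery-key-escrow payloads that correspond to the settings above; the payload identifiers and UUIDs are placeholders, and the escrow certificate UUID is something Intune supplies, so it is marked as a placeholder too.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.filevault</string> <!-- placeholder -->
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string> <!-- placeholder -->
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>macOS - Enable FileVault</string>
  <key>PayloadContent</key>
  <array>
    <!-- FileVault 2 payload: "Enable FileVault = Yes" -->
    <dict>
      <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
      <key>PayloadIdentifier</key><string>com.example.filevault.fv2</string> <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string> <!-- placeholder -->
      <key>PayloadVersion</key><integer>1</integer>
      <key>Enable</key><string>On</string>
      <!-- "Recovery key type": personal recovery key, the only type Intune supports -->
      <key>UseRecoveryKey</key><true/>
      <!-- "Hide recovery key = Yes": the key is escrowed, never shown to the user -->
      <key>ShowRecoveryKey</key><false/>
      <!-- Enablement is deferred to the sign-out/sign-in prompt rather than forced immediately -->
      <key>Defer</key><true/>
      <!-- "Disable prompt at sign out = Not configured": prompt at sign-out, not at next sign-in -->
      <key>DeferDontAskAtUserLogout</key><false/>
      <!-- "Number of times allowed to bypass": -1 = unlimited (Not configured); 1 = one skip, then enforced -->
      <key>DeferForceAtUserLoginMaxBypassAttempts</key><integer>1</integer>
    </dict>
    <!-- Escrow payload: "Escrow location description of personal recovery key" -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>PayloadIdentifier</key><string>com.example.filevault.escrow</string> <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string> <!-- placeholder -->
      <key>PayloadVersion</key><integer>1</integer>
      <!-- Message shown to the user describing where the key is kept -->
      <key>Location</key><string>To retrieve your recovery key, please contact your IT help desk at contoso.com/help.</string>
      <!-- UUID of the MDM server's escrow certificate payload; supplied by Intune, placeholder here -->
      <key>EncryptCertPayloadUUID</key><string>PLACEHOLDER-ESCROW-CERT-UUID</string>
    </dict>
  </array>
</dict>
</plist>
```

The point of the mapping is that "Not configured" for the bypass count leaves the device-side value at unlimited, so encryption is never enforced until an administrator sets a finite number; the escrowed key is what makes hiding it from the user safe.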
On the Assignments page, specify the groups of users or devices that will receive this policy. Recommendation: Always test policies on a pilot group before deploying to all devices. For this demonstration, “All devices” is selected. Once assignments are configured, click Next. On the Review + create page, verify your settings and click Create.

End-User Experience
Retrieving the Recovery Key (Administrator Steps)
Navigate to Microsoft Intune admin center > Devices > macOS. Select the specific encrypted device for which you need the key (e.g., macOS-VM-03 in the example). In the device’s overview pane, click Recovery keys (under Monitor).

The FileVault recovery key information will be displayed. Click Show Recovery Key. Depending on your Intune RBAC and audit logging configuration, you may need appropriate permissions and may be asked to provide a justification.

Conclusion: FileVault Enabled
This guide outlines the essential steps for enabling and managing macOS FileVault encryption using Microsoft Intune’s Endpoint security policy. Properly configuring FileVault is crucial for safeguarding sensitive data and meeting compliance requirements. By following these instructions, IT administrators can effectively deploy and manage FileVault across their macOS devices, enhancing the organization’s overall security posture.