device stuck in login screen

expand collapsive

One of our employee’s Macs got stuck on the login screen after restarting the device. The employee had forgotten the password, so he tried to reset the device by entering the recovery mode. But it asked for the recovery key. So how do I get the device out of this state? Can Hexnode help?

All Replies

  • Hexnode

    Evin Lee


    Hi @darien-jaylen-22,

    The Hexnode agent app won’t be active if the device is on the login screen that appears after restarting the device. Hence, you will be unable to push any actions or policies to your device from the Hexnode portal. As you have enabled FileVault via the Hexnode portal, the recovery key can be obtained from the portal. However, it is possible only if the Escrow Personal Recovery Key option is already checked in the FileVault policy.

    To obtain the escrowed personal recovery key, you can go to Manage > Devices > Device Info > Security Info and click on Decrypt FileVault Recovery Key. It will display a menu asking whether the FileVault recovery key is automatically encrypted by Hexnode or was encrypted with a certificate. If it was encrypted automatically, you could click on Decrypt to retrieve the key. On the other hand, if it was encrypted with a certificate, you will need the certificate to get the key.

    You can use the obtained recovery key to log in to the device. However, if the Escrow Personal Recovery Key option is not enabled, you can erase the device and reinstall the OS to log in to the device.

    I hope this helps. Do reach out if you have any further queries.

    Evin Lee
    Hexnode UEM

  • Participant



    I’m going to use the personal recovery key to enable FileVault on the devices, and escrow the key to the portal. There is an option to add a certificate to encrypt the key. But how can i create this certificate?

  • Hexnode

    Evin Lee


    Hi @alondra,

    Thanks for reaching out to us.

    You can create a certificate using the Terminal on Mac devices. Run the command given below to get the job done.

    Replace “/folderpath” with the path you want to save the certificates on the device.

    After running the command, it will create three certificates “public.crt”, “rsa_private.pem”, and “rsa_public.pem” on the specified locations.

    You can upload the certificate “public.crt” to Policies > macOS > Security > Certificates. Then, the certificate will be available to use in the FileVault policy. In the same policy, go to FileVault > Choose Encryption method, and select the Manually specify encryption key option. You can then choose the uploaded certificate from the Encryption Certificate option. Finally, associate the policy with your devices.

    You can decrypt the recovery key by uploading the “rsa private.pem” file in the ‘Decrypt FileVault Recovery Key‘ pop-up window.

    Hope this suits your requirements.

    Evin Lee
    Hexnode UEM