FileVault policy keeps macOS FileVault settings greyed out and recovery key is not always visible [Solved]

Participant
Discussion
2 days ago Jun 17, 2026

I’m managing a couple of macOS devices with a FileVault encryption policy in Hexnode. The problem is that FileVault is controlled by policy, so the option to turn it off on the Mac is greyed out in System Settings. I don’t want to remove the whole MDM profile just to reset FileVault.

The devices are targeted through device groups, and I was trying to remove the FileVault policy temporarily, let the users disable/re-enable FileVault, and then push the policy again so the recovery keys are escrowed properly. What’s the safest way to do this?

Replies (1)

Marked Solution, Pending Review
Hexnode Expert
3 days ago Jun 16, 2026

For macOS devices, FileVault settings can appear greyed out when an MDM FileVault configuration profile is still applied to the device. To allow the user to disable FileVault locally, the FileVault policy must first be removed from the device.

If the policy is assigned through device groups, check all groups associated with the FileVault policy. If the device is targeted through a custom group, remove the device from that group. If it is targeted through a dynamic device group, add the device as an exception to the dynamic group criteria.

A typical workflow would be:

1. Go to Manage > Device Groups.

2. Open each device group associated with the FileVault policy.

3. If it is a dynamic group, add the affected Mac as an exception.

4. Save the group.

5. Run Sync Now or scan the device so the policy removal is reflected on the Mac.

6. Once the FileVault policy is removed, the user should be able to disable FileVault from macOS System Settings.

7. After FileVault is disabled, remove the exception from the dynamic group.

8. Save the group again and sync the device.

9. The FileVault policy will be pushed back to the Mac.

When FileVault is enabled again, ensure the policy is configured to escrow the recovery key so that the key is stored in the Hexnode portal.

Regards,
Mary Romero
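A local checkpoint for the workflow in the reply above, as an added example that is not part of the original thread or Hexnode's own tooling: it classifies which step a Mac has reached from the text printed by `fdesetup status`, `fdesetup haspersonalrecoverykey` and `profiles show -output stdout-xml`. It assumes the usual `fdesetup` status strings and the `com.apple.MCX.FileVault2` payload type; the function name and stage labels are hypothetical. A key existing on the Mac does not prove escrow, which still has to be confirmed in the Hexnode portal.

```shell
#!/bin/sh
# Added example: classify where a Mac is in the remove / disable / re-apply workflow.
# Arguments are the text printed by three macOS commands (run as root on the Mac):
#   $1  fdesetup status
#   $2  fdesetup haspersonalrecoverykey   (prints true or false)
#   $3  profiles show -output stdout-xml
fv_stage() {
    status=$1; has_prk=$2; profiles_xml=$3

    # Assumption: an MDM FileVault policy shows up as this payload type.
    case $profiles_xml in
        *com.apple.MCX.FileVault2*) managed=yes ;;
        *)                          managed=no ;;
    esac

    # "in progress" is tested first because fdesetup prints it on a line
    # after "FileVault is On." while encrypting or decrypting.
    case $status in
        *"in progress"*)      state=busy ;;
        *"FileVault is On"*)  state=on ;;
        *"FileVault is Off"*) state=off ;;
        *)                    state=unknown ;;
    esac

    case "$state/$managed/$has_prk" in
        busy/*)      echo "wait: encryption or decryption still running" ;;
        on/yes/true) echo "done: policy applied, FileVault on, recovery key present" ;;
        on/yes/*)    echo "check: policy applied but no personal recovery key" ;;
        on/no/*)     echo "step 6: policy removed, FileVault can be turned off" ;;
        off/no/*)    echo "step 7: FileVault off, restore the group assignment and sync" ;;
        off/yes/*)   echo "step 9: policy is back, FileVault not enabled yet" ;;
        *)           echo "unknown: could not parse fdesetup status" ;;
    esac
}

# Live use on the Mac itself: sudo sh fv_stage.sh --live
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    fv_stage "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)" \
             "$(profiles show -output stdout-xml)"
fi
```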
