Connect
Ask Community
Ask the community
Ask Community
  • Home
  • macOS
  • macOS FileVault policy applied but encryption stays disabled or recovery key is not escrowed

macOS FileVault policy applied but encryption stays disabled or recovery key is not escrowedSolved

Profile photo of boris
boris
Participant
Discussion
Hexnode UEM
2 days ago Jun 21, 2026

We are trying to clean up FileVault compliance for a large group of managed Macs. Some devices have FileVault disabled, while others already have FileVault enabled but do not seem to have the personal recovery key escrowed in Hexnode. Previously, we were using a manual script-based process after assigning a FileVault policy, but the results were inconsistent.

Sometimes FileVault stayed off in System Settings, sometimes the device showed as encrypted but still non-compliant, and in a few cases users had issues after restarting. What is the recommended way to handle both types of Macs: devices where FileVault is disabled and devices where FileVault is already enabled but the recovery key is missing?

topic view count 10 Views
Reply

Replies (1)

Marked SolutionPending Review
Profile photo of mary_romero Hexnode Expert image
mary_romero
Hexnode Expert
2 days ago Jun 21, 2026
Marked SolutionPending Review

For this scenario, you can use a single FileVault policy for both sets of macOS devices.

Configure the FileVault policy with the following settings:

1. Enable FileVault using both institutional and personal recovery keys.

2. For the institutional recovery key certificate, the default Hexnode certificate can be used.

3. Set “Skip enabling FileVault at user login” to 0.

For Macs where FileVault is currently disabled, apply the policy and restart the device. After restart, the user should be prompted during login to enable FileVault. Encryption will not necessarily begin immediately just because the policy is assigned; the restart and user login prompt are required.

For Macs where FileVault is already enabled but the personal recovery key is not escrowed, apply the same policy first. Then run the following command on the Mac:

sudo fdesetup changerecovery -personal

After the command completes, perform a device scan from Hexnode so that the updated recovery key information can be escrowed and reflected in the device record.

You can verify the FileVault status from Hexnode by opening the device and checking Device Info > Security Info.

Regards,
Mary Romero

Load more
Save
Related Topics

Leaderboard

Popular Tags

ABM (70)
Android (601)
iOS (445)
macOS (539)
Windows (406)
Apple TV (33)
App Management (485)
Enrollment (157)
Location (34)
Kiosk (288)
Scripts (103)
ADE (61)
OS Updates (88)
Android Enterprise (161)
View all