The Definitive Guide to Automating Personal Recovery Key (PRK) Escrow
If a user forgets their macOS login password and their Mac is encrypted with FileVault, a recovery key is the only way to regain access to the data. Relying on end-users to safely store their own Personal Recovery Key (PRK) often leads to permanent data loss.
Hexnode UEM solves this by automating the Escrow process—silently capturing the PRK as it is generated on the Mac and securely storing it within the Hexnode UEM console for IT retrieval.
1. How PRK Escrow Works in Hexnode
Instead of displaying the alphanumeric recovery key to the end user and asking them to write it down, Hexnode's FileVault profile instructs macOS to escrow the key the moment it is generated.
Once the user authenticates and FileVault begins encrypting the disk, macOS encrypts the PRK to the escrow certificate carried in the profile and hands it to the Hexnode UEM server over the MDM channel. The user never sees the key; only authorized IT admins can retrieve it from the console.
2. The Technical Handshake: How Escrow Works
To guarantee security and prevent the key from ever being exposed locally, the PRK escrow follows a strict, automated sequence between macOS and the Hexnode server:
Step-by-Step Breakdown:
- The Policy Arrives: Hexnode deploys the FileVault configuration profile to the Mac, instructing it to turn on encryption and escrow the recovery key.
- The Prompt: At the user's next login or logout, macOS prompts them that their organization requires the disk to be encrypted.
- User Authorization: The user types in their standard Mac login password to authorize the action.
- Key Generation: macOS generates the unique Personal Recovery Key (PRK) in the background.
- Secure Escrow: macOS encrypts the PRK with the escrow certificate from the profile and reports it to the Hexnode UEM server over the MDM channel; the plaintext key is never shown to the user.
- Secure Storage: Hexnode receives the key and stores it in its encrypted database, tied to that specific device's record.
- Encryption Begins: macOS encrypts the startup volume in the background while the escrowed key stays with the device record for later retrieval.
3. Configuring the Automated Escrow Policy
To enforce this workflow, administrators configure a FileVault policy in the Hexnode portal (Policies > New Policy > Create a fully custom policy > macOS > Security > FileVault).
Key configurations required for PRK escrow:
- Recovery Key Type: Select Personal Recovery Key (or Institutional and Personal Recovery Key if your organization requires a master fallback).
- Escrow Personal Recovery Key: This box must be checked. It is the setting that instructs macOS to encrypt the key for the Hexnode server.
- Escrow Location Description: A required text field shown to the user in the FileVault prompt, telling them where the key is stored (e.g., "Your recovery key is securely stored by the IT Department").
- Show Personal Recovery Key to user: Leave this unchecked. If it is checked, macOS displays the key on the user's screen, and anyone who copies or photographs it can unlock the disk. For a silent escrow where only IT holds the key, this must be off.
- Bypass Setup Assistant: Enabling this prevents the user from being prompted to set up FileVault during the initial macOS Setup Assistant; the encryption prompt is deferred to their standard user login instead.
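To see what these checkboxes amount to on the Mac, here is an added Python example (not Hexnode's code, and not a profile exported from the portal) that builds a .mobileconfig-shaped profile from Apple's documented FileVault2 and FDERecoveryKeyEscrow payload keys and lints it for the conditions a silent escrow needs: a PRK is generated, ShowRecoveryKey is off, and the escrow payload names a location and a certificate that actually exists in the profile. The payload identifiers and the certificate bytes are placeholders, and the mapping from Hexnode's checkbox labels to these keys is an assumption based on the standard Apple payload, not something the page documents.

```python
"""Build and lint a FileVault + PRK-escrow profile (added example, not Hexnode's code)."""
import plistlib
import uuid

FILEVAULT = "com.apple.MCX.FileVault2"
ESCROW = "com.apple.security.FDERecoveryKeyEscrow"
CERT = "com.apple.security.pkcs1"

# Placeholder DER bytes (constructed). A real profile carries the server's escrow certificate.
FAKE_ESCROW_CERT_DER = b"\x30\x03\x02\x01\x01"


def build_profile(show_key, escrow,
                  location="Your recovery key is securely stored by the IT Department"):
    """Return a .mobileconfig-shaped dict modelling the guide's settings.

    show_key -> 'Show Personal Recovery Key to user'
    escrow   -> 'Escrow Personal Recovery Key'
    location -> 'Escrow Location Description'
    """
    cert_uuid = str(uuid.uuid4())
    payloads = [{
        "PayloadType": FILEVAULT,
        "PayloadIdentifier": "com.example.filevault",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "Enable": "On",               # turn FileVault on
        "Defer": True,                # prompt at login/logout instead of immediately
        "UseRecoveryKey": True,       # generate a personal recovery key
        "ShowRecoveryKey": show_key,  # False = silent escrow
        "DeferForceAtUserLoginMaxBypassAttempts": 0,  # 0 = user cannot skip the prompt
    }]
    if escrow:
        payloads.append({
            "PayloadType": CERT,
            "PayloadIdentifier": "com.example.escrow-cert",
            "PayloadUUID": cert_uuid,
            "PayloadVersion": 1,
            "PayloadContent": FAKE_ESCROW_CERT_DER,
        })
        payloads.append({
            "PayloadType": ESCROW,
            "PayloadIdentifier": "com.example.escrow",
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadVersion": 1,
            "Location": location,                 # text shown to the user in the prompt
            "EncryptCertPayloadUUID": cert_uuid,  # the PRK is encrypted to this certificate
        })
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.filevault-escrow",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }


def lint_silent_escrow(profile):
    """Return the reasons this profile will NOT produce a silent, escrowed PRK ([] if fine)."""
    findings = []
    by_type = {}
    for p in profile.get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)

    fv = by_type.get(FILEVAULT, [None])[0]
    if fv is None:
        findings.append("no FileVault2 payload: encryption is never enforced")
    else:
        if fv.get("Enable") != "On":
            findings.append("Enable is not 'On'")
        if not fv.get("UseRecoveryKey", False):
            findings.append("UseRecoveryKey is false: no PRK is generated, nothing to escrow")
        if fv.get("ShowRecoveryKey", True):  # Apple's default is true, so absence counts
            findings.append("ShowRecoveryKey is true: the PRK is displayed on screen")

    esc = by_type.get(ESCROW, [None])[0]
    if esc is None:
        findings.append("no FDERecoveryKeyEscrow payload: the PRK never leaves the Mac")
    else:
        if not esc.get("Location"):
            findings.append("Location is empty")
        cert_uuids = {p.get("PayloadUUID") for p in by_type.get(CERT, [])}
        if esc.get("EncryptCertPayloadUUID") not in cert_uuids:
            findings.append("EncryptCertPayloadUUID does not point at a certificate payload")
    return findings


def serialize_profile(profile):
    """Serialize to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def lint_mobileconfig_bytes(data):
    """Lint a serialized .mobileconfig read from disk or produced by serialize_profile."""
    return lint_silent_escrow(plistlib.loads(data))


if __name__ == "__main__":
    print("silent escrow:", lint_silent_escrow(build_profile(show_key=False, escrow=True)) or "OK")
    print("display only:", lint_silent_escrow(build_profile(show_key=True, escrow=False)))
```

The dangling-certificate check is the one worth keeping in mind: an escrow payload whose EncryptCertPayloadUUID points at nothing leaves macOS with no key to encrypt the PRK to, so the policy looks applied in the console while no key ever arrives.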
4. The End-User Experience
Once the policy is deployed to the device, the automated process follows these steps:
- The Prompt: The user is prompted to enable FileVault at their next login or logout (depending on your deferral settings).
- Authentication: The user enters their Mac login password to authorize the encryption.
- Silent Escrow: macOS begins encrypting the drive in the background. The PRK is generated and silently escrowed to Hexnode. The key is not displayed to the user.
5. Admin Key Retrieval (Helpdesk Protocol)
When a user is locked out of their Mac, an IT administrator can retrieve the escrowed PRK so the user can unlock the volume and reset their login password.
To retrieve the key:
- Navigate to Manage > Devices and click on the locked-out Mac.
- On the Device Summary page, scroll down to the Security Info section.
- Locate the FileVault Recovery Key field and click Decrypt.
- The PRK is displayed in plain text. Treat it as disclosed from this point: once the user is back in, rotate the key (see the troubleshooting section) so the escrowed copy is one nobody has seen.
- The admin provides this key to the user (or enters it directly) at the macOS login screen to unlock the volume; macOS then prompts for a new login password.
6. Troubleshooting Escrow Failures
If a device fails to escrow the PRK, check these two common technical roadblocks:
Missing Secure Token: For a user account to enable FileVault and generate a PRK, macOS requires that user to hold a Secure Token. If the user does not have one, the policy fails for that account. Admins can grant a token remotely via Hexnode's Execute Custom Script action using the command below. It needs the credentials of an existing token holder (such as the management admin account) as well as the target user's password, so the script carries two cleartext passwords and should be removed from the console once it has run:
```bash
# Run as root from the custom-script action. Omit the 'interactive' keyword:
# it requests the admin credentials in a GUI dialog that a headless script never sees.
sysadminctl -adminUser [admin_name] -adminPassword [admin_pass] -secureTokenOn [target_user] -password [user_pass]
```
Invalid or Out-of-Sync Keys: If a device is un-enrolled and re-enrolled into Hexnode, the console's copy of the PRK may be missing or may no longer match the volume. You can force macOS to generate a new PRK, which is escrowed again through the installed profile, by running this custom script:
```bash
# Prompts for the password of a FileVault-enabled user; add -inputplist to read it
# from stdin when there is no terminal, as in a custom-script action.
sudo fdesetup changerecovery -personal
```
(Follow this by initiating a Scan Device action from the Hexnode console to ensure the new key syncs).
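An added Python triage helper, written for this guide rather than taken from Hexnode, that ties the two roadblocks together. It parses constructed sample output in the formats that fdesetup status and sysadminctl -secureTokenStatus print, decides which fix applies, and wraps both fixes non-interactively: the token grant without the interactive keyword, and the PRK rotation through fdesetup changerecovery -personal -inputplist so no terminal is needed. The user name alice and the sample lines are constructed; the live checks at the bottom run only on macOS and need root, which a custom-script action already has.

```python
"""Escrow triage for a Mac (added example, not Hexnode's code). Run as root on macOS."""
import platform
import plistlib
import re
import subprocess

# Constructed sample outputs in the formats the tools print (not captured from a real Mac).
STATUS_OFF = "FileVault is Off."
STATUS_ON = "FileVault is On."
STATUS_ENCRYPTING = "FileVault is On.\nEncryption in progress: Percent completed = 37"
TOKEN_ON = "2024-05-01 09:12:03.118 sysadminctl[842:6611] Secure token is ENABLED for user alice"
TOKEN_OFF = "2024-05-01 09:12:03.118 sysadminctl[842:6611] Secure token is DISABLED for user alice"


def parse_filevault_status(text):
    """'off', 'encrypting' or 'on' from `fdesetup status` output."""
    if "FileVault is Off" in text:
        return "off"
    if "Encryption in progress" in text:
        return "encrypting"
    if "FileVault is On" in text:
        return "on"
    raise ValueError("unrecognised fdesetup status: %r" % text)


def parse_secure_token(text):
    """True/False from `sysadminctl -secureTokenStatus <user>` (it writes to stderr)."""
    m = re.search(r"Secure token is (ENABLED|DISABLED) for user", text)
    if not m:
        raise ValueError("unrecognised sysadminctl output: %r" % text)
    return m.group(1) == "ENABLED"


def triage(status_text, token_text, has_prk):
    """Map FileVault state, token state and PRK presence to the action the guide prescribes."""
    status = parse_filevault_status(status_text)
    if status == "off":
        # The policy cannot turn FileVault on for a user who holds no Secure Token.
        if not parse_secure_token(token_text):
            return "grant_secure_token"
        return "wait_for_login_prompt"  # deferred enablement fires at next login/logout
    if status == "encrypting":
        return "wait_for_encryption"
    if not has_prk:
        return "rotate_prk"  # no personal key on the volume, so nothing for MDM to escrow
    return "check_console_record"  # key exists; if the console lacks it, rotate and Scan Device


def run(cmd, stdin_text=None):
    """Run a command, returning (exit code, combined stdout+stderr)."""
    p = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def grant_secure_token(admin, admin_pw, user, user_pw):
    """Grant a Secure Token using an existing token holder's credentials (no 'interactive')."""
    return run(["sysadminctl", "-adminUser", admin, "-adminPassword", admin_pw,
                "-secureTokenOn", user, "-password", user_pw])


def rotate_prk(user, user_pw):
    """Generate a new PRK without a terminal; the installed escrow profile re-escrows it.

    fdesetup prints the new key to stdout, so the output is discarded on purpose.
    """
    creds = plistlib.dumps({"Username": user, "Password": user_pw}).decode()
    rc, _ = run(["fdesetup", "changerecovery", "-personal", "-inputplist"], creds)
    return rc == 0


if __name__ == "__main__" and platform.system() == "Darwin":
    user = "alice"  # assumed account name
    _, status = run(["fdesetup", "status"])
    _, token = run(["sysadminctl", "-secureTokenStatus", user])
    _, prk = run(["fdesetup", "haspersonalrecoverykey"])  # prints true/false
    print(triage(status, token, prk.strip().lower() == "true"))
```

The rotation deliberately discards stdout: fdesetup prints the new personal recovery key there, and a custom-script action that captures output would otherwise store the plaintext key in the script log beside the escrowed copy. After a rotation, trigger Scan Device from the console so the new key lands in the device record.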