Script to forcefully enable/disable FileVault on Mac.

FileVault is a security feature available on Mac computers that encrypts the contents of the startup disk. This helps to protect sensitive data from unauthorized access, even if the computer is lost or stolen. Although FileVault is an effective means of securing data on Mac computers, it can present some challenges for system administrators. Specifically, managing FileVault settings across multiple computers can be a time-consuming and error-prone process, particularly when dealing with a large number of devices.
One way to simplify the process of managing FileVault is by using a script to force enable or disable the feature. This script can be run on multiple machines simultaneously, saving time and reducing the chance of errors. By automating this process, system administrators can ensure that all machines are set up consistently and securely, without the need for manual intervention. The Execute Custom Script action lets you execute these customized scripts on different endpoints remotely.

Scripting language – Bash

File extension – .sh

Disclaimer: The sample scripts provided below are adapted from third-party open-source sites.

Enable FileVault

Execute this script to enable FileVault without manual intervention.

The fdesetup command can be used to enable or disable FileVault.

Replace Username and Password in the script with the username and password of the account for which FileVault is to be enabled.
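An added example of what such an enable script can look like (it is not the script from this page or its sample repository). It assumes the deploying tool exports FV_USER and FV_PASS (placeholder names) and hands the credentials to fdesetup on stdin via -inputplist, so they do not appear in the process argument list; it also checks the current status first so it is safe to re-run in bulk.

```shell
#!/bin/bash
# Added example, not the Hexnode page's own script: enable FileVault through
# fdesetup without prompting. Credentials reach fdesetup via -inputplist on stdin,
# so they never appear in the process argument list. Must run as root.
# Assumed placeholders (not from the page): FV_USER and FV_PASS env variables.
# Escape a value for the XML plist (passwords may contain & < > ").
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Build the property list that `fdesetup enable -inputplist` reads from stdin.
build_input_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Classify the first line of `fdesetup status` output: on / off / unknown.
parse_fv_status() {
  case "$1" in
    "FileVault is On."*)  echo on ;;
    "FileVault is Off."*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Enable FileVault for the account; skip if already on, refuse empty credentials.
enable_filevault() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "username and password are required" >&2
    return 2
  fi
  if [ "$(parse_fv_status "$(fdesetup status | head -n 1)")" = on ]; then
    echo "FileVault is already enabled"
    return 0
  fi
  build_input_plist "$1" "$2" | fdesetup enable -inputplist
}
# Act only where fdesetup exists (macOS); the functions stay callable elsewhere.
if command -v fdesetup >/dev/null 2>&1 && [ -n "${FV_USER:-}" ]; then
  enable_filevault "$FV_USER" "${FV_PASS:-}"
fi
```

The empty-credential check is there because the blank-password warning listed under Common errors is the usual symptom when a placeholder was left unfilled.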

Disable FileVault

Execute this script to disable FileVault without manual intervention.

What happens at the device end?

After pushing the script from the terminal, the disk encryption process begins silently without prompting the user. You can refer to this script document to check the encryption status.

Common errors

  • Warning: One or more Secure Token users, including Username has a blank password. Filevault enabling requires all users to have a password.

    Solution: Set a password for the Username specified.

  • Warning: master keychain was found. Add -keychain to explicitly specify the master keychain.

    Reason: The fdesetup utility is unable to determine which keychain to use to access the master encryption key for FileVault full-disk encryption.

    Solution: To resolve this error, you need to explicitly specify the keychain to use by adding the -keychain option to the fdesetup command.
    For example:

    In this command, /Library/Keychains/System.keychain is the path to the system keychain, which is the master keychain used by the operating system to store sensitive information like encryption keys.

Notes:

  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system caused by the behaviour of the script.

  • Sample Script Repository