Managing FileVault in macOS
On devices with macOS, organizations can manage FileVault using SecureToken or Bootstrap Token.
Using Secure Token
Apple File System (APFS) in macOS 10.13 or later changes how FileVault encryption keys are generated. In previous versions of macOS on CoreStorage volumes, the keys used in the FileVault encryption process were created when a user or organization turned on FileVault on a Mac. On devices with macOS on APFS volumes, the keys are generated either during user creation, setting the first user’s password, or during the first login by a user of the Mac. This implementation of the encryption keys, when they’re generated, and how they’re stored are all part of a feature known as Secure Token. Specifically, a secure token is a wrapped version of a key encryption key (KEK) protected by a userʼs password.
When deploying FileVault on APFS, the user can continue to:
Use existing tools and processes, such as a personal recovery key (PRK) that can be stored with a mobile device management (MDM) solution for escrow
Defer enablement of FileVault until a user logs into or out of the Mac
Create and use an institutional recovery key (IRK)
In macOS 11, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken
to the programmatically created user’s AuthenticationAuthority
attribute prior to setting the user’s password, as shown below:
sudo dscl . append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"
Using Bootstrap Token
macOS 10.15 introduced a new feature—Bootstrap Token—to help with granting a secure token to both mobile accounts and the optional device enrollment-created administrator account (“managed administrator”). In macOS 11, a bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts. Using the Bootstrap Token feature of macOS 10.15 or later requires:
Mac enrollment in MDM using Apple School Manager or Apple Business Manager, which makes the Mac supervised
MDM vendor support
In macOS 10.15.4 or later, a bootstrap token is generated and escrowed to MDM on the first login by any user who is Secure Token–enabled if the MDM solution supports the feature. A bootstrap token can also be generated and escrowed to MDM using the profiles
command-line tool, if needed.
In macOS 11, a bootstrap token may also be used for more than just granting secure token to user accounts. On a Mac with Apple silicon, a bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
Institutional versus personal recovery keys
FileVault on both CoreStorage and APFS volumes supports using an institutional recovery key (IRK, previously known as a FileVault Master identity) to unlock the volume. Though an IRK is useful for command-line operations to unlock a volume or turn off FileVault altogether, its utility for organizations is limited, especially in recent versions of macOS. And on a Mac with Apple silicon, IRKs provide no functional value for two primary reasons: First, IRKs can’t be used to access recoveryOS, and second, because target disk mode is no longer supported, the volume can’t be unlocked by connecting it to another Mac. For those reasons and more, the use of an IRK is no longer recommended for institutional management of FileVault on Mac computers. Instead, a personal recovery key (PRK) should be used.