
Intro to FileVault and Firewall
Understanding how FileVault protects a Mac and the options for storing a personal recovery key helps you support users with an important security feature.
If users store sensitive information on their Mac—for example, your company’s financial data—you can use FileVault to protect files and prevent unauthorized access or copying.
On a Mac with Apple silicon, user data is encrypted automatically. Turning on FileVault adds another layer of security by requiring a login password to decrypt data, even if someone has physical access to the Mac.
FileVault also activates other security features. For example, users need to enter a password to log in when the Mac wakes from sleep or after leaving the screen saver.
After FileVault is turned on, a Mac requires user credentials during the startup process. On a Mac with macOS 26 or later, you can unlock FileVault over SSH after a restart if Remote Login is turned on and a network connection is available.
A device management service administrator will typically turn on FileVault and escrow a personal recovery key (PRK) as part of an organization’s security policy. This ensures that only a user with a local administrator account can decrypt the data volume or access macOS Recovery. A device management service administrator may also configure a recoveryOS password (sometimes called Recovery Lock). A recoveryOS password adds protection by requiring you to enter a password from the device management service to access macOS Recovery.
macOS includes a built-in adaptive firewall to protect the Mac from network access and denial-of-service attacks. It can be configured by going to System Settings > Privacy & Security, or by using a configuration profile with the Firewall payload installed manually or provided by a device management service.
The firewall in macOS can be configured to:
Block all incoming connections, regardless of app.
Automatically allow built-in software to receive incoming connections.
Automatically allow downloaded and signed software to receive incoming connections.
Add or deny access based on user-specified apps.
Prevent the Mac from responding to ICMP (Internet Control Message Protocol) probing and portscan requests.
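As an added example (not part of this Apple page), the options listed above map one-to-one onto the keys of a device management Firewall payload; the code builds a weak payload beside a hardened one and audits each against a simple baseline. The key names follow Apple's published Firewall payload (com.apple.security.firewall); the payload identifiers, the bundle ID and the baseline itself are assumptions for illustration.

```python
# Added example, not from the Apple page: build and audit a Firewall
# configuration-profile payload. Key names follow Apple's Firewall payload
# (com.apple.security.firewall); identifiers and the bundle ID are placeholders.
import uuid

FIREWALL_PAYLOAD_TYPE = "com.apple.security.firewall"


def firewall_payload(enable=True, block_all=False, stealth=True,
                     allow_builtin_signed=True, allow_downloaded_signed=False,
                     apps=()):
    """One Firewall payload dict, one key per option the page lists."""
    return {
        "PayloadType": FIREWALL_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.firewall.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "EnableFirewall": enable,
        "BlockAllIncoming": block_all,         # block all incoming connections
        "EnableStealthMode": stealth,          # ignore ICMP probes / port scans
        "AllowSigned": allow_builtin_signed,   # built-in software may listen
        "AllowSignedApp": allow_downloaded_signed,  # downloaded signed software
        # per-app allow/deny list, given as [(bundle_id, allowed), ...]
        "Applications": [{"BundleID": b, "Allowed": a} for b, a in apps],
    }


def audit_firewall_payload(payload):
    """Return policy findings; an empty list means the payload meets the baseline.
    Baseline assumed here (not from the page): firewall on, stealth mode on,
    no blanket allow for downloaded signed apps, allow entries name a BundleID.
    """
    if payload.get("PayloadType") != FIREWALL_PAYLOAD_TYPE:
        return ["not a Firewall payload"]
    findings = []
    if not payload.get("EnableFirewall", False):
        findings.append("EnableFirewall false: firewall is off")
    if not payload.get("EnableStealthMode", False):
        findings.append("EnableStealthMode false: Mac answers ICMP probes and port scans")
    if payload.get("AllowSignedApp", False):
        findings.append("AllowSignedApp true: any downloaded signed app may listen")
    findings += ["Allowed entry without BundleID"
                 for app in payload.get("Applications", [])
                 if app.get("Allowed") and not app.get("BundleID")]
    return findings


if __name__ == "__main__":
    weak = firewall_payload(enable=False, stealth=False, allow_downloaded_signed=True)
    hardened = firewall_payload(apps=[("com.example.backupagent", True)])
    print(audit_firewall_payload(weak))       # three findings
    print(audit_firewall_payload(hardened))   # []
```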