About

To get started on encrypting your macOS devices with FileVault 2. 

Getting Started

What is FileVault?

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. This feature comes already built-in to macOS.

What is a Secure Token?

A Secure Token is a user attribute that needs to be added to a user before that user can unlock the OS on boot. FileVault 2 relies on Secure Tokens to determine which users can unlock the encrypted partitions on FileVault devices.

The Secure Token is automatically given to the account that gets created during first time setup.

What does the user experience look like?

Once FileVault is enabled and the device is encrypted, there will be a new startup experience with a FileVault login screen, and will occur upon every restart. This login looks like the traditional macOS login screen and can easily be mistaken as such. 

The available users that can be selected to login are based on the users that have a Secure Token on their account.  

Once a user logins into FileVault, the default configuration will have that account automatically login and skip the macOS login screen. If you want it to go to the macOS login screen, you can modify it, by running the following command in Terminal. 

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

Prerequisites for FileVault

• Device is enrolled into Jamf Pro
  • More Info: Enrolling Devices into Jamf Pro
• Devices have a User assigned to them in Jamf Pro
  • More Info: Assigning a User to a Computer in Jamf Pro
• Users have a Secure Token on their device.
  • More Info: Granting an Assigned User a Secure Token using Jamf Pro

Enabling FileVault

Using a Jamf Pro Policy

Use the following guide here: Deploying a FileVault Policy using Jamf Pro