Troubleshooting: Mac Not Prompting to Enable FileVault Despite Swif.ai FileVault Policy Deployment
Updated over a week ago

Overview

If you’ve confirmed that the Swif.ai FileVault policy is deployed to your Mac but the Mac isn’t prompting you to enable FileVault, a few common issues might be blocking the prompt. This article walks you through the key steps to diagnose and fix the issue.

Note: Once FileVault is turned on, Swif.ai automatically escrows (securely stores) your recovery key. You don’t need to manually manage that key.


1. Verify the Policy Is Installed and In Scope

  1. Check Swif.ai Console

    • Log in to your Swif.ai dashboard and ensure the Mac is included in the correct group or profile for FileVault.

    • Confirm the policy status indicates it has deployed successfully to the device.

  2. Confirm Local Device Receipt

    • On the Mac, open System Settings (or System Preferences) > Profiles.

    • Look for a Swif.ai profile referencing FileVault or disk encryption. If no profile is listed, try re-deploying the policy via Swif.ai.


2. Log Out (or Restart) Properly to Trigger the Prompt

  • On macOS Catalina or later, the FileVault prompt usually appears upon logging out and back in (rather than just restarting).

  • For macOS Mojave or earlier, a restart may trigger the prompt.

  • Try logging out (Apple menu > Log Out) and then logging in again. If that doesn’t work, try a full shutdown and restart, then log back in.


3. Confirm the User Has Admin Permission and a Secure Token

3A. Check If the User Is an Admin

  • Open System Settings > Users & Groups and confirm the user in question is listed as Administrator.

  • If they have a Standard account, consider making them an admin or having an existing admin user enable FileVault.

3B. Check Secure Token Status

  1. Open Terminal and run:

    sysadminctl -secureTokenStatus <username>

    Replace <username> with the short name of the user who should see the FileVault prompt.

    • If it says “Secure token is ENABLED,” proceed.

    • If it says “Secure token is DISABLED,” you must enable it.

  2. Enable Secure Token (If Disabled)

    • Log in with an admin account that does have a Secure Token.

    • Run:

      sysadminctl -secureTokenOn <username> \
        -password <userPassword> \
        -adminUser <adminName> \
        -adminPassword <adminPassword>

      Replace the placeholders with real credentials.

    • After granting a token, log out/in with the target user to see if the prompt appears.


4. Check for Swif.ai Deferral Settings or User Deferrals

Some organizations allow FileVault deferrals via their Swif.ai policy. This lets users postpone enabling FileVault for a set number of logins or restarts. If a user has repeatedly deferred, the system may temporarily stop prompting.

  1. Review the Swif.ai Policy

    • In your Swif.ai console, check how many deferrals are allowed and how prompts are triggered (e.g., at login, logout, or after a certain number of days).

    • If the user has exhausted deferrals or previously canceled the prompt too many times, the Mac might not show it again automatically.

  2. Re-Push or Adjust the Policy

    • If you suspect the Mac got stuck in a deferral state, consider removing the device from the FileVault scope, saving changes, then adding it back.

    • Prompt the user to log out and back in after you reassign the policy. In many cases, this reinitializes the prompt sequence.


5. Disable Automatic Login and Confirm a Valid Password

  • Check Automatic Login

    • Go to System Settings > Users & Groups > Login Options and ensure Automatic login is off.

    • macOS needs a password at startup for FileVault, so it won’t prompt you if auto-login is enabled.

  • Verify the User Has a Password

    • If the user account has no password or a blank password, FileVault cannot be turned on.

    • Set or reset the account password if necessary.


6. Look for Conflicting Keychains or Encryption Artifacts

Sometimes older encryption setups or leftover keychains can silently block FileVault prompts.

6A. Check Current FileVault Status (via Terminal)

  1. In Terminal, run:

    fdesetup status

    • It should say “FileVault is Off” if encryption isn’t enabled yet.

  2. Then run:

    sudo fdesetup list

    • If FileVault is truly off, this usually returns nothing or an error.

    • If it lists users, it may indicate a partial or deferred FileVault setup from the past.

6B. Remove Institutional Keychain If Present

  1. Check for a FileVaultMaster.keychain:

    ls /Library/Keychains/FileVaultMaster.keychain

    • If this file is present but you’re not intentionally using an institutional recovery key, remove it (while FileVault is off):

      sudo rm /Library/Keychains/FileVaultMaster.keychain

    • Then log out/in or restart to see if the prompt appears.

6C. Remove Deferred Setup Plist (Advanced)

If a deferred setup was configured in the past (e.g., via fdesetup enable -defer), the Mac might think a prompt is already scheduled, or it may be stuck.

  1. Check the deferred plist:

    sudo defaults read /Library/Preferences/com.apple.fdesetup.plist

  2. If it’s referencing a deferred user but not prompting, remove it:

    sudo rm /Library/Preferences/com.apple.fdesetup.plist

  3. Re-push the Swif.ai FileVault policy or run fdesetup enable -defer again if needed. Log out/in to trigger a fresh prompt.
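
A read-only script that gathers the checks from sections 3, 5 and 6 in one pass, as an added example rather than Swif.ai's own tooling. The dseditgroup admin check and the autoLoginUser preference key are assumptions of this example (the article performs those two checks in System Settings), and the finding labels printed by triage are made up here.

```shell
#!/bin/sh
# Added example (not Swif.ai tooling): read-only triage for sections 3, 5, 6.
# Map `fdesetup status` text to on/off/unknown.
fv_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Map `sysadminctl -secureTokenStatus` text to enabled/disabled/unknown.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# triage FV_TEXT TOKEN_TEXT IS_ADMIN AUTOLOGIN_USER KEYCHAIN PLIST
# Prints one line per finding, nothing when no blocker is found.
triage() {
  if [ "$(fv_state "$1")" = on ]; then echo "FileVault already on"; return 0; fi
  [ "$(token_state "$2")" = enabled ] || echo "3B: Secure Token not confirmed"
  [ "$3" = yes ] || echo "3A: user is not an admin"
  [ -z "$4" ] || echo "5: automatic login is enabled for $4"
  [ "$5" != yes ] || echo "6B: FileVaultMaster.keychain is present"
  [ "$6" != yes ] || echo "6C: deferred setup plist is present"
  return 0
}

# Gather inputs on the Mac. The dseditgroup and autoLoginUser checks are
# assumptions of this example; the article does these two in System Settings.
collect() {
  user=${1:-$(id -un)}; admin=no; kc=no; plist=no
  dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1 && admin=yes
  [ ! -e /Library/Keychains/FileVaultMaster.keychain ] || kc=yes
  [ ! -e /Library/Preferences/com.apple.fdesetup.plist ] || plist=yes
  auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null) || auto=""
  triage "$(fdesetup status 2>&1)" \
    "$(sysadminctl -secureTokenStatus "$user" 2>&1)" "$admin" "$auto" "$kc" "$plist"
}

if command -v fdesetup >/dev/null 2>&1; then
  collect "$@"    # on a Mac: real data
else              # elsewhere: constructed sample output
  triage "FileVault is Off." "Secure token is DISABLED for user jdoe" yes "" yes no
fi
```

Run it as the user who should see the prompt, or pass that user's short name as the first argument. No output means none of these blockers was detected.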


7. Manually Enable FileVault (Optional Testing)

If the Mac still won’t show a prompt:

  1. In Terminal, run:

    sudo fdesetup enable

  2. Enter credentials for a Secure Token–enabled admin user when prompted.

  3. If it succeeds, FileVault should begin encrypting the disk immediately.

  4. If it fails with a secure token or keychain error, refer back to the relevant step above to fix the root cause.


8. Confirm FileVault Has Started Encrypting

  • System Settings > Privacy & Security > FileVault:

    • You should see “FileVault is turning on” or “FileVault is on.”

  • Terminal:

    fdesetup status

    • It will say “FileVault is On” once encryption is active (or in progress).


Conclusion

  1. Confirm the Swif.ai FileVault policy is deployed correctly.

  2. Trigger the prompt by logging out/in or rebooting—depending on your macOS version.

  3. Verify the user is an admin with a Secure Token, and check that no deferrals or conflicting artifacts are blocking the prompt.

  4. Use Terminal commands (fdesetup status, fdesetup enable) to diagnose advanced issues.

With these steps, you can typically resolve why the Mac isn’t prompting for FileVault. Once enabled, Swif.ai automatically escrows your recovery key. If you continue experiencing issues, please reach out to your IT admin or Swif.ai Support.
