Overview
FileVault is Apple's full-disk encryption (FDE) feature that protects data on your Mac's startup disk using XTS-AES-128 encryption with a 256-bit key. Swif can securely escrow your FileVault recovery key so your IT team can assist with disk access if needed.
If the recovery key displayed in Swif is missing or outdated, you can use the Refresh button to trigger a new key retrieval. This article explains how the refresh process works, what happens behind the scenes, and what to expect if it fails.
Prerequisites
The macOS device must be enrolled in Swif MDM.
FileVault must be enabled on the device.
A FileVault policy with Escrow Recovery enabled must be assigned to the device.
How to Refresh the Recovery Key
Log in to the Swif web app (or EU instance).
Navigate to Inventory > Devices.
Select the macOS device you want to refresh the recovery key for.
Go to the Security tab.
Click the Refresh button next to the Recovery Key section.
Once clicked, Swif initiates the recovery key refresh workflow on the device.
How the Refresh Workflow Works (Technical Detail)
When you click Refresh, the system follows a multi-step process involving the MDM Server, the Swif Agent, and the Swif Desktop App:
Step 1 — Security Information Request
Swif requests the latest security information from Apple for the device.
Step 2 — Key Check & Decryption
If an FDE (FileVault) policy exists, the system checks whether the recovery key data is included in Apple's response:
If the key IS received: The system decrypts it and stores it via a Kafka callback. The key will appear in the Security tab.
If the key is NOT received: This typically means FileVault was enabled before Swif enrollment. Apple does not share existing recovery keys with MDM solutions enrolled after the fact. The system proceeds to Step 3.
Step 3 — Agent-Based Key Replacement (Command FDE_CHANGE_RECOVERY_ADMIN)
The FDE_CHANGE_RECOVERY_ADMIN command is sent to the Swif Agent on the device. This command:
Uses the Swif Admin account password to replace the existing FileVault recovery key with a new one.
Sends the newly generated key information to the server.
The server fetches security info again to confirm and escrow the key.
If this succeeds, the recovery key is stored and displayed.
Step 4 — Desktop App Fallback (Command ASK_FDE)
If Step 3 fails (e.g., the Swif Admin account is locked, or the command returns an error), the ASK_FDE command is sent to the agent:
The Swif Agent opens the Swif Desktop App on the user's machine.
The Desktop App prompts the logged-in user to enter their macOS login password.
If the password is correct, the Desktop App replaces the FileVault key using the user's password.
The new key is sent to the server, the server fetches security info, encrypts the key, and stores it via a Kafka callback.
Step 5 — Daily Retry (Automatic)
If the user closes the Desktop App without entering a password (or if the entire workflow fails), the system automatically retries the full workflow once every 24 hours. The retry resets the process and starts again from Step 3.
Note: The retry is limited to once per day to avoid overwhelming users with repeated prompts. Previous feedback indicated that more frequent prompts were disruptive.
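Underneath Steps 3 and 4, the key replacement is the same operation with different credentials: a personal recovery key rotation authorized by a SecureToken-enabled account (the Swif Admin account in Step 3, the logged-in user in Step 4). The script below is an added example that performs that rotation with Apple's fdesetup tool; it is not Swif's agent or Desktop App code, and the account name swifadmin, the sudo call and the plist layout are assumptions based on fdesetup's -inputplist/-outputplist usage.

```shell
#!/bin/sh
# Added example (not Swif's code): rotate the FileVault personal recovery key
# the way Steps 3 and 4 do, using fdesetup. Account names are placeholders.

# Escape XML-special characters so a password containing them does not
# break the plist handed to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the -inputplist document: the authorizing (SecureToken-enabled)
# account and its password. Assumed layout: Username and Password keys.
build_fdesetup_plist() {
    _user=$(xml_escape "$1"); _pass=$(xml_escape "$2")
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' \
        "<key>Username</key><string>${_user}</string>" \
        "<key>Password</key><string>${_pass}</string>" \
        '</dict></plist>'
}

# Pull the new key out of the multi-line -outputplist document on stdin:
# the <string> that follows <key>RecoveryKey</key>.
extract_recovery_key() {
    awk '/<key>RecoveryKey<\/key>/ {found=1; next}
         found && /<string>/ {sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit}'
}

# Rotate the personal recovery key for the given authorizing account.
# The password is read from stdin, never passed as an argument, so it does
# not show up in the process list. Prints only the new key on success.
rotate_personal_recovery_key() {
    _acct="$1"; IFS= read -r _pw
    _out=$(build_fdesetup_plist "$_acct" "$_pw" |
           sudo fdesetup changerecovery -personal -outputplist -inputplist) || return 1
    printf '%s\n' "$_out" | extract_recovery_key
}

# Usage on the Mac itself (e.g. via Live Terminal); swifadmin is a placeholder:
#   printf '%s\n' "$ADMIN_PASSWORD" | sh rotate.sh swifadmin
[ $# -eq 0 ] || rotate_personal_recovery_key "$1"
```

The printed key is what an escrow step would send to the server; a wrong or locked account makes fdesetup fail and the function return non-zero, which is the condition that sends the page's workflow on to Step 4.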
Important Limitation: When the Refresh Button Will NOT Work Immediately
If all three of the following conditions are true simultaneously:
The FileVault recovery key has never been successfully retrieved before.
The Swif Admin account cannot recover itself (e.g., it is locked and has not yet been recreated).
The user closed the Desktop App without entering their password on the first prompt.
Then the system cannot retrieve the recovery key until the next day. The Desktop App will open again after 24 hours for another attempt.
This is not a bug — it is a design constraint due to the complexity of coordinating three components (MDM Server, Agent, and Desktop App).
Why the Swif Admin Account May Become Locked
Swif periodically checks whether the Swif Admin password stored on the server matches the one on the device. In some cases, macOS may detect these authentication attempts as a brute-force attack and automatically lock the account.
When this happens:
The system detects the locked state.
An unlock request is sent. If unsuccessful, the Swif Admin account is deleted and recreated.
Once recreated, the ASK_FDE and FDE_CHANGE_RECOVERY_ADMIN statuses are reset.
On the next daily retry, the workflow starts from the beginning again.
Note: The Refresh button does not directly handle Swif Admin lock detection or recovery. That is managed by a separate automated process. The FDE refresh workflow is specifically for recovery key retrieval.
When Will I See the Recovery Key?
| Scenario | Expected Time |
| --- | --- |
| FileVault enabled after Swif enrollment | Key is escrowed immediately via MDM profile — no action needed. |
| Agent refresh succeeds (Step 3) | Within a few minutes of clicking Refresh. |
| Desktop App prompt succeeds (Step 4) | As soon as the user enters their password. |
| User dismissed the Desktop App | Up to 24 hours (next automatic retry). |
| Swif Admin locked + user dismissed prompt | Up to 24–48 hours (Swif Admin recovery + next retry cycle). |
BYOD Limitation
Apple's FileVault policy does not support BYOD-enrolled macOS devices. This means the FileVault recovery key cannot be retrieved or refreshed on BYOD devices, regardless of whether Swif Admin is enabled or the agent-based INFORMATION_SECURITY_INFO command is used.
This was confirmed through testing:
FileVault was enabled on the device before enrolling it as BYOD.
The device was enrolled and the INFORMATION_SECURITY_INFO agent-based security info command was executed.
Apple's FileVault Policy returned no recovery key data — BYOD enrollments lack the necessary MDM permissions for recovery key escrow.
Resolution: To enable FileVault recovery key escrow, the device must be re-enrolled as company-owned. BYOD enrollments do not grant Swif (or any MDM solution) the permissions required to escrow or rotate FileVault recovery keys.
Troubleshooting
The recovery key is still missing after clicking Refresh
| Possible Cause | Resolution |
| --- | --- |
| FileVault was enabled before Swif enrollment | Apple doesn't share existing keys with MDM. Swif must generate a new one using the workflow above. This is expected. |
| Swif Admin account is locked | macOS may have detected authentication checks as suspicious and locked the account. The system automatically deletes and recreates it. Wait for the next daily retry. |
| User closed the Desktop App without entering a password | The workflow will retry after 24 hours and the Desktop App will open again. Ask the user to enter their macOS login password when prompted. |
| All three failure conditions met simultaneously | The key cannot be retrieved until the next day. No manual intervention is possible — the system will retry automatically. |
| Device Live Terminal is disabled | IT cannot review device logs remotely. The automated workflow will continue to retry, but manual troubleshooting is limited. |
| Device is enrolled as BYOD | Apple's FileVault policy does not support BYOD enrollments. The recovery key cannot be retrieved regardless of Swif Admin status. Re-enroll the device as company-owned to enable recovery key escrow. |
The Desktop App keeps prompting for a password
This means the agent-based refresh (Step 3) is failing repeatedly, and the system is falling back to the user-assisted method each day. Once the user enters their correct macOS login password, the prompts will stop permanently (for that device).
The Refresh button returned success but the key still doesn't appear
The Refresh button triggers the workflow, but the actual key retrieval is asynchronous. A "success" response means the command was accepted — not that the key was already retrieved. Allow time for the full workflow to complete.
Summary: How FileVault Recovery Key Escrow Works
| Scenario | Method | User Action Required? |
| --- | --- | --- |
| FileVault enabled after Swif enrollment | Automatic via MDM profile | No |
| FileVault enabled before Swif enrollment — Swif Admin healthy | Agent replaces the key using Swif Admin | No |
| FileVault enabled before enrollment — Swif Admin locked/unavailable | Desktop App prompts for user password | Yes — enter macOS password |
| All above methods fail on first attempt | Automatic daily retry (resets workflow) | Possibly — Desktop App may prompt again |
| BYOD-enrolled macOS device | Not supported — Apple does not grant MDM recovery key permissions for BYOD | N/A — device must be re-enrolled as company-owned |
Frequently Asked Questions
Q: Does refreshing the recovery key change my FileVault password?
No. Refreshing replaces only the recovery key itself. Your login password and FileVault unlock password remain unchanged.
Q: Can I refresh the recovery key remotely?
Yes. Clicking Refresh sends the command remotely. However, if the automatic agent method fails, the end user will need to interact with the Desktop App on the device.
Q: Why can't the system automatically unlock Swif Admin and immediately refresh?
The FDE refresh workflow and the Swif Admin account management are separate processes. Due to the complexity of coordinating the MDM Server, Agent, and Desktop App, the system cannot combine lock detection with immediate FDE key refresh in a single button click. The automated account recovery process handles lock resolution independently.
Q: How often does the system retry if the refresh fails?
Once every 24 hours. This limit was set intentionally based on user feedback to avoid overly aggressive prompting.
Q: What happens when Swif Admin is recreated after being locked?
The system resets the internal ASK_FDE and FDE_CHANGE_RECOVERY_ADMIN statuses. On the next refresh trigger, the workflow starts from the beginning again, giving it a fresh attempt with the new Swif Admin credentials.
Related Resources
FileVault Policy configuration in Policies > macOS > FileVault Policy