
macOS FileVault Encryption Policy — Admin Guide

Secure every Mac’s startup disk with Apple’s native, hardware-accelerated encryption while keeping recovery keys at your fingertips in Swif.


1. What the FileVault policy does

Goal | How the policy helps
Full-disk encryption at scale | Enables FileVault automatically once the Mac checks in.
Key escrow & rotation | Escrows the personal recovery key (PRK) to Swif, rotates it on demand, and surfaces it to authorised admins only.
Tamper protection | Blocks users from turning FileVault off or bypassing the enable prompt beyond an admin-set grace period.
Audit evidence | Streams encryption status and key-escrow proof to the Swif Compliance Center / Drata integration.

Minimum macOS version: 10.9 (Mavericks).


2. Creating the policy in Swif

  1. Device Management → Policies → New Policy.

  2. In the catalogue, choose Apple FileVault Policy → Configure.

  3. Complete the Basic Configurations panel as shown below, then Continue to scope and publish.

Setting | Options | What it does
Maximum number of times FileVault can be skipped | Integer 1–9999 (leave blank = users may skip indefinitely; 0 = disable skipping) | How many logins a user may click “Enable Later” before encryption is forced at sign-in.
Encryption Enable | True / False / Null | Toggles FileVault. Set True for almost every deployment.
Prevent Disabling FileVault | True / False | If True, System Settings › Privacy & Security hides the Turn Off button.
Prevent Enabling FileVault | | Rarely used; locks FileVault off for special-purpose Macs.
Recovery Key Escrow | True / False | True escrows the PRK to Swif’s encrypted vault (recommended).
Show Recovery Key | True / False | Controls whether macOS shows the PRK to the user after encryption is activated.

(All Boolean pick-lists also support Null = leave device default unchanged.)
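The settings above correspond to Apple's own FileVault configuration-profile payloads. The following Python is an added example, not Swif's code: it builds such a profile from the policy fields, enforces the blank / 0 / 1–9999 rule for the skip counter, and drops any key set to Null so the device default is left alone. The mapping from each Swif setting to an Apple payload key is my own reading (the page does not publish what Swif generates); `build_filevault_profile`, `find_payload`, the `com.example` identifier prefix and the escrow certificate UUID are assumptions or placeholders.

```python
"""Added example (not Swif's own code): build Apple's FileVault configuration
profile payloads from the Swif policy fields in the table above, handling the
blank-vs-0 "Maximum skips" edge case and Null = leave device default unchanged.
Assumption: the mapping from each Swif setting to an Apple payload key is my own
reading; the page does not publish the payload Swif generates."""
import plistlib
import uuid
from typing import Optional

# Apple's DeferForceAtUserLoginMaxBypassAttempts semantics:
#   -1     = user may skip indefinitely (the "leave blank" case in the table)
#    0     = no skips allowed
#   1-9999 = number of "Enable Later" clicks permitted
UNLIMITED_SKIPS = -1


def skips_to_bypass_attempts(max_skips: Optional[int]) -> int:
    """Map 'Maximum number of times FileVault can be skipped' to Apple's key."""
    if max_skips is None:  # blank field in the Swif UI
        return UNLIMITED_SKIPS
    if not 0 <= max_skips <= 9999:
        raise ValueError(f"max_skips must be blank or 0-9999, got {max_skips}")
    return max_skips


def _payload(payload_type: str, org: str, suffix: str) -> dict:
    """Header keys every payload dictionary needs."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{org}.filevault.{suffix}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
    }


def build_filevault_profile(
    *,
    encryption_enable: Optional[bool] = True,
    max_skips: Optional[int] = None,
    prevent_disabling: Optional[bool] = True,
    prevent_enabling: Optional[bool] = None,
    recovery_key_escrow: bool = True,
    show_recovery_key: Optional[bool] = False,
    escrow_cert_uuid: Optional[str] = None,
    org: str = "com.example",  # placeholder identifier prefix
) -> dict:
    """Return a mobileconfig-style dict. A setting of None ('Null' in the Swif
    pick-list) is omitted entirely so the device default is left unchanged."""
    payloads = []

    if encryption_enable is not None:
        fv = _payload("com.apple.MCX.FileVault2", org, "enable")
        fv.update({
            "Enable": "On" if encryption_enable else "Off",
            "Defer": True,           # prompt the user at login, no admin needed
            "UseRecoveryKey": True,  # generate a personal recovery key (PRK)
            "DeferForceAtUserLoginMaxBypassAttempts": skips_to_bypass_attempts(max_skips),
        })
        if show_recovery_key is not None:
            fv["ShowRecoveryKey"] = show_recovery_key
        payloads.append(fv)

    restrictions = {}
    if prevent_disabling is not None:
        restrictions["dontAllowFDEDisable"] = prevent_disabling  # hides Turn Off
    if prevent_enabling is not None:
        restrictions["dontAllowFDEEnable"] = prevent_enabling
    if restrictions:
        restrictions.update(_payload("com.apple.MCX", org, "restrictions"))
        payloads.append(restrictions)

    if recovery_key_escrow:
        # The PRK is encrypted to a certificate before it leaves the Mac, so the
        # escrow payload must reference a certificate payload's UUID.
        if not escrow_cert_uuid:
            raise ValueError("recovery_key_escrow=True requires escrow_cert_uuid")
        escrow = _payload("com.apple.security.FDERecoveryKeyEscrow", org, "escrow")
        escrow.update({
            "Location": "Your MDM (placeholder text shown to the user)",
            "EncryptCertPayloadUUID": escrow_cert_uuid,
        })
        payloads.append(escrow)

    profile = _payload("Configuration", org, "profile")
    profile.update({"PayloadDisplayName": "FileVault Encryption Policy",
                    "PayloadContent": payloads})
    return profile


def find_payload(profile: dict, payload_type: str) -> Optional[dict]:
    """Return the first payload of the given type, or None if absent."""
    return next((p for p in profile["PayloadContent"]
                 if p["PayloadType"] == payload_type), None)


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)
```

Calling `build_filevault_profile(max_skips=0, escrow_cert_uuid=...)` produces the zero-skip profile recommended for high-risk groups; passing `None` for any Boolean pick-list drops the corresponding key, which is what the Null option above means.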


3. Roll-out workflow

Phase | What happens on the Mac
Policy installed | Swif pushes an Enable FileVault MDM command.
Pre-encryption login | The user sees Apple’s FileVault prompt. If “Skip” is chosen, Swif starts the countdown defined by Maximum skips.
Encryption starts | macOS reboots and begins XTS-AES encryption in the background (off-loaded from the CPU to the T2 / Apple Silicon hardware).
Key escrow | On the first post-reboot check-in, the PRK is sent over APNS to Swif and stored (SHA-256 hashed at rest).
Compliance | The device shows Encrypted in Device Inventory → Security; evidence is synced to Drata/Secureframe hourly.


4. Where to see a Mac’s FileVault Recovery Key (and what happens if it’s missing)

Once your FileVault Encryption Policy is active, Swif automatically tries to escrow the Personal Recovery Key (PRK) from every Mac:

Location | What you’ll see
Device Inventory → Mac → Security tab → “Recovery key” | Either ••••••• (masked; click the eye icon to reveal the key if you have permission) or – (a dash; Swif could not escrow a key for this Mac, see below).

If you have any questions about the importance of the FileVault recovery key, you can read about it here.


5. Why a key might be missing

If FileVault was turned on before Swif was installed, macOS keeps the key local and never shares it. To close the gap, Swif prompts the device owner to regenerate and escrow a fresh key.

End-user experience | Admin result
A Swif Desktop notification appears: “Please regenerate FileVault Recovery Key”. The user types their Mac login password and clicks Generate. | A new PRK is issued, sent securely to Swif, and the Recovery key field now shows ••••••• in the Security tab.

Tip: The prompt reappears every 8 hours until the user completes the flow, or until an admin rotates the key remotely.

Keep this in mind when rolling out FileVault to already-encrypted fleets: the key-regeneration prompt is essential for full compliance evidence.


6. At-a-glance workflow

  1. Policy installs ➜ Swif asks macOS for the current PRK.

  2. Success ➜ Key escrows, visible in the portal.

  3. Fail (key unavailable) ➜ End-user prompt to regenerate.

  4. User submits password ➜ macOS issues a new PRK, Swif escrows it.

  5. Admins can now reveal, rotate, or export the key as usual.
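To confirm on a given Mac which branch of this workflow it is in (step 2 versus step 3), an admin can read what Apple's `fdesetup` tool reports. The script below is an added example, not Swif's or Apple's code; it assumes the output formats of `fdesetup status` and `fdesetup haspersonalrecoverykey` noted in its comments, and the function names `fv_state` and `fv_needs_regeneration` are mine:

```shell
#!/bin/sh
# Added example (not Swif's or Apple's code): classify a Mac's FileVault and
# recovery-key state from the text that `fdesetup` prints, so an admin can spot
# the "encrypted before enrolment, key never escrowed" case described above.
#
# Assumed output formats (what macOS fdesetup prints):
#   fdesetup status                 -> "FileVault is On." / "FileVault is Off.",
#                                      plus, mid-way, a second line such as
#                                      "Encryption in progress: Percent completed = 42."
#   fdesetup haspersonalrecoverykey -> "true" / "false"

# fv_state STATUS_TEXT HASPRK_TEXT
# Prints one of: off, encrypting, decrypting, on-prk-present, on-prk-missing, unknown.
# The "in progress" patterns are tested before the plain "On" pattern because
# the progress line is printed in addition to "FileVault is On.".
fv_state() {
    status_text=$1
    hasprk_text=$2
    case "$status_text" in
        *"FileVault is Off."*)        echo "off" ;;
        *"Encryption in progress"*)   echo "encrypting" ;;
        *"Decryption in progress"*)   echo "decrypting" ;;
        *"FileVault is On."*)
            if [ "$hasprk_text" = "true" ]; then
                echo "on-prk-present"
            else
                echo "on-prk-missing"   # candidate for the regenerate-key prompt
            fi ;;
        *)                            echo "unknown" ;;
    esac
}

# fv_needs_regeneration STATUS_TEXT HASPRK_TEXT
# Exit status 0 when the disk is fully encrypted but no personal recovery key
# exists to escrow, i.e. the user must regenerate one (step 3 above).
fv_needs_regeneration() {
    [ "$(fv_state "$1" "$2")" = "on-prk-missing" ]
}

# Live mode runs only on a Mac, when invoked as: sh fv_check.sh --live
if [ "${1:-}" = "--live" ]; then
    st=$(fdesetup status 2>/dev/null)
    prk=$(fdesetup haspersonalrecoverykey 2>/dev/null)
    echo "FileVault state: $(fv_state "$st" "$prk")"
    if fv_needs_regeneration "$st" "$prk"; then
        echo "Action: user must regenerate the recovery key so it can be escrowed"
    fi
fi
```

Run it with `--live` on the Mac itself (for example from a Swif Playbook or a login script); without the flag it only defines the functions, which is what lets the classification logic be tested off-device with constructed output.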


7. Best-practice checklist

  1. Escrow enabled – otherwise you’ll lose keys on employee off-boarding.

  2. Zero skips in high-risk groups (finance, exec) by setting Maximum skips = 0.

  3. Prevent disabling to stop savvy users from running fdesetup disable.

  4. Pair with the Apple Password Policy to enforce strong login passwords (FileVault uses the same secret).

  5. Add a Compliance Control that flags FileVault = false → auto-remediate with Swif’s Playbooks.


FAQ

Question | Answer
Does FileVault hurt performance? | No measurable impact on Apple Silicon or T2 Macs; encryption is hardware-accelerated.
What if a Mac was already encrypted manually? | The policy still escrows the existing PRK on the next check-in.
Can I store keys in my KMS? | Coming soon via customer-managed vault integration; track it on the Swif Roadmap.

Troubleshoot:

Swif Policy glossary – see All Apple policies article for context.
