macOS FileVault Encryption Policy — Admin Guide
Secure every Mac’s startup disk with Apple’s native, hardware-accelerated encryption while keeping recovery keys at your fingertips in Swif.
1. What the FileVault policy does
Goal | How the policy helps |
Full-disk encryption at scale | Enables FileVault automatically once the Mac checks in. |
Key escrow & rotation | Escrows the personal recovery key (PRK) to Swif, rotates it on demand, and surfaces it to authorised admins only. |
Tamper protection | Blocks users from turning FileVault off or bypassing the enable-prompt beyond an admin-set grace period. |
Audit evidence | Streams encryption status and key-escrow proof to Swif Compliance Center / Drata integration. |
Minimum macOS version: 10.9 (Mavericks).
2. Creating the policy in Swif
Device Management → Policies → New Policy.
In the catalogue, choose Apple FileVault Policy → Configure.
Complete the Basic Configurations panel as shown below, then Continue to scope and publish.
Setting | Options | What it does |
Maximum number of times FileVault can be skipped | Integer | How many logins a user may click “Enable Later” before encryption is forced at sign-in. |
Encryption Enable |
| Toggles FileVault. Set True for almost every deployment. |
Prevent Disabling FileVault |
| If True, System Settings › Privacy & Security hides the Turn Off button. |
Prevent Enabling FileVault | Rarely used; lock FileVault off for special-purpose Macs. |
|
Recovery Key Escrow |
| True escrows the PRK to Swif’s encrypted vault (recommended). |
Show Recovery Key |
| Controls whether macOS shows the PRK to the user after encryption is activated. |
(All Boolean pick-lists also support Null = leave device default unchanged.)
3. Roll-out workflow
Phase | What happens on the Mac |
Policy installed | Swif pushes an Enable FileVault MDM command. |
Pre-encryption login | User sees Apple’s FileVault prompt. If “Skip” is chosen, Swif starts countdown based on Maximum skips. |
Encryption starts | macOS reboots, begins XTS-AES encryption in the background (CPU off-loading to T2/Apple Silicon). |
Key escrow | On the first post-reboot check-in, the PRK is sent over APNS to Swif and stored (SHA-256 hashed at rest). |
Compliance | Device shows Encrypted in Device Inventory → Security; evidence is synced to Drata/Secureframe hourly. |
4. Where to see a Mac’s FileVault Recovery Key (and what happens if it’s missing)
Once your FileVault Encryption Policy is active, Swif automatically tries to escrow the Personal Recovery Key (PRK) from every Mac:
Location | What you’ll see |
Device Inventory → Mac → Security tab → “Recovery key”  | • ••••••• (masked) – click the eye icon to reveal if you have permission.• — (dash) – Swif could not escrow a key for this Mac (see below). |
If you have any questions about the importance of the FileVault recovery key, you can read it here.
5. Why a key might be missing
If FileVault was turned on before Swif was installed, macOS keeps the key local and never shares it. To close the gap, Swif prompts the device owner to regenerate and escrow a fresh key.
End-user experience | Admin result |
A Swif Desktop notification appears: “Please regenerate FileVault Recovery Key”. The user types their Mac login password and clicks Generate.  | A new PRK is issued, sent securely to Swif, and the Recovery key field now shows ••••••• in the Security tab. |
Tip: The prompt reappears every 8 hours until the user completes the flow, or until an admin rotates the key remotely.
Keep this in mind when rolling out FileVault to already-encrypted fleets: the key-regeneration prompt is essential for full compliance evidence.
6. At-a-glance workflow
Policy installs ➜ Swif asks macOS for the current PRK.
Success ➜ Key escrows, visible in the portal.
Fail (key unavailable) ➜ End-user prompt to regenerate.
User submits password ➜ macOS issues a new PRK, Swif escrows it.
Admins can now reveal, rotate, or export the key as usual.
7. Best-practice checklist
Escrow enabled – otherwise you’ll lose keys on employee off-boarding.
Zero skips in high-risk groups (finance, exec) by setting Maximum skips = 0.
Prevent disabling to stop savvy users from running
fdesetup disable.Pair with the Apple Password Policy to enforce strong login passwords (FileVault uses the same secret).
Add a Compliance Control that flags FileVault = false → auto-remediate with Swif’s Playbooks.
FAQ
Question | Answer |
Does FileVault hurt performance? | No measurable impact on Apple Silicon or T2 Macs; encryption is hardware-accelerated. |
What if a Mac was already encrypted manually? | Policy still escrows the existing PRK on the next check-in. |
Can I store keys in my KMS? | Coming soon via customer-managed vault integration; track on Swif Roadmap. |
Troubleshoot:
Swif Policy glossary – see All Apple policies article for context.