Configure FileVault Encryption for macOS Devices using Intune

Last Updated: September 8, 2025

In this guide, you’ll learn how to configure FileVault disk encryption for macOS using Intune. I will demonstrate different methods with which you can encrypt Mac devices with FileVault and manage recovery keys from the Intune admin center.

Like BitLocker on Windows, macOS ships with a built-in disk encryption feature called FileVault, which provides full-disk encryption for the Mac's startup volume. With FileVault enabled, the data on a lost or stolen Mac cannot be read without the user's login password or the recovery key, which is why it is a baseline control for managed devices. You can also enable the macOS Firewall with Intune to harden your devices further.

If your organization has enrolled Mac devices in Intune, it is recommended that you use the Intune policy to configure and manage the macOS FileVault instead of allowing users to do so. With Intune, you can deploy policies to enable macOS FileVault disk encryption and then manage recovery keys on devices that run macOS 10.13 or later.


Prerequisites

To enable macOS FileVault using Intune, ensure the following prerequisites are met.

  • To encrypt Mac devices with FileVault via Intune, the devices must be running macOS 10.13 or later.
  • The macOS devices must be enrolled in Intune.
  • Mac devices must be online to receive the policies from Intune.
  • Intune cannot manage FileVault on a Mac that the user encrypted before the Intune policy reached it: such a device reports as encrypted, but Intune holds no escrowed recovery key for it. Deploy the policy before users turn on FileVault themselves, or have the existing personal recovery key rotated or uploaded under the policy so that Intune can escrow it.

Update: After updating your Mac to Sonoma version 14.6, you’ll see a FileVault Disk Encryption window before you sign in. If you’ve already enabled FileVault encryption, you’ll not see this window.

FileVault Disk Encryption on Mac

Role-based access controls to manage FileVault

To manage FileVault in Intune, your account must be assigned an Intune role-based access control (RBAC) role that includes the Remote tasks permission with the Rotate FileVault key set to Yes.

You can add this permission to your own custom RBAC roles or use one of the following built-in RBAC roles that include these rights:

  • Help Desk Operator
  • Endpoint Security Administrator

A Global Administrator has full permission to configure FileVault in Intune. To manage BitLocker for Windows 10/11, see Manage BitLocker policy.

Ways to enforce macOS FileVault via Intune

With Microsoft Intune, you can use any of the following policy types to configure FileVault on your managed Mac devices:

  1. Endpoint Security policy
  2. Device Configuration policy
  3. Settings catalog policy

If you are wondering which method to use, the answer is Settings Catalog. It exposes FileVault settings that the endpoint security and endpoint protection templates do not, such as preventing users from turning FileVault off, so it gives you the tightest control over the end state.

This tutorial explores all the available methods for using Intune to activate FileVault, allowing you to select the approach that best aligns with your organization’s needs.

Method 1: Enable FileVault using Device Configuration Policy

FileVault settings are one of the available settings categories for macOS endpoint protection. Follow the below steps to create a new device configuration policy for enabling FileVault:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > macOS > Configuration.
  • On the Policies tab, select Create.
  • On the Create a profile page, set the following options, and then select Create:
    • Platform: macOS
    • Profile type: Templates
    • Template name: Endpoint protection
Create a Device Configuration Policy for enabling macOS FileVault

On the Basics page, enter the following:

  • Name: Enter a descriptive name for the policy. For example, FileVault for Mac Configuration Policy
  • Description: Enter a description for the policy. This setting is optional, but recommended.

Click Next to continue.

Create a Device Configuration Policy for enabling macOS FileVault

On the Configuration Settings page, configure the following settings:

  • Enable FileVault: Select Yes to turn on FileVault.
  • Escrow location description of personal recovery key: Text that reminds users how to retrieve their escrowed personal recovery key. Users see this message when they choose the recovery key option on the lock screen, or when they try to disable and re-enable FileVault manually.
  • Personal recovery key rotation: How often, in months, the personal recovery key for the device is rotated; each new key is escrowed to Intune. For example, set it to 6 months.
Enable FileVault disk encryption for macOS with Intune

Scroll down to configure the additional FileVault options:

  • Hide recovery key: Select Yes so the personal recovery key is not shown on the user's screen when FileVault is enabled. The key is still escrowed to Intune and the user can retrieve it later from the Company Portal, so hiding it reduces the chance of it being photographed or written down.
  • Disable prompt at sign out: Select Yes to disable the prompt for the user to enable FileVault when they sign out.
  • Number of times allowed to bypass: Set the number of times the user can ignore prompts to enable FileVault before FileVault will be required for the user to sign in. In this example, we have set the value to 3.

Click Next.

Configure FileVault disk encryption for macOS with Intune

On the Assignments page, select macOS groups to receive this profile. Click Next.

Assign macOS FileVault policy

On the Review + create page, when you’re done, choose Create. The FileVault profile is displayed in the list of Configuration Profiles for macOS devices.

Create Device Configuration Policy for macOS FileVault

Method 2: Configure FileVault using Endpoint Security Policy

You can configure FileVault disk encryption for macOS using an endpoint security policy in Intune. Here’s how you create an endpoint security policy for FileVault:

  • Sign in to the Microsoft Intune admin center.
  • Select Endpoint security > Disk encryption > Create Policy.
  • On the Basics page, enter the following properties, and then choose Next.
    • Platform: macOS
    • Profile: FileVault
Create endpoint security policy for macOS FileVault

On the Basics page, enter the following:

  • Name: Enter a descriptive name for the policy. For example, macOS FileVault Endpoint Security Policy
  • Description: Enter a description for the policy. This setting is optional, but recommended.

Click Next to continue.

Create endpoint security policy for macOS FileVault

On the Configuration settings page, configure the following:

  • Enable FileVault: Set to Yes.
  • Recovery key type: Choose Personal Recovery Key.
  • Personal recovery key rotation: Set to 6 months or your own value.
  • Escrow location description of personal recovery key: Text that reminds users how they can retrieve their stored personal recovery key.
  • Disable prompt at sign out: Select Yes to stop prompting the user to enable FileVault when they sign out.
  • Allow deferral until sign out: Leave at Yes (the default). FileVault needs the user's login password to start encrypting, so Intune cannot turn it on silently; with deferral the user is prompted at sign-in or sign-out and encryption starts once they accept.
  • Hide recovery key: Select Yes so the personal recovery key is not shown on the user's screen when FileVault is enabled. The key is still escrowed to Intune and the user can retrieve it from the Company Portal, so hiding it reduces the chance of it being photographed or written down.

Click Next to continue.

Enable FileVault on Mac using Intune Endpoint Security

Assign the FileVault endpoint security policy to macOS groups. Click Next.

Assign macOS FileVault disk encryption security policy

On the Review + Create page, click on Create to deploy macOS FileVault disk encryption security policy in Intune.

Create macOS FileVault disk encryption security policy in Intune

Method 3: Configure FileVault using Settings Catalog Policy

Let’s configure the FileVault on Mac devices using the Intune settings catalog. In the Intune admin center, go to Devices > macOS > Configuration. Under Policies, select Create > New Policy. Choose the profile type as Settings Catalog and select Create.

Create settings catalog policy for FileVault in Intune

Specify the profile name as Configure FileVault for macOS and add a brief description of the policy. Click Next.

Create settings catalog policy for FileVault in Intune

On the Configuration settings page, select Add settings to open the settings picker. The FileVault settings are located under the Full Disk Encryption category and are divided into three groups:

  • FileVault
  • FileVault Options
  • FileVault Recovery Key Escrow
Configure FileVault Disk Encryption Settings for Mac

Click on each of the above categories and choose the FileVault settings that you want to configure. Close the Settings Picker.

Configure FileVault Disk Encryption Settings for Mac

To enable FileVault, select and configure the following settings from the Full Disk Encryption category:

  • FileVault > Enable: Set to On.
  • FileVault > Defer: Set to True. Enabling FileVault requires the user's login password, which Intune never has, so enabling is always deferred to the user's next sign-in or sign-out (the same behaviour as Allow deferral until sign out in the endpoint security profile). Without it the profile installs but nothing is enforced.
  • FileVault > Use Recovery Key: Set to True so a personal recovery key is generated; set Show Recovery Key to False if the key should not be displayed on the user's screen.
  • FileVault Recovery Key Escrow > Location: Specify a description of where the recovery key is escrowed. This text is required for the escrow payload and is shown to users in the recovery prompt.
  • FileVault Options > Prevent FileVault from being disabled: Set to True so users cannot turn FileVault off from System Settings.

Once you have configured the settings, click Next.
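The settings catalog names map onto the keys of Apple's FileVault configuration profile payloads: com.apple.MCX.FileVault2 for the FileVault group, com.apple.security.FDERecoveryKeyEscrow for the escrow group, and com.apple.MCX for the FileVault Options group. Because all three methods above end up as such a profile on the Mac, one audit serves them all. The following POSIX shell script is an added example, not code from this post or from Microsoft: it extracts a named key from a given payload in a plist and checks the values against the settings above. The sample profile it writes is constructed here for illustration only; on a managed Mac you would feed it the output of sudo profiles -P -o stdout-xml instead. The function names and the ok/FAIL output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from Microsoft: audit the FileVault payloads in a
# plist, either an authored .mobileconfig or the output of `sudo profiles -P -o stdout-xml`.
# Function names and the ok/FAIL output format are this example's own conventions.

# Print the value of <key>$3</key> inside the payload dict whose PayloadType is $2.
# Booleans print as true/false; <string>/<integer> values print without their tags.
# Exits 1 when the payload or the key is absent.
payload_value() {
  awk -v pt="<string>$2</string>" -v k="<key>$3</key>" '
    { line[NR] = $0 }
    END {
      for (i = 2; i <= NR; i++)
        if (index(line[i], pt) && index(line[i-1], "<key>PayloadType</key>")) { hit = i; break }
      if (!hit) exit 1
      # Walk back to the <dict> that opens this payload and forward to its </dict>,
      # counting nested dicts so a nested PayloadContent dict stays inside the range.
      d = 0
      for (s = hit; s >= 1; s--) {
        if (index(line[s], "</dict>")) d++
        else if (index(line[s], "<dict>")) { if (d == 0) break; d-- }
      }
      d = 0
      for (e = hit; e <= NR; e++) {
        if (index(line[e], "<dict>")) d++
        else if (index(line[e], "</dict>")) { if (d == 0) break; d-- }
      }
      for (i = s; i <= e; i++)
        if (index(line[i], k)) {          # the value element is on the next line
          v = line[i+1]; gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (v == "<true/>") print "true"
          else if (v == "<false/>") print "false"
          else { sub(/^<[a-z]+>/, "", v); sub(/<\/[a-z]+>$/, "", v); print v }
          exit 0
        }
      exit 1
    }' "$1"
}

# Check the values configured in the post; returns 0 only when every check passes.
audit_filevault_profile() {
  fv_file=$1; fv_rc=0
  for spec in \
      "com.apple.MCX.FileVault2 Enable On" \
      "com.apple.MCX.FileVault2 Defer true" \
      "com.apple.MCX.FileVault2 UseRecoveryKey true" \
      "com.apple.MCX.FileVault2 ShowRecoveryKey false" \
      "com.apple.MCX dontAllowFDEDisable true"; do
    set -- $spec   # payload type, key, expected value (none contain spaces)
    got=$(payload_value "$fv_file" "$1" "$2") || got="(missing)"
    if [ "$got" = "$3" ]; then
      printf 'ok    %s %s=%s\n' "$1" "$2" "$got"
    else
      printf 'FAIL  %s %s=%s (want %s)\n' "$1" "$2" "$got" "$3"; fv_rc=1
    fi
  done
  # The escrow description is free text, so only check that it is present.
  loc=$(payload_value "$fv_file" com.apple.security.FDERecoveryKeyEscrow Location) || loc=""
  if [ -n "$loc" ]; then
    printf 'ok    FDERecoveryKeyEscrow Location="%s"\n' "$loc"
  else
    printf 'FAIL  FDERecoveryKeyEscrow Location missing\n'; fv_rc=1
  fi
  return $fv_rc
}

# Constructed sample equivalent to the settings above (illustration only, not a
# profile generated by Intune). One element per line, as plist tools emit it.
write_sample_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.MCX.FileVault2</string>
      <key>Enable</key>
      <string>On</string>
      <key>Defer</key>
      <true/>
      <key>UseRecoveryKey</key>
      <true/>
      <key>ShowRecoveryKey</key>
      <false/>
      <key>DeferForceAtUserLoginMaxBypassAttempts</key>
      <integer>3</integer>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>Location</key>
      <string>Your recovery key is escrowed in Intune. Contact the IT help desk to retrieve it.</string>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.MCX</string>
      <key>dontAllowFDEDisable</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Usage on a managed Mac:  sudo profiles -P -o stdout-xml > /tmp/profiles.xml; sh fv_audit.sh /tmp/profiles.xml
# With no argument the script audits the constructed sample instead.
if [ "$#" -gt 0 ]; then
  audit_filevault_profile "$1"
else
  fv_tmp=$(mktemp)
  write_sample_profile "$fv_tmp"
  audit_filevault_profile "$fv_tmp"
  rm -f "$fv_tmp"
fi
```

Scoping the lookup to the payload whose PayloadType matches is what makes the check trustworthy: a key such as Enable also appears in unrelated payloads, and a bare grep over the whole profile dump would happily report a value from the wrong one. A FAIL on Defer or on the escrow Location is the usual reason a profile installs cleanly but no encryption or no escrowed key ever shows up in the admin center.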

Enable FileVault on Mac using Intune Settings Catalog

On the Assignments page, select the groups that will receive this profile. Select Next.

Create settings catalog policy for FileVault in Intune

On the Review + create page, review all the settings that you have configured, select Create.

Create settings catalog policy for FileVault in Intune

Sync Intune Policies on Mac devices

After assigning the FileVault policy, you can speed up delivery by forcing a check-in: select the device in the admin center and choose Sync, or have the user sync from the Company Portal app. When Intune first enables FileVault on a Mac, a personal recovery key is generated and escrowed to Intune. Unless you set Hide recovery key, the device shows that key to the user exactly once; either way, admins can view it from the device's Recovery keys page in the admin center, and users can retrieve it from the Company Portal.

Monitor macOS FileVault disk encryption policy

No matter what method you choose to enable FileVault on macOS using Intune, you can select the policy, and check the Overview page that shows the macOS devices that are successfully encrypted.

In the screenshot below, you can see that my Mac device has successfully received the FileVault policy settings from Intune. In case your Mac device reports error code -2016341107 / 0x87d1138d, it means the end user has not accepted the FileVault prompt to begin encryption.

Monitor macOS FileVault disk encryption policy

End-User Experience

Once the policy is assigned, the Mac receives it at its next check-in. Users may need to sign out and back in, or restart, before the prompt appears. It reads “Your administrator requires that you enable FileVault”. To proceed, click Enable Now.

Enabling FileVault on Mac

A message then confirms that FileVault is being enabled. The volume is protected by the user's login password and the recovery key. On Macs with Apple silicon or the T2 chip the data is already encrypted at rest, so enabling FileVault completes almost immediately; on older Intel Macs the initial encryption runs in the background and can take longer, and the Mac stays usable in the meantime.

Verify FileVault disk encryption for macOS using Intune

Verify FileVault Disk Encryption on Mac

In this final step, I will demonstrate how to confirm if FileVault is successfully enabled on your macOS device. You can manually verify this by logging in to your Mac device.

Open System Settings by clicking the Apple icon in the upper-left corner. On the left pane, select the option Privacy & Security. On the right side, scroll down and look for FileVault. If the FileVault displays as On, it means that your Mac disk encryption is successful with FileVault.
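To check the same thing from the command line, or to report it back to Intune through a macOS custom attribute script (which must print a single line to stdout), the following POSIX shell script is an added example and not code from this post: it classifies the output of fdesetup status, which tells apart a Mac that is encrypted from one where enablement is deferred and still waiting for the user to accept the prompt, the state behind the pending error mentioned in the monitoring section. The sample fdesetup output used in the demo is constructed here; the function names and the exit-code convention are this example's assumptions. Note that fdesetup cannot tell you whether the key was escrowed to Intune; the device's Recovery keys page in the admin center is the source of truth for that.

```shell
#!/bin/sh
# Added example (not from the post): report FileVault state on a Mac, for instance as
# an Intune macOS custom attribute script, which must print exactly one line.
# Function names and the exit-code convention below are this example's own.

# Map the text printed by `fdesetup status` to one word. Deferred enablement is
# checked first because fdesetup prints it together with "FileVault is Off."
# while the user has not yet accepted the prompt.
classify_fv_status() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo deferred ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Build the single line reported to Intune: state plus whether a personal
# recovery key exists on the device. The key itself is never printed.
compose_attribute() {
  printf 'FileVault=%s PersonalRecoveryKey=%s\n' "$1" "$2"
}

# Exit-code convention (this example's assumption, not an Intune rule):
# 0 = on, 1 = deferred (waiting for the user), 2 = off, 3 = unknown.
status_exit_code() {
  case "$1" in on) echo 0 ;; deferred) echo 1 ;; off) echo 2 ;; *) echo 3 ;; esac
}

# Live path: query fdesetup, print the attribute line, return the status code.
# `fdesetup haspersonalrecoverykey` needs root, so report unknown without sudo.
report_filevault() {
  fv_state=$(classify_fv_status "$(fdesetup status 2>&1)")
  fv_prk=$(fdesetup haspersonalrecoverykey 2>/dev/null) || fv_prk=unknown
  compose_attribute "$fv_state" "$fv_prk"
  return "$(status_exit_code "$fv_state")"
}

# Constructed sample of fdesetup output on a Mac still waiting for the user
# (not a real capture), used when the script runs somewhere without fdesetup.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

if command -v fdesetup >/dev/null 2>&1; then
  report_filevault    # as a standalone script you would `exit $?` here
else
  compose_attribute "$(classify_fv_status "$SAMPLE_DEFERRED")" unknown
fi
```

A device that reports deferred is the one to chase: the profile arrived and Intune is waiting on the user, so re-pushing the policy changes nothing, whereas off with no deferral means the FileVault profile never reached the Mac at all.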

Verify FileVault disk encryption for macOS using Intune


Prajwal Desai

Prajwal Desai is a highly accomplished technology expert and an 11-time Dual Microsoft MVP (Most Valuable Professional), specializing in Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. As a renowned author, speaker, and community leader, he is widely recognized for sharing his in-depth expertise and insights through his blog, YouTube channel, conferences, webinars, and other platforms.