In this guide, you’ll learn how to use FileVault disk encryption for macOS with Intune. We’ll explore the different methods with which you can encrypt Mac devices with FileVault and manage recovery keys from the Intune admin center.
Just as Windows has BitLocker, macOS ships with a disk encryption feature called FileVault. FileVault provides built-in full disk encryption for macOS devices. Enabling FileVault on a Mac adds a further layer of protection by preventing unauthorized users from decrypting or accessing your files without your login password. You can also enable the macOS Firewall with Intune to further harden your devices.
If your organization has enrolled Mac devices in Intune, it is recommended that you use an Intune policy to configure and manage FileVault on macOS instead of leaving it to users. With Intune, you can deploy policies that enable FileVault disk encryption and then manage the recovery keys on devices running macOS 10.13 or later.
Prerequisites
- To encrypt Mac devices with FileVault via Intune, the devices must be running macOS 10.13 or later. The devices must be online to receive the policies from Intune.
- Intune cannot manage FileVault disk encryption on a macOS device that is already encrypted by a device user unless you apply the FileVault policy through Intune.
Update: After updating your Mac to Sonoma version 14.6, you’ll see a FileVault Disk Encryption window before you sign in. If you’ve already enabled FileVault encryption, you’ll now see this window.
Role-based access controls to manage FileVault
To manage FileVault in Intune, your account must be assigned an Intune role-based access control (RBAC) role that includes the Remote tasks permission with the Rotate FileVault key set to Yes.
You can add this permission to your own custom RBAC roles or use one of the following built-in RBAC roles that include these rights:
- Help Desk Operator
- Endpoint Security Administrator
The Global Administrator account has full permissions to configure FileVault in Intune. To manage BitLocker for Windows 10/11, see Manage BitLocker policy.
Ways to enforce FileVault via Intune
With Microsoft Intune, you can use one of the following policy types to configure FileVault on your managed Mac devices:
- Device configuration policy (Endpoint protection template)
- Endpoint security policy (Disk encryption)
- Settings catalog policy
If you’re wondering which method should be used for configuring FileVault disk encryption for macOS with Intune, the answer is Settings Catalog. The benefit of using the settings catalog policy is that it includes some FileVault settings that aren’t available in the endpoint security and endpoint protection templates. This tutorial covers all of the methods listed above for enabling FileVault with Intune. You can choose the method that best suits your organization.
Create Device Configuration Policy for macOS FileVault
Perform the following steps to create a new configuration policy for macOS devices to enable FileVault:
- Sign in to the Microsoft Intune admin center.
- Go to Devices > macOS > Configuration.
- On the Policies tab, select Create.
- On the Create a profile page, set the following options, and then select Create:
- Platform: macOS
- Profile type: Templates
- Template name: Endpoint protection
On the Basics page, enter the following:
- Name: Enter a descriptive name for the policy. For example, FileVault for Mac Configuration Policy
- Description: Enter a description for the policy. This setting is optional, but recommended.
Click Next to continue.
On the Configuration Settings page, configure the following settings:
- Enable FileVault: Select Yes to turn on FileVault.
- Escrow location description of personal recovery key: You can remind users how they can retrieve their stored personal recovery key. The message that you enter here will be visible to users when they try to sign in to their device with the recovery key option on the lock screen, or when they attempt to manually disable and re-enable FileVault.
- Personal recovery key rotation: Specify how frequently in months the personal recovery key for this device will rotate. For example, you can set this duration to 6 months.
Scroll down to configure the additional FileVault options:
- Hide recovery key: Select Yes to hide the personal recovery key so that it does not appear on the user’s screen during FileVault encryption, reducing the risk of it ending up in the wrong hands.
- Disable prompt at sign out: Select Yes to disable the prompt for the user to enable FileVault when they sign out.
- Number of times allowed to bypass: Set the number of times the user can ignore prompts to enable FileVault before FileVault will be required for the user to sign in. In this example, we have set the value to 3.
Click Next.
On the Assignments page, select macOS groups to receive this profile. Click Next.
On the Review + create page, when you’re done, choose Create. The FileVault profile is displayed in the list of Configuration Profiles for macOS devices.
Create Endpoint Security Policy for macOS FileVault
You can configure FileVault disk encryption for macOS using an endpoint security policy in Intune.
- Sign in to the Microsoft Intune admin center.
- Select Endpoint security > Disk encryption > Create Policy.
- On the Basics page, enter the following properties, and then choose Next.
- Platform: macOS
- Profile: FileVault
On the Basics page, enter the following:
- Name: Enter a descriptive name for the policy. For example, macOS FileVault Endpoint Security Policy
- Description: Enter a description for the policy. This setting is optional, but recommended.
Click Next to continue.
On the Configuration settings page, configure the following:
- Set Enable FileVault to Yes.
- For Recovery key type, choose Personal Recovery Key.
- Set Personal recovery key rotation to 6 months or your own value.
- Escrow location description of personal recovery key: You can remind users how they can retrieve their stored personal recovery key.
- Disable prompt at sign out: Select Yes to disable the prompt for the user to enable FileVault when they sign out.
- Allow deferral until sign out: The default setting for this is Yes.
- Hide recovery key: Select Yes to hide the personal recovery key so that it does not appear on the user’s screen during FileVault encryption, reducing the risk of it ending up in the wrong hands.
Click Next to continue.
Assign the FileVault endpoint security policy to macOS groups. Click Next.
On the Review + Create page, click Create to deploy the macOS FileVault disk encryption policy in Intune.
Create Settings Catalog Policy for FileVault in Intune
Let’s configure FileVault on Mac devices using the Intune settings catalog.
In the Intune admin center, go to Devices > macOS > Configuration. Under Policies, select Create > New Policy. Choose the profile type as Settings Catalog and select Create.
Specify the profile name as Configure FileVault for macOS and add a brief description of the policy. Click Next.
On the Configuration settings page, select Add settings to open the settings picker. The FileVault settings are located under the Full Disk Encryption category. The settings are divided into the following groups:
- FileVault
- FileVault Options
- FileVault Recovery Key Escrow
Click on each of the above categories and choose the FileVault settings that you want to configure. Close the Settings Picker.
To enable FileVault, select and configure the following settings from the Full Disk Encryption category:
- FileVault > Enable: Set to On
- FileVault Recovery Key Escrow > Location: Specify a description of the location where the recovery key is escrowed.
- Prevent FileVault from being disabled: Set to True.
Once you have configured the settings, click Next.
On the Assignments page, select the groups that will receive this profile. Select Next.
On the Review + create page, review all the settings that you have configured, then select Create.
Monitor macOS FileVault disk encryption in Intune
After assigning the FileVault encryption policies for Mac devices with Intune, you can monitor the devices that are encrypted. To speed up the policy assignments, you can manually sync your Mac devices with Intune. When Intune first encrypts a macOS device with FileVault, a personal recovery key is created. Upon encryption, the device displays the personal key a single time to the device user.
No matter what method you choose to enable FileVault for Mac in Intune, you can select the policy and the Overview page always shows the macOS devices that are successfully encrypted.
In the screenshot below, you can see that our Mac devices have successfully received the FileVault policy from Intune. In case your Mac device reports error code -2016341107 / 0x87d1138d, it means the end user has not accepted the FileVault prompt to begin encryption.
Verify FileVault Disk Encryption on Mac
Lastly, this step shows how to determine whether FileVault is enabled on your macOS device. You can verify this manually by logging in to your Mac. Click the Apple icon in the upper-left corner and choose System Settings. In the left pane, select Privacy & Security. On the right side, scroll down and look for FileVault. If FileVault is shown as On, the Intune policy has activated it.
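As an added example that is not part of the original article, the same check can be scripted for inventory or compliance reporting instead of clicking through System Settings. It relies on Apple's built-in `fdesetup` tool (`fdesetup status` and `fdesetup haspersonalrecoverykey`), which exists only on macOS; the sample outputs in the script are constructed so the parsing logic can be exercised on any POSIX shell, and the live check runs only when `fdesetup` is actually present.

```shell
#!/bin/sh
# Added example, not from the original article or from Microsoft/Apple.
# Parses the output of `fdesetup status` to decide whether FileVault is On.

# Read fdesetup output from stdin and print one of: On, Off, Unknown.
# Substring matching keeps this robust to extra lines (e.g. progress info).
filevault_state() {
    case "$(cat)" in
        *"FileVault is On."*)  printf 'On\n' ;;
        *"FileVault is Off."*) printf 'Off\n' ;;
        *)                     printf 'Unknown\n' ;;
    esac
}

# Exit status 0 only when FileVault is On; usable as a compliance gate.
filevault_required() {
    [ "$(filevault_state)" = "On" ]
}

# Constructed samples mirroring the two states fdesetup reports.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'

# Live check, only on a real Mac where fdesetup exists.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(fdesetup status | filevault_state)
    printf 'FileVault state: %s\n' "$state"
    # Confirms a personal recovery key exists for the Intune escrow described above.
    printf 'Personal recovery key present: %s\n' "$(fdesetup haspersonalrecoverykey)"
else
    # Offline demonstration against the constructed samples.
    printf 'Sample 1 -> %s\n' "$(printf '%s\n' "$SAMPLE_ON"  | filevault_state)"
    printf 'Sample 2 -> %s\n' "$(printf '%s\n' "$SAMPLE_OFF" | filevault_state)"
fi
```

The `Unknown` fallback matters in practice: a script that treats any non-matching output as "encrypted" would silently pass a device whose `fdesetup` call failed, so report it separately rather than collapsing it into either state.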
In our next guide, we will show you how you can manage recovery keys from the Intune admin center. We will also demonstrate how to rotate the recovery keys on Mac and ways to recover the keys. If you have any questions, please let us know in the comments section below.