Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I’ve had in my own lab. Always approach information you find outside (or inside for that matter) official documentation with skepticism and follow the golden rule: Never test in production.
This post is going to be fairly straightforward as I just wanted to document the full process so my customers can see it from both sides. Please refer to Intune for MacOS and How It’s Different for more information on how FileVault in Intune is managed. Do note that these screenshots may be outdated and are subject to change due to the nature of Microsoft’s ever-changing interface.
1. Create a new Configuration Profile for macOS and set Enable FileVault to Yes. Configure your organization’s security requirements and assign it to the appropriate groups. It is also worth noting that this profile will report as a failure until the user restarts and the disk is actually encrypted.
2. Once deployed, FileVault will begin to encrypt after the next restart. The user will be prompted to enter their password to enable it and will be presented with their device’s recovery key. If this is a User Enrolled (non-ADE) device, the user will need to write this key down in order to tell Intune what it is. If the device is automatically enrolled you can skip to step #8, as the key will be uploaded to Intune automatically. They will not see this key again unless the disk is decrypted and FileVault is re-enabled.
3. Direct the user to navigate to https://portal.manage.microsoft.com, click the hamburger menu in the upper left corner, and click Devices.
4. Click on the FileVault encrypted device.
5. Scroll down to the bottom and click Store Recovery Key.
6. Enter the FileVault key provided during encryption and click Save.
7. It will take a few moments for the key update to process. When finished, the status will change to Complete.
8. The user will then be able to acquire the key from the same portal by clicking Get Recovery Key.
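Two things tend to go wrong in the user-enrolled flow above: the key gets mistyped when it is written down, and the profile is reported as failed simply because the disk has not finished encrypting yet. The script below is an added example (my own helper, not anything shipped by Microsoft or Apple) a helpdesk can run to catch both. It assumes the personal recovery key is six hyphen-separated groups of four characters, and that `fdesetup status` prints "FileVault is On." or "FileVault is Off." plus an "Encryption in progress" line while encrypting; the sample status text is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions are marked below.

# Returns 0 when the key the user wrote down has the expected shape
# (assumed format: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX, letters and digits),
# so a transcription error is caught before it is saved to Intune.
validate_prk_format() {
  key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
  case "$key" in
    *[!A-Z0-9-]*) return 1 ;;   # any other character is a typo
  esac
  printf '%s' "$key" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Classifies `fdesetup status` text (passed in, so it can be tested on any
# OS) as "encrypted", "encrypting", "off" or "unknown". "encrypting" is the
# state where the Intune profile still reports a failure, per step 1.
classify_fv_status() {
  status_text="$1"
  if printf '%s' "$status_text" | grep -q 'Encryption in progress'; then
    echo encrypting
  elif printf '%s' "$status_text" | grep -q 'FileVault is On'; then
    echo encrypted
  elif printf '%s' "$status_text" | grep -q 'FileVault is Off'; then
    echo off
  else
    echo unknown
  fi
}

# Live check when run on a Mac; elsewhere the functions are just defined.
if command -v fdesetup >/dev/null 2>&1; then
  classify_fv_status "$(fdesetup status)"
fi
```

Run `validate_prk_format "<key the user wrote down>"` before they paste it into Store Recovery Key; a non-zero exit means re-check the transcription rather than saving a key that can never unlock the disk.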
If the device is marked as Personally Owned in Intune, we will not be able to see the key from the Endpoint Portal.
If the device is marked as Company Owned, we will be able to see the Recovery Key.