This document will outline how to enable FileVault2 on MacOS Systems that are managed by JAMF Pro.

Requirement: Machine must be bound to Active Directory with "Create mobile account at login" option selected.

Create a Smart/Static Computer Group (optional)

1.  Chose Smart/Static Computer Group and name.


2.  Assign devices or create smart criteria.


Create a Policy to configure client computers.

1.  Under General settings, name policy and configure trigger(s) you wish to use. (You may wish to use Self Service as another alternative)

2.  Configure Disk Encryption options.

Note:  Select "Public - Disk Encryption Configuration" for the Disk Encryption Configuration drop down box.  You do not need to create a new Disk Encryption Configuration.

Use Public Disk Encryption Configuration

3.  Configure Scope for policy. Use either individual computers or one of the groups created in step 2 above.

Key creation and passcode.

1.  Depending on the state of the hidden Recovery partition on the Mac the machine may reboot one or more times during the preparation for FileVault2.

2.  The user will get notification that the drive is to be encrypted.


3.  The user may cancel the request but will get prompted again. Once they choose to enable encryption the process will begin.


4.  Depending on the size of the drive, amount of data, and speed of the machine it may take several hours for the encryption process to take place. The user should be able to use the machine in normal fashion during the process with little notice of impact.

5.  Once the machine has been encrypted the user will need to put in a password to decrypt the machine in order to use it.


6.  If the decryption password is not typed within 15 minutes the computer will power itself off.

Special Notes:

During encryption the Macintosh will no longer check into the JSS for policies. Once the user decrypts the machine check-in and policies will resume as normal.
Initially only the user configured to encrypt the machine will be able to decrypt it. An additional policy can be created to add users to a FileVault2 enabled computer.

Computers which have FileVault2 configured through JAMF Pro will have the recovery key stored within the JSS. Site Admins can access this key to decrypt a locked machine

Article number: 
Last updated: 
January 29, 2019