Enable FileVault through Scripting ?!!

massoo · Aug 2, 2023

Hello,

We are trying to make sure that every MAC that we have is encrypted, however we dont have any commercial MDM solution. We have a bunch of devices registered in Apple Business Manager (ABM).

I would like to understand is there any way either through scripting / mobileconfig / etc. to do:

1. Enforce Full Disk Encryption with File Vault for all users using PRK (Personal Recovery Keys)
2. Upload PRK's to a folder in Google Drive for safe-keeping (I already do this for my Windows Devices) or recovery codes

bogdanw · Aug 2, 2023

Apple:
"FDEFileVault- The payload for configuring FileVault."
https://developer.apple.com/documentation/devicemanagement/fdefilevault
"FileVault MDM payload settings for Apple devices"
https://support.apple.com/guide/deployment/dep32bf53500/web

iMazing Profile Editor https://apps.apple.com/app/imazing-profile-editor/id1487860882
ProfileCreator https://github.com/ProfileCreator/ProfileCreator

massoo · Aug 3, 2023

Can these payloads be imported without MDM ?

bogdanw · Aug 3, 2023

Yes.
If you use iMazing, you will notice that values that require MDM enrollment are marked with “Supervised only”. In Apple’s documentation they appear with “Requires a supervised device.”
The FileVault 2 payload doesn’t have such values.

adrianlondon · Aug 3, 2023

Should be scriptable.

See if fdesetup does what you need. ($ man fdesetup)

massoo · Aug 3, 2023

Thank you for the replies, I tried to create and import but did not work ... does anyone has a working sample that can be imported through script or terminal ?

Search

Search

Enable FileVault through Scripting ?!!

massoo

macrumors newbie

bogdanw

macrumors 604

massoo

macrumors newbie

bogdanw

macrumors 604

adrianlondon

macrumors 603

massoo

macrumors newbie

Our Staff