Endpoint Services, Jamf Pro, FileVault Disk Encryption
Systems
Jamf Pro
Affected Customers
University of Illinois IT Pros leveraging Technology Services Endpoint Services Jamf Pro
Actions
- FileVault Disk Encryption
- Understanding Secure Tokens and Bootstrap Tokens
- macOS Login Screens
- Retrieving FileVault Recovery Key in Jamf Pro
- Decrypt Disk Using Recovery Key (Apple Silicon)
- Reset User Password Using Recovery Key (Apple Silicon)
- Decrypt Disk Using Recovery Key (Intel)
- Reset User Password Using Recovery Key (Intel)
- Identifying FileVault Enabled Users
FileVault Disk Encryption
Computers enrolled in Jamf Pro have a global configuration profile applied that enforces FileVault, Apple's built-in disk encryption for macOS, which protects data on a Mac by encrypting the entire startup disk. When FileVault is enabled, all data on the disk is encrypted with AES-XTS and cannot be read without the credentials of a FileVault enabled user or the Recovery Key. Jamf Pro escrows each Mac's unique Personal Recovery Key so that IT professionals can retrieve it for authorized decryption or account recovery tasks.
Understanding Secure Tokens and Bootstrap Tokens
Proper management of Secure Tokens and Bootstrap Tokens is essential for successfully enabling FileVault on macOS devices through Jamf Pro. These tokens govern which users can enable FileVault and access encrypted disks.
What Is a Secure Token?
Secure Tokens are cryptographic markers granted to macOS user accounts that allow them to:
- Enable FileVault full-disk encryption
- Unlock FileVault-protected volumes at startup
- Grant Secure Tokens to other users (with administrative rights)
Introduced in macOS 10.13 (High Sierra), Secure Tokens ensure that only authorized users can manage encryption on a Mac.
What Is a Bootstrap Token?
Introduced in macOS 10.15 (Catalina), Bootstrap Tokens are an MDM-only feature that allows macOS to:
- Automatically grant Secure Tokens to additional user accounts
- Authorize certain actions (such as enabling FileVault or installing software updates) without needing an existing Secure Token holder
Note: Computers must be enrolled via Automated Device Enrollment (ADE) and supervised to support Bootstrap Tokens.
How do Secure Tokens and Bootstrap Tokens Work?
Typically, the first Secure Token is granted to the first user account that logs in at the login window, or to the first user account created in Setup Assistant rather than by MDM (the usual case for personal computers). When the first Secure Token is granted, macOS generates a Bootstrap Token and asks the Jamf Pro server to escrow it. Once the Bootstrap Token is escrowed in Jamf Pro, macOS can use it to authorize most actions on the system that require a Secure Token, including granting a Secure Token to other users when they log in. This happens behind the scenes: macOS silently requests the Bootstrap Token from Jamf Pro whenever it is needed.
Other Considerations for Secure Tokens and Bootstrap Tokens
- For shared Macs with Apple Silicon: because managing software updates through MDM requires a Bootstrap Token, log in as a user at least once before distributing the Mac to end users. That way, a Bootstrap Token is created and escrowed before the first end user logs in.
- Any scripts or tools that create or modify local users, or change when and how user passwords are set, can affect whether the first Secure Token is granted to the intended user and whether a Bootstrap Token is created for the Mac.
- If you are creating users programmatically, the profiles command-line tool can be used to generate or remove a Bootstrap Token.
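The token relationships described above can be verified from the command line on the Mac itself. The script below is an added example, not from the original page or from Jamf or Apple: it reports which local accounts hold a Secure Token, whether a Bootstrap Token is supported and escrowed for this Mac, and whether FileVault is on. It assumes macOS 10.15 or later and the current output wording of sysadminctl -secureTokenStatus and profiles status -type bootstraptoken; the parse_* helper names are this example's own, and the sample strings they are shown with are constructed.

```shell
#!/bin/sh
# Added example (not part of the Jamf Pro documentation): audit Secure Token and
# Bootstrap Token state on a Mac. The parse_* helpers are pure string functions
# so they can be exercised with constructed sample output on any system; the
# live queries only run on macOS as root.
# Assumption: output wording of sysadminctl / profiles as on current macOS.

# Reduce "Secure token is ENABLED for user admin" (sysadminctl) to one word.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Reduce the two lines printed by `profiles status -type bootstraptoken`
# ("... supported on server: YES" / "... escrowed to server: NO") to one line.
parse_bootstrap_status() {
    supported=$(printf '%s\n' "$1" | sed -n 's/.*supported on server: *\([A-Za-z]*\).*/\1/p')
    escrowed=$(printf '%s\n' "$1" | sed -n 's/.*escrowed to server: *\([A-Za-z]*\).*/\1/p')
    echo "supported=${supported:-UNKNOWN} escrowed=${escrowed:-UNKNOWN}"
}

# Live queries. sysadminctl writes its status line to stderr, hence 2>&1.
secure_token_state() {   # $1 = short username
    parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}
bootstrap_token_state() {
    parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)"
}

# Local (non-system) accounts have a UniqueID of 500 or above.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

audit() {
    echo "Secure Token holders:"
    for u in $(local_users); do
        printf '  %-20s %s\n' "$u" "$(secure_token_state "$u")"
    done
    echo "Bootstrap Token: $(bootstrap_token_state)"
    echo "FileVault: $(fdesetup status)"
}

# Only run the live audit on a Mac as root (profiles status needs root).
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    audit
fi
```

Run it with sudo on the Mac. A Mac that shows supported=YES escrowed=NO has never had a Secure Token holder log in since enrollment; logging in as an administrator who holds a Secure Token, or running sudo profiles install -type bootstraptoken (which prompts for that administrator's credentials), creates and escrows the token. sudo profiles remove -type bootstraptoken removes it again.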
macOS Login Screens
macOS presents several login-related screens that may appear visually similar. However, each screen serves a distinct purpose and behaves differently, particularly in FileVault-enabled environments. Recognizing their differences is critical for troubleshooting encryption and login issues and understanding the expected user experience. Additional information on macOS login screens can be found in Endpoint Services, Jamf Pro, macOS Login Screens.
Retrieving FileVault Recovery Key in Jamf Pro
To unlock a FileVault-encrypted Mac when the user password is unavailable, retrieve the personal Recovery Key from the Jamf Pro console:
- Log in to the Jamf Pro server.
- Navigate to the computer record of the computer whose Recovery Key you wish to retrieve in Computers → Search Inventory.
- Within the computer record, on the Inventory tab, select Disk Encryption in the menu.
- Locate the Personal Recovery Key field and click the Show Key button.
- The Show Key button is replaced with the computer's Recovery Key.
- Copy and paste the Personal Recovery Key into a text editor to make it easier to distinguish the letter O from the digit zero.
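The console steps above can also be scripted against the Jamf Pro API, which is useful when the key has to be handed to a technician without retyping it. The script below is an added example, not from the original page or from Jamf: it looks up a computer by name, reads its escrowed Personal Recovery Key, normalizes the key into the XXXX-XXXX-XXXX-XXXX-XXXX-XXXX form the FileVault screens expect, validates that form, and flags the easily confused characters the note above warns about. It assumes curl and jq are installed; that JAMF_URL, JAMF_USER and JAMF_PASS are exported; that the account holds the View Disk Encryption Recovery Key privilege; and that the /api/v1/auth/token, /api/v1/computers-inventory and /api/v1/computers-inventory/{id}/filevault endpoints and the personalRecoveryKey field match your server, which you should confirm against its API documentation at /api/doc. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Jamf Pro documentation: fetch a Mac's Personal
# Recovery Key (PRK) through the Jamf Pro API and normalize it before use.
# Assumptions: curl and jq installed; JAMF_URL (e.g. https://jss.example.edu:8443),
# JAMF_USER and JAMF_PASS exported; the account has the "View Disk Encryption
# Recovery Key" privilege; endpoint paths and the personalRecoveryKey field
# verified against $JAMF_URL/api/doc for your Jamf Pro version.

# Strip whitespace and hyphens, upper-case, and regroup into six groups of four,
# the form in which the console displays a PRK and in which it is typed back in.
normalize_prk() {
    printf '%s\n' "$1" | tr -d ' \t\n-' | tr '[:lower:]' '[:upper:]' \
        | sed 's/\(....\)/\1-/g; s/-$//'
}

# A PRK is 24 characters from A-Z and 0-9 in six hyphenated groups of four.
validate_prk() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Characters that are easy to confuse when a key is read aloud or retyped
# (letter O vs digit 0, letter I vs digit 1), sorted and deduplicated.
ambiguous_chars() {
    printf '%s\n' "$1" | tr -cd 'O0I1' | fold -w 1 | sort -u | tr -d '\n'
}

# Bearer token via Basic auth. On a shared host prefer curl --netrc over -u,
# because -u exposes the password in the process list.
jamf_token() {
    curl -fsS -X POST -u "$JAMF_USER:$JAMF_PASS" "$JAMF_URL/api/v1/auth/token" | jq -r '.token'
}

# Resolve a computer name to its Jamf Pro computer ID with an RSQL filter.
jamf_computer_id() {   # $1 = token, $2 = computer name
    curl -fsS -G -H "Authorization: Bearer $1" \
        --data-urlencode 'section=GENERAL' \
        --data-urlencode "filter=general.name==\"$2\"" \
        "$JAMF_URL/api/v1/computers-inventory" | jq -r '.results[0].id // empty'
}

# Read the escrowed PRK: the same key the console's Show Key button reveals.
jamf_prk() {           # $1 = token, $2 = computer id
    curl -fsS -H "Authorization: Bearer $1" \
        "$JAMF_URL/api/v1/computers-inventory/$2/filevault" | jq -r '.personalRecoveryKey // empty'
}

jamf_invalidate() {    # $1 = token; do not leave a live token behind
    curl -fsS -X POST -H "Authorization: Bearer $1" "$JAMF_URL/api/v1/auth/invalidate-token" >/dev/null
}

# Print the normalized key for the named computer, or fail with a reason on stderr.
fetch_prk() {          # $1 = computer name
    tok=$(jamf_token) || return 1
    id=$(jamf_computer_id "$tok" "$1")
    [ -n "$id" ] || { echo "no computer named '$1'" >&2; jamf_invalidate "$tok"; return 1; }
    key=$(jamf_prk "$tok" "$id")
    jamf_invalidate "$tok"
    [ -n "$key" ] || { echo "no escrowed key for $1" >&2; return 1; }
    key=$(normalize_prk "$key")
    validate_prk "$key" || { echo "unexpected key format: $key" >&2; return 1; }
    amb=$(ambiguous_chars "$key")
    [ -z "$amb" ] || echo "note: key contains easily confused characters: $amb" >&2
    echo "$key"
}

[ "$#" -eq 0 ] || fetch_prk "$1"
```

The key is written only to stdout, so pipe it to the clipboard (for example ./prk.sh "Lab-Mac-01" | pbcopy on a Mac) rather than leaving it in terminal scrollback, and treat it like the password it replaces: anyone holding it can unlock the disk and reset any local account.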
Decrypt Disk Using Recovery Key (Apple Silicon)
In the event that an IT professional needs to unlock a Mac's disk, they can use the FileVault Recovery Key escrowed in Jamf Pro to unlock the disk on Apple silicon Macs running macOS 12.0.1 or later:
- Log in to the Jamf Pro server.
- Retrieve the Mac's FileVault Recovery Key.
- Power on the Mac whose disk you wish to unlock.
- On the FileVault unlock screen, enter the username of a FileVault enabled user.
- Press the Option + Shift + Enter keys simultaneously.
- Enter the FileVault Recovery Key retrieved from the Jamf Pro console. Hyphens are applied automatically.
- The Mac's disk should unlock and the user login window should display.
Reset User Password Using Recovery Key (Apple Silicon)
In the event that a user has forgotten their password, IT professionals can reset the user's password using the FileVault Recovery Key escrowed in Jamf Pro:
- Log in to the Jamf Pro server.
- Retrieve the Mac's FileVault Recovery Key.
- Boot into macOS Recovery by powering on the Mac and continuing to hold the power button until the startup options window appears.
- Select the gear icon labeled Options, then click Continue.
- Click the blue Forgot all passwords? text.
- Enter the FileVault Recovery Key retrieved from the Jamf Pro console. Hyphens are applied automatically.
- Click Reset Password.
- Select the user account whose password you wish to reset and click Next.
- Enter the user's new password twice and click Next.
- You should see an "Authentication succeeded" message. Click the Apple menu → Restart in the top menu bar to restart the computer.
- Have the user log in using their new password.
Decrypt Disk Using Recovery Key (Intel)
In the event that an IT professional needs to unlock a Mac's disk, they can use the FileVault Recovery Key escrowed in Jamf Pro to unlock the disk on Intel-based Macs:
- Log in to the Jamf Pro server.
- Retrieve the Mac's FileVault Recovery Key.
- Power on the Mac whose disk you wish to unlock.
- On the FileVault unlock screen, select one of the FileVault enabled users listed.
- Click the question mark (?) next to the password field to reveal the "If you forget your password, you can ... reset it using your Recovery Key" button. Click the button.
- Enter the FileVault Recovery Key retrieved from the Jamf Pro console and press the Return key. Hyphens are applied automatically.
- The Mac's disk should unlock and the user login window should display.
- Click Cancel on the Reset Password prompt.
- Log in using an existing user account and password.
Reset User Password Using Recovery Key (Intel)
In the event that a user has forgotten their password, IT professionals can reset the user's password using the FileVault Recovery Key escrowed in Jamf Pro:
- Log in to the Jamf Pro server.
- Retrieve the Mac's FileVault Recovery Key.
- Power on the Mac whose disk you wish to unlock.
- On the FileVault unlock screen, select the FileVault enabled user whose password you wish to reset.
- Click the question mark (?) next to the password field to reveal the "If you forget your password, you can ... reset it using your Recovery Key" button. Click the button.
- Enter the FileVault Recovery Key retrieved from the Jamf Pro console and press the Return key. Hyphens are applied automatically.
- The Mac's disk should unlock and the user login window should display.
- Enter the user's new password in the Reset Password prompt and click Reset Password.
- The user is logged in.
Identifying FileVault Enabled Users
Jamf Pro tracks all user accounts on a computer that are FileVault enabled, meaning they have a Secure Token and can unlock the disk. To view a list of FileVault enabled users on a computer in the Jamf Pro console:
- Log in to the Jamf Pro server.
- Navigate to the computer record of the computer whose FileVault enabled users you wish to view in Computers → Search Inventory.
- Within the computer record, on the Inventory tab, select Disk Encryption in the menu.
- Locate the FileVault 2 Enabled Users field and view the list of FileVault enabled user accounts for the computer.
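The list in Jamf Pro reflects the Mac's last inventory submission, so it can lag behind the Mac itself after a user is added to or removed from FileVault. The script below is an added example, not from the original page or from Jamf: run on the Mac, it takes the users fdesetup list reports as FileVault enabled, compares them with the names copied from the FileVault 2 Enabled Users field, and prints whichever side has users the other lacks. It assumes fdesetup list prints one username,UUID line per enabled user; the Jamf list embedded in the script is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Jamf Pro documentation: compare the FileVault
# enabled users a Mac reports locally (fdesetup list) with the "FileVault 2
# Enabled Users" list Jamf Pro shows for it, so inventory drift is visible.
# Assumption: fdesetup list prints one "username,UUID" line per enabled user.

# stdin: fdesetup list output -> one username per line, sorted, deduplicated
parse_fdesetup_list() {
    cut -d, -f1 | grep -v '^$' | sort -u
}

# $1 = local users, $2 = Jamf users (both newline-separated). Prints two lines,
# only-local:<users> and only-jamf:<users>, comma-separated and empty when in sync.
compare_fv_users() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -v '^$' | sort -u > "$a"
    printf '%s\n' "$2" | grep -v '^$' | sort -u > "$b"
    printf 'only-local:%s\n' "$(comm -23 "$a" "$b" | tr '\n' ',' | sed 's/,$//')"
    printf 'only-jamf:%s\n'  "$(comm -13 "$a" "$b" | tr '\n' ',' | sed 's/,$//')"
    rm -f "$a" "$b"
}

# Constructed sample of the names shown in the FileVault 2 Enabled Users field;
# replace with the names copied from the computer record.
JAMF_FV_USERS="admin
jdoe"

# Live comparison only on a Mac as root (fdesetup list requires root).
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    echo "FileVault: $(fdesetup status)"
    local_fv=$(fdesetup list | parse_fdesetup_list)
    compare_fv_users "$local_fv" "$JAMF_FV_USERS"
fi
```

A name under only-local is a user who can unlock the disk but whom Jamf Pro does not yet know about; a name under only-jamf is a user Jamf Pro still lists but who can no longer unlock the disk. In either case, run sudo jamf recon on the Mac to submit a fresh inventory and bring the console's list back in line before relying on it.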