Endpoint Services, Jamf Pro, FileVault Disk Encryption

This article provides more information about managing FileVault disk encryption, Secure Tokens, Bootstrap Tokens and escrowed Recovery Keys using Jamf Pro.

Systems

Jamf Pro

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Services Jamf Pro

Actions

FileVault Disk Encryption

Computers enrolled into Jamf Pro have a global profile applied that enforces FileVault, Apple's built-in disk encryption feature for macOS, designed to protect data on your Mac by encrypting the entire startup disk. When FileVault is enabled, all data on the disk is secured using the AES-XTS data encryption algorithm, making it inaccessible without valid user credentials or a Recovery Key. Jamf Pro securely escrows each Mac’s unique FileVault Recovery Key, allowing IT professionals to retrieve it for authorized decryption or account recovery tasks.

Understanding Secure Tokens and Bootstrap Tokens

Proper management of Secure Tokens and Bootstrap Tokens is essential for successfully enabling FileVault on macOS devices through Jamf Pro. These tokens govern which users can enable FileVault and access encrypted disks.

What Is a Secure Token?

Secure Tokens are cryptographic markers granted to macOS user accounts that allow them to:

  • Enable FileVault full-disk encryption
  • Unlock FileVault-protected volumes at startup
  • Grant Secure Tokens to other users (with administrative rights)

Introduced in macOS 10.13 (High Sierra), Secure Tokens ensure that only authorized users can manage encryption on a Mac.

What Is a Bootstrap Token?

Introduced in macOS 10.15 (Catalina), Bootstrap Tokens are an MDM-only feature that allows macOS to:

  • Automatically grant Secure Tokens to additional user accounts
  • Authorize certain actions (such as FileVault enablement or the installation of software updates) without needing an existing SecureToken holder

Note: Computers must be enrolled via Automated Device Enrollment (ADE) and supervised to support Bootstrap Tokens.

How do Secure Tokens and Bootstrap Tokens Work?

Typically, the first Secure Token is granted to the user account that logs in to a Mac first at the login window, OR to the first user account that is created in Setup Assistant rather than via MDM (typical for personal computers). When the first Secure Token is granted on a computer, macOS sends a message to the Jamf Pro server asking it to escrow a Bootstrap Token. Once the Bootstrap Token is escrowed in Jamf Pro, macOS can use it to authorize most actions on the system that require a Secure Token, including granting a Secure Token to other users when they log in. This all happens behind the scenes: macOS silently asks Jamf Pro for the Bootstrap Token whenever it is needed.

Other Considerations for Secure Tokens and Bootstrap Tokens

  • For shared Macs with Apple Silicon: Because managing software updates with an MDM requires a Bootstrap Token, you may want to log in as a user at least once before distributing them to users. That way, a Bootstrap Token will be created and available for use before the first end user logs in.
  • Any scripts or tools that may make or modify local users or change when and how passwords are being set for users can influence whether or not the first Secure Token is granted to the right user, and whether or not a Bootstrap Token is created for the Mac.
  • If you are creating users programmatically, the profiles command-line tool can be used to generate or remove a Bootstrap Token from a script.
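As an added example (not from the Technology Services article or from Jamf), the following read-only audit shows the local view of the state described above on a Jamf Pro-managed Mac: whether FileVault is on, whether the Bootstrap Token has been escrowed, which local accounts hold a Secure Token, and which accounts can unlock the disk. It assumes the macOS tools fdesetup, sysadminctl, profiles and dscl and that it is run with sudo; the parse_* helpers read tool output from stdin and run on any POSIX sh.

```shell
# Added example, not from the Technology Services article: read-only audit of
# FileVault, Secure Token and Bootstrap Token state on a Jamf Pro-managed Mac.
# Assumes macOS (fdesetup, sysadminctl, profiles, dscl) and sudo; the parse_*
# helpers read tool output from stdin and run on any POSIX sh.

# `sysadminctl -secureTokenStatus <user>` output -> ENABLED | DISABLED | UNKNOWN
parse_secure_token() {
    out=$(cat)
    case "$out" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# `profiles status -type bootstraptoken` output -> YES | NO | UNKNOWN (escrowed?)
parse_bootstrap_escrowed() {
    out=$(cat)
    case "$out" in
        *"Bootstrap Token escrowed to server: YES"*) echo YES ;;
        *"Bootstrap Token escrowed to server: NO"*)  echo NO ;;
        *)                                           echo UNKNOWN ;;
    esac
}

# `fdesetup list` output (username,UUID per line) -> one username per line
parse_fv_users() {
    cut -d, -f1
}

# Live audit: flags a Mac whose Bootstrap Token is not escrowed (MDM software
# updates and silent Secure Token grants depend on it). Returns problem count.
audit_tokens() {
    problems=0
    printf 'FileVault: %s\n' "$(fdesetup status 2>&1 | head -n 1)"
    escrowed=$(profiles status -type bootstraptoken 2>&1 | parse_bootstrap_escrowed)
    printf 'Bootstrap Token escrowed to Jamf Pro: %s\n' "$escrowed"
    [ "$escrowed" = YES ] || problems=$((problems + 1))
    # Local accounts with UID >= 500 and whether each holds a Secure Token
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
        st=$(sysadminctl -secureTokenStatus "$u" 2>&1 | parse_secure_token)
        printf '  %-24s SecureToken=%s\n' "$u" "$st"
    done
    printf 'FileVault-enabled users: %s\n' \
        "$(fdesetup list 2>/dev/null | parse_fv_users | tr '\n' ' ')"
    return "$problems"
}

# Run the live audit only on macOS; elsewhere the parsers remain usable.
if [ "$(uname)" = Darwin ]; then audit_tokens; fi
```

A non-zero exit status from audit_tokens means the Bootstrap Token is not escrowed, which is the condition the shared-Mac bullet above tells you to resolve by logging in once before handing the Mac to users.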

macOS Login Screens

macOS presents several login-related screens that may appear visually similar. However, each screen serves a distinct purpose and behaves differently, particularly in FileVault-enabled environments. Recognizing their differences is critical for troubleshooting encryption and login issues and understanding the expected user experience. Additional information on macOS login screens can be found in Endpoint Services, Jamf Pro, macOS Login Screens.

Retrieving FileVault Recovery Key in Jamf Pro

To unlock a FileVault-encrypted Mac when the user password is unavailable, retrieve the personal Recovery Key from the Jamf Pro console:

  1. Log in to the Jamf Pro server.
  2. In Computers → Search Inventory, open the computer record of the Mac whose Recovery Key you wish to retrieve.
  3. Within the computer record, on the Inventory tab, select Disk Encryption on the menu.
  4. Locate the Personal Recovery Key field and click the Show Key button.
    Screenshot of Jamf Pro Recovery Key retrieval window
  5. The Show Key button will be replaced with the computer's Recovery Key.
    • It is recommended to copy and paste the personal Recovery Key into a text editor to make it easier to differentiate O's from zeroes.

Decrypt Disk Using Recovery Key (Apple Silicon)

In the event that an IT professional needs to unlock a Mac's disk, they can utilize the FileVault Recovery Key escrowed in Jamf Pro to unlock the disk on Apple silicon Macs running macOS 12.0.1 or later:

  1. Log in to the Jamf Pro server.
  2. Retrieve the Mac's FileVault Recovery Key.
  3. Power on the Mac whose disk you wish to unlock.
  4. On the FileVault unlock screen, enter the username of a FileVault enabled user.
  5. Press the Option + Shift + Enter keys simultaneously.
  6. Enter the FileVault Recovery Key that was retrieved from the Jamf Pro console. Hyphens are applied automatically.
  7. The Mac's disk should unlock and the user login window should display.

Reset User Password Using Recovery Key (Apple Silicon)

In the event that a user has forgotten their password, IT professionals can reset a user's password utilizing the FileVault Recovery Key escrowed in Jamf Pro:

  1. Log in to the Jamf Pro server.
  2. Retrieve the Mac's FileVault Recovery Key.
  3. Boot into macOS Recovery by powering on the Mac and continuing to press and hold the power button until you see the startup options window.
  4. Select the gear icon labeled Options, then click Continue.
  5. Click the blue Forgot all passwords? text.
  6. Enter the FileVault Recovery Key that was retrieved from the Jamf Pro console. Hyphens are applied automatically.
  7. Click Reset Password.
  8. Select the user account whose password you wish to reset and click Next.
  9. Enter the user's new password twice and click the Next button.
  10. You should see an "Authentication succeeded" message. Click the Apple menu → Restart in the top menu bar to restart the computer.
  11. Have the user log in using their new password.

Decrypt Disk Using Recovery Key (Intel)

In the event that an IT professional needs to unlock a Mac's disk, they can utilize the FileVault Recovery Key escrowed in Jamf Pro to unlock the disk on Intel-based Macs without resetting any user's password:

  1. Log in to the Jamf Pro server.
  2. Retrieve the Mac's FileVault Recovery Key.
  3. Power on the Mac whose disk you wish to unlock.
  4. On the FileVault unlock screen, select one of the available FileVault enabled users listed.
  5. Click the icon next to the password field to reveal the "If you forget your password, you can ... reset it using your Recovery Key" button, then click that button.
  6. Enter the FileVault Recovery Key that was retrieved from the Jamf Pro console and press the Return key. Hyphens are applied automatically.
  7. The Mac's disk should unlock and the user login window should display.
  8. Click Cancel on the Reset Password prompt.
  9. Log in using an existing user account and password.

Reset User Password Using Recovery Key (Intel)

In the event that a user has forgotten their password, IT professionals can reset a user's password utilizing the FileVault Recovery Key escrowed in Jamf Pro:

  1. Log in to the Jamf Pro server.
  2. Retrieve the Mac's FileVault Recovery Key.
  3. Power on the Mac whose disk you wish to unlock.
  4. On the FileVault unlock screen, select one of the available FileVault enabled users listed.
  5. Click the icon next to the password field to reveal the "If you forget your password, you can ... reset it using your Recovery Key" button, then click that button.
  6. Enter the FileVault Recovery Key that was retrieved from the Jamf Pro console and press the Return key. Hyphens are applied automatically.
  7. The Mac's disk should unlock and the user login window should display.
  8. Enter the user's new password in the Reset Password prompt and click Reset Password.
  9. The user will be logged in.

Identifying FileVault Enabled Users

Jamf Pro tracks all user accounts on a computer that are FileVault enabled, meaning they have a Secure Token and can unlock the disk. To view a list of FileVault enabled users on a computer in the Jamf Pro console:

  1. Log in to the Jamf Pro server.
  2. In Computers → Search Inventory, open the computer record of the Mac whose FileVault enabled users you wish to view.
  3. Within the computer record, on the Inventory tab, select Disk Encryption on the menu.
  4. Locate the FileVault 2 Enabled Users field and view the list of FileVault enabled user accounts for the computer.
    Screenshot of Jamf Pro Disk Encryption window with the 'FileVault Enabled Users' field highlighted
Keywords:
eps mdm endpoint apple TechS-EPS-Jamf jamf pro "Jamf Pro" filevault recovery key encryption secure token bootstrap login reset password decrypt 
Doc ID:
153754
Owned by:
Drew C. in University of Illinois Technology Services
Created:
2025-07-24
Updated:
2025-07-31
Sites:
University of Illinois Technology Services