Enable FileVault with Profile Manager and an IRK (Institutional Recovery Key) - El Capitan

It is really easy to enable FileVault through Profile Manager so that all your connected devices receive the policy and enable FileVault by default.

I am going to explain every step of enabling FileVault through Profile Manager and deploying it to enrolled devices.


1. Set Master Password
  • Open System Preferences -> Users & Groups.
  • If it is locked, unlock it.
  • Click on the services (Gear) button -> Select "Set master password".
  • Set whatever password you want, but put something you will recognise in its hint so you can recall the password if something goes wrong.
This process creates the files listed below.

/Library/Keychains/FileVaultMaster.cer
/Library/Keychains/FileVaultMaster.keychain

2. Unlock the FileVault keychain

Launch Terminal and run the command below.
sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

3. Load the FileVault keychain
  • Once the keychain is unlocked, go to /Library/Keychains/.
  • You will find "FileVaultMaster.keychain". Double click on it.
  • Now you will see "FileVaultMaster" on the right side of Keychain Access.
4. Make the FileVault certificate trusted.
  • In Keychain Access, under FileVaultMaster, you will find the FileVault certificate and its key.
  • Double click on the certificate.
  • Click the disclosure triangle next to Trust, then in the "When using this certificate" drop-down choose Always Trust.
5. Export the trusted FileVault certificate.
  • After making the certificate trusted, go to login Keychain > Certificates.
  • Select the FileVault certificate > Right click on it > Export > Save it with the .cer extension.
At this point we have set the master password, loaded the FileVault keychain and exported the FileVault certificate. Next we will make some configuration changes in Server.app.

6. Configure FileVault in Profile Manager.
  • Load Server.app and open Profile Manager.
  • Navigate to Device or Device groups -> Go to Settings -> Click Edit.
  • Click on "Certificates" under OS X and iOS, then import the FileVault certificate that we exported in Step 5.
  • Now click on "Security & Privacy" under OS X and iOS > Click on FileVault > Check "Require FileVault". Select "Use an Institutional recovery key" and select "FileVault Recovery Key" under certificates.
  • Click Save and you are done. Let's get it pushed to your device (MacBook or Mac mini).
7. Enable it on your system.
After your system has received all the settings, you just need to reboot it. It will then ask you to enable FileVault with your password.
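
To confirm that the steps above worked, here is an added example (not part of the original post): a small shell check for the Step 1 files on the admin Mac and for the FileVault state of an enrolled Mac after Step 7. The function names and state labels are my own, and the exact wording of the fdesetup output it matches is an assumption; the sample strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Step 1 artefacts: both files must exist and be non-empty.
# The directory is a parameter so the check can be tried on a scratch copy.
irk_files_present() {
    dir="${1:-/Library/Keychains}"
    for f in FileVaultMaster.cer FileVaultMaster.keychain; do
        [ -s "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
}

# Classify a Mac from the captured output of `fdesetup status` ($1) and
# `fdesetup hasinstitutionalrecoverykey` ($2).
# Assumption: "false" or empty output means no IRK; any other output
# means an IRK is installed.
fv_state() {
    case "$2" in
        ''|false) irk=no ;;
        *)        irk=yes ;;
    esac
    case "$1" in
        *"FileVault is On"*)
            if [ "$irk" = no ]; then
                echo "on-without-irk"   # encrypted, but the IRK did not arrive
            else
                case "$1" in
                    *"Encryption in progress"*) echo "encrypting" ;;
                    *)                          echo "compliant" ;;
                esac
            fi ;;
        *) echo "off" ;;                # profile missing or reboot still pending
    esac
}

# On an enrolled Mac (run as root) classify the live state; anywhere else,
# fall back to constructed sample output so the script still runs.
if command -v fdesetup >/dev/null 2>&1; then
    fv_state "$(fdesetup status)" "$(fdesetup hasinstitutionalrecoverykey)"
else
    fv_state "FileVault is On." "true"  # constructed sample
fi
```

A result of "on-without-irk" means the disk is encrypted but cannot be unlocked with the institutional key, so check the certificate payload from Step 6 on that device.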

5 comments:

  1. Thank you very much!
    Was a great help for me
  2. Thank you so much.

    It's really helpful to understand the Scenario of FileVault.
  3. THANK YOU!!!

    I was getting the message: "there was a problem enabling filevault on your computer", I think that's because the certificate was missing... Worked!
  4. I am happy that you liked it and it solved your problem.