The payload that configures FileVault.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| `Enable`: Set to `On` to enable FileVault and set to `Off` to disable FileVault. Payloads set to `On` sent through MDM need to either include full authentication information in the payload or have the `Defer` option set to `true`. When `Defer` is `true`, the system prompts for the authentication information when the user enables FileVault. | string | required | — | ✓Yes | macOS (10.9+) |
| `Defer`: If `true`, the system defers enabling FileVault until the designated user logs out. For details, see `fdesetup(8)`. Only a local user or a mobile account user can enable FileVault. | boolean | optional | false | ✓Yes | macOS (10.9+) |
| `UserEntersMissingInfo`: If `true`, the system enables a prompt for missing user name or password fields. | boolean | optional | false | ✓Yes | macOS (10.9+) |
| `UseRecoveryKey`: If `true`, the system creates a personal recovery key and displays it to the user. | boolean | optional | true | ✓Yes | macOS (10.9+) |
| `ShowRecoveryKey`: If `false`, the system prevents display of the personal recovery key to the user after the system enables FileVault. | boolean | optional | true | ✓Yes | macOS (10.9+) |
| `OutputPath`: The path to the location of the recovery key and computer information property list. | string | optional | — | ✓Yes | macOS (10.9+) |
| `Certificate`: The DER-encoded certificate data if the system creates an institutional recovery key. This key isn't supported on a Mac with Apple silicon. | data | optional | — | ✓Yes | macOS (10.9+) |
| `PayloadCertificateUUID`: The UUID of the payload within the same profile containing the asymmetric recovery key certificate payload. | string | optional | — | ✓Yes | macOS (10.9+) |
| `Username`: The user name of the Open Directory user to add to FileVault. | string | optional | — | ✓Yes | macOS (10.9+) |
| `Password`: The password of the Open Directory user to add to FileVault. Use the `UserEntersMissingInfo` key to prompt for this information. | string | optional | — | ✓Yes | macOS (10.9+) |
| `UseKeychain`: If `true` and you don't include certificate information in this payload, the system uses the keychain created at `/Library/Keychains/FileVaultMaster.keychain` when it adds the institutional recovery key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
| `DeferForceAtUserLoginMaxBypassAttempts`: The maximum number of times users can bypass enabling FileVault before the system requires the user to enable it to log in. If the value is `0`, the system requires the user to enable FileVault the next time they attempt to log in. Set this key to `-1` to disable this feature. Range: -1 to 9999 | integer | optional | — | ✓Yes | macOS (10.9+) |
| `DeferDontAskAtUserLogout`: If `true`, the system prevents requests to enable FileVault at user logout time. | boolean | optional | false | ✓Yes | macOS (10.10+) |
| `ForceEnableInSetupAssistant`: If `true`, and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the `DeviceConfiguredCommand`. An admin SecureToken user is required; otherwise the FileVault pane does not appear. | boolean | optional | false | ✗No | macOS (14.0+) |
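
The constraints in the table can be checked before a profile is deployed. The following linter is an added example, not part of the original reference or Apple's tooling; the function names, the `apple_silicon` parameter and the sample plist are constructed for illustration, and it assumes that "full authentication information" means both `Username` and `Password` are present.

```python
import plistlib

# Constructed sample: only setting keys documented in the table above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Enable</key><string>On</string>
  <key>Username</key><string>fvadmin</string>
  <key>ShowRecoveryKey</key><true/>
  <key>DeferForceAtUserLoginMaxBypassAttempts</key><integer>10000</integer>
</dict></plist>"""

# Key -> expected plist type, taken from the table's Type column.
TYPES = {
    "Enable": str, "Defer": bool, "UserEntersMissingInfo": bool,
    "UseRecoveryKey": bool, "ShowRecoveryKey": bool, "OutputPath": str,
    "Certificate": bytes, "PayloadCertificateUUID": str, "Username": str,
    "Password": str, "UseKeychain": bool,
    "DeferForceAtUserLoginMaxBypassAttempts": int,
    "DeferDontAskAtUserLogout": bool, "ForceEnableInSetupAssistant": bool,
}

def lint_filevault(payload, apple_silicon=False):
    """Return a list of (key, problem) tuples for a FileVault payload dict."""
    findings = []
    for key, expected in TYPES.items():
        # bool is a subclass of int in Python, so compare exact types.
        if key in payload and type(payload[key]) is not expected:
            findings.append((key, f"expected {expected.__name__}"))
    enable = payload.get("Enable")
    if enable not in ("On", "Off"):
        findings.append(("Enable", "required; must be 'On' or 'Off'"))
    # Assumption: "full authentication information" = Username and Password.
    has_auth = bool(payload.get("Username")) and bool(payload.get("Password"))
    if enable == "On" and not has_auth and payload.get("Defer", False) is not True:
        findings.append(("Defer", "Enable=On needs full credentials or Defer=true"))
    if "Password" in payload:
        findings.append(("Password", "readable by anyone holding the profile; "
                         "UserEntersMissingInfo prompts instead"))
    attempts = payload.get("DeferForceAtUserLoginMaxBypassAttempts")
    if type(attempts) is int and not -1 <= attempts <= 9999:
        findings.append(("DeferForceAtUserLoginMaxBypassAttempts", "outside -1..9999"))
    if apple_silicon and "Certificate" in payload:
        findings.append(("Certificate", "not supported on Apple silicon"))
    return findings

def lint_plist(data, apple_silicon=False):
    """Parse a plist holding the FileVault payload dictionary and lint it."""
    return lint_filevault(plistlib.loads(data), apple_silicon)

if __name__ == "__main__":
    for key, problem in lint_plist(SAMPLE):
        print(f"{key}: {problem}")
```

Keys the table does not list, such as the profile's own `Payload*` metadata, are ignored rather than flagged.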