macOS FileVault Encryption

Why this risk matters

FileVault encrypts the entire macOS startup disk using AES-XTS 128-bit encryption. Without it, anyone with physical access to a Mac — whether through theft, loss, or an insider — can boot from an external drive or enter Recovery Mode and read every file on the disk without needing the user's password.

Laptops are the most commonly lost or stolen corporate device. In regulated industries (healthcare, finance, legal) an unencrypted lost laptop containing customer or patient data constitutes a reportable breach under GDPR, HIPAA, and similar frameworks. Even outside regulated sectors, the reputational and legal cost of disclosing a laptop theft is significant when encryption would have eliminated the exposure entirely.

FileVault enforcement via MDM also enables recovery key escrow — meaning if a user forgets their password or a device is inherited from a departing employee, IT can unlock the device without data loss. Without MDM enforcement, recovery keys are often unknown or lost entirely.

What happens if this is abused

Without FileVault enabled, a lost or stolen Mac creates immediate data exposure risk:

  • An attacker with physical access can boot from an external drive or use macOS Recovery Mode to access the entire disk contents without the user's login password.
  • All locally stored files, browser profiles, cached credentials, corporate documents, and emails become readable in plain text without any authentication.
  • A departing employee or malicious insider can access another user's data on a shared Mac simply by booting from external media.
  • Loss of an unencrypted laptop containing personal data (customer records, HR files, financial data) constitutes a notifiable breach under GDPR, with potential fines and mandatory regulatory disclosure.
  • Without recovery key escrow, IT has no way to access encrypted data on a device where the user has left the organisation or forgotten their password, potentially resulting in permanent data loss.

When this is expected or acceptable

FileVault is expected on all managed Mac laptops. There are only a few narrow exceptions where this finding requires less urgent remediation.

  • Desktop Macs in physically secured, access-controlled rooms have reduced physical theft risk. Encryption is still recommended but may be lower priority than laptops.
  • If FileVault is managed and enforced via Intune or Jamf with recovery keys escrowed to the MDM, this finding may reflect a reporting lag rather than a real gap. Confirm MDM enforcement status before escalating.
  • During initial device setup there is a brief window before FileVault completes its first encryption pass. This is expected if the device has not yet left IT's hands.
  • Virtual Macs (e.g., Apple Silicon VMs) may have disk encryption handled at the hypervisor layer. Confirm whether full-disk encryption is applied at the VM host level before treating this as a gap.

Checks to perform before taking action

Before enforcing FileVault or escalating to the device owner:

  • Is this a laptop or a desktop? Laptops have significantly higher physical theft risk and should be prioritised.
  • Is the Mac enrolled in Jamf or Intune? Check whether a FileVault enforcement policy has been applied and whether the recovery key has been escrowed. A missing escrow key is itself a reportable finding even if encryption is enabled.
  • When was this device last seen online? Decommissioned or long-offline devices should be noted separately and not block remediation of active machines.
  • What role does the device owner hold? Devices used by finance, HR, legal, or engineering staff handling sensitive data should be treated as higher priority.
  • Has the user been notified previously? Check whether there is an existing IT ticket or grace period notification already in progress for this device.

Safe remediation steps

Enforce FileVault encryption on managed Macs via Intune or Jamf:

  1. Check current encryption status — in Intune, navigate to Devices → macOS → Encryption report. Identify Macs where FileVault is not enabled or where the recovery key has not been escrowed.
  2. Create a FileVault policy in Intune — go to Endpoint Security → Disk Encryption → Create Policy. Select macOS and choose FileVault as the profile type. Set: Require FileVault = Yes, Recovery key rotation = 1 rotation, Escrow location description = IT helpdesk, Hide recovery key = Yes (prevents users from copying and losing the key).
  3. Enable deferred enablement — set Defer to Yes. This prompts the user to enable FileVault at their next login rather than forcing an immediate restart, reducing disruption. Set the number of times deferral can be bypassed to a low number (e.g. 3) to prevent indefinite avoidance.
  4. Pilot on a small group — assign the policy to 10–20 devices first. Verify that recovery keys appear in Intune under the device's Encryption Key. Confirm users receive a clear prompt at next login.
  5. Roll out to all Mac devices — assign the policy to your full macOS device group. Initial encryption of an existing disk takes 30–90 minutes in the background and does not interrupt usage.
  6. Add a compliance condition — in Intune Compliance for macOS, add the condition: FileVault = Require. Non-compliant devices will be flagged and can be blocked from corporate resources via Conditional Access if desired.
  7. For Jamf-managed fleets — use the Jamf Pro built-in FileVault enablement policy with institutional recovery key escrow, or connect Jamf to Intune via the connector to leverage Intune compliance reporting.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • MacOS Disk Encryption FileVault — Ensures Mac data remains unreadable if a device is lost or stolen, with recovery keys safely escrowed in Intune.
  • MacOS Device Health — Protects Mac devices from OS-level tampering and rootkit attacks by ensuring the system kernel cannot be modified.
  • MacOS Device Security — Ensures Mac data is encrypted at rest, network access is restricted, and only trusted software can run on the device.

Related risks and follow-on checks

After reviewing FileVault encryption status, also check these related risk areas:

  • Windows BitLocker Encryption — the equivalent disk encryption control for Windows devices; if FileVault gaps exist, BitLocker coverage is worth reviewing at the same time.
  • Devices Overview — stale or unmanaged devices are less likely to have MDM-enforced encryption policies applied.
  • Intune Policy Coverage Gaps — if encryption policies are not uniformly applied across the fleet, this is where the coverage gaps will be visible.
  • macOS Firewall and Gatekeeper — complementary Mac hardening controls that are typically enforced via the same MDM profiles as FileVault.
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.