macOS FileVault Encryption

Why this risk matters

FileVault encrypts the macOS startup volume with XTS-AES-128 using a 256-bit key. Without it, anyone with physical access to a Mac, whether through theft, loss or an insider, can boot from an external drive or into macOS Recovery and read every file on the disk without the user's password. On Macs with a T2 chip or Apple silicon the internal volume is always hardware-encrypted, but with FileVault off the Secure Enclave releases the volume key without any user credential, so the practical exposure is the same: FileVault is what binds the decryption key to the user's password.

Laptops are among the most commonly lost or stolen corporate devices. In regulated industries (healthcare, finance, legal) the loss of an unencrypted laptop holding customer or patient data is generally treated as a notifiable breach under GDPR, HIPAA and similar frameworks, whereas encrypted data whose key was not also lost is typically exempt from individual notification (HIPAA's safe harbor for encrypted PHI, GDPR Article 34(3)(a)). Even outside regulated sectors, the reputational and legal cost of disclosing a laptop theft is significant when encryption would have removed the exposure entirely.

FileVault enforcement via MDM also enables recovery key escrow: if a user forgets their password, or a device is inherited from a departing employee, IT can unlock the volume with the escrowed personal recovery key without data loss. Without MDM enforcement the key is shown once to the user at enablement time, is rarely recorded, and is frequently lost entirely.

What happens if this is abused

Without FileVault enabled, a lost or stolen Mac creates immediate data exposure risk:

  • An attacker with physical access can boot from an external drive or into macOS Recovery and read the entire disk without the user's login password.
  • All locally stored files, browser profiles, cached credentials and tokens, corporate documents and mailbox caches become readable in the clear, without any authentication.
  • A departing employee or malicious insider can read another user's data on a shared Mac simply by booting from external media.
  • Loss of an unencrypted laptop containing personal data (customer records, HR files, financial data) is a notifiable breach under GDPR, with potential fines and mandatory regulatory disclosure.
  • Without recovery key escrow, IT has no way to unlock an encrypted volume once the user has left the organisation or forgotten their password, which means permanent loss of whatever was only stored locally.

When this is expected or acceptable

Checks to perform before taking action

Safe remediation steps

Enforce FileVault encryption on managed Macs via Intune or Jamf:

  1. Check current encryption status. In Intune, open the macOS encryption report and identify Macs where FileVault is not enabled or where no personal recovery key has been escrowed. Cross-check a sample of devices locally with fdesetup status, since the report only reflects the last inventory the device sent.
  2. Create a FileVault policy in Intune. Go to Endpoint security → Disk encryption → Create policy, choose macOS and the FileVault profile. Set Enable FileVault = Yes, Recovery key type = Personal key (the only type this profile escrows; institutional certificate-based keys are not supported here), a Personal recovery key rotation interval (e.g. 6 months, so a key that has been used or exposed is superseded), Escrow location description of personal recovery key = a short string the user will recognise such as "IT helpdesk", and Hide recovery key = Yes so the user never sees or copies the key and the escrowed copy is the one the helpdesk works from.
  3. Enable deferred enablement. Set Allow deferral until sign out = Yes and Number of times allowed to bypass = a small number (e.g. 3). The user is prompted at sign-out or next sign-in rather than forced into an immediate restart, and the bypass cap stops indefinite avoidance. Enabling FileVault always requires the user to enter their password, because the user's password is what wraps the volume key; an account without a Secure Token (commonly directory-bound mobile accounts, or accounts created by some provisioning scripts) cannot enable FileVault, so check sysadminctl -secureTokenStatus on pilot machines before assuming the prompt will succeed.
  4. Pilot on a small group. Assign the policy to 10–20 devices first. Verify that each device's personal recovery key appears in Intune under the device's Recovery keys, that a helpdesk role can retrieve it, and that users receive a clear prompt at next sign-in.
  5. Roll out to all Mac devices. Assign the policy to your full macOS device group. On Macs with a T2 chip or Apple silicon enabling FileVault is near-instant, because the volume is already hardware-encrypted and only the key wrapping changes; on older Intel Macs the initial encryption pass runs in the background and can take an hour or more depending on disk size, without interrupting normal use.
  6. Add a compliance condition. In the macOS compliance policy, set Require encryption of data storage on device = Require, with a grace period long enough to cover the deferral window. Non-compliant devices are flagged and can be blocked from corporate resources via Conditional Access if desired.
  7. For Jamf-managed fleets, create a Disk Encryption configuration that generates and escrows a personal recovery key (optionally alongside an institutional key) and deploy it with a policy scoped to the fleet, so that keys land in each computer's inventory record; the Jamf Pro device compliance integration with Intune can then feed the FileVault state into Intune compliance and Conditional Access. Whichever MDM is used, treat an escrowed key as exposed once a helpdesk agent has used it and rotate it (sudo fdesetup changerecovery -personal on the device, or the MDM's rotation), so the escrowed copy is again the only valid one.
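Steps 1 and 4 rely on what the MDM reports. The script below is an added example, not code from the page or from Apple, Microsoft or Jamf: it reads the device-side state with fdesetup (Apple's FileVault command-line tool) and turns it into a compliance verdict, so it can be run on a pilot Mac, deployed as an Intune shell script, or used as a Jamf extension attribute. The fdesetup status phrasings it matches, and the sample strings used to exercise it, are my approximations of the tool's output (an assumption to verify on your macOS version); the recovery-key shape check is a sanity check on a helpdesk ticket, not proof that the key works.

```shell
#!/bin/sh
# Added example (not from the page, Apple, Microsoft or Jamf): audit a Mac's
# FileVault state from `fdesetup` output and produce a compliance verdict.
# POSIX sh. Parsing functions take the tool's output text as an argument so they
# can be exercised off-device; `--live` runs the real commands on a Mac (use sudo).
# Assumption: the status strings matched below are the wording of recent macOS.

# fv_classify STATUS_TEXT -> prints one of: on encrypting decrypting deferred off unknown
fv_classify() {
  _t=$1
  case "$_t" in
    *"FileVault is On."*)
      case "$_t" in
        *"Encryption in progress"*) printf 'encrypting\n' ;;
        *"Decryption in progress"*) printf 'decrypting\n' ;;
        *)                          printf 'on\n' ;;
      esac ;;
    *"FileVault is Off."*)
      case "$_t" in
        *"Deferred enablement appears to be active"*) printf 'deferred\n' ;;
        *)                                            printf 'off\n' ;;
      esac ;;
    *) printf 'unknown\n' ;;
  esac
}

# fv_percent STATUS_TEXT -> prints the "Percent completed" figure, or nothing when absent
fv_percent() {
  printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p'
}

# fv_prk_format_ok KEY -> exit 0 if KEY has the shape of a personal recovery key
# (six hyphen-separated groups of four upper-case letters/digits), else 1.
# Shape only: a well-formed but wrong key must still be checked with
# `sudo fdesetup validaterecovery` on the device.
fv_prk_format_ok() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# fv_verdict STATUS_TEXT HAS_PRK -> "compliant" or "noncompliant: <reason>" (exit 1).
# HAS_PRK is the "true"/"false" printed by `fdesetup haspersonalrecoverykey`.
# A Mac counts as compliant only when the volume is fully encrypted AND a personal
# recovery key exists: an encrypted volume with no escrowable key is the
# permanent-data-loss case described in the risk section.
fv_verdict() {
  _state=$(fv_classify "$1")
  case "$_state" in
    on) ;;
    encrypting) printf 'noncompliant: encryption %s%% complete\n' "$(fv_percent "$1")"; return 1 ;;
    deferred)   printf 'noncompliant: enablement deferred, user has not enabled yet\n'; return 1 ;;
    *)          printf 'noncompliant: FileVault %s\n' "$_state"; return 1 ;;
  esac
  if [ "$2" = "true" ]; then
    printf 'compliant\n'
  else
    printf 'noncompliant: no personal recovery key to escrow\n'
    return 1
  fi
}

# Live audit on the Mac. Prints a Jamf extension-attribute style <result> line
# so the verdict can be collected as inventory; Intune shell scripts capture stdout too.
fv_audit_live() {
  command -v fdesetup >/dev/null 2>&1 || { echo 'fdesetup not found; not macOS' >&2; return 2; }
  _status=$(fdesetup status 2>&1)
  _prk=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo false)
  _v=$(fv_verdict "$_status" "$_prk") || true
  printf '<result>%s</result>\n' "$_v"
  # After the helpdesk has used an escrowed key, rotate it so the escrowed copy
  # is again the only valid one:  sudo fdesetup changerecovery -personal
}

if [ "${1:-}" = "--live" ]; then fv_audit_live; fi
```

Run it as sudo sh fv_audit.sh --live on a pilot Mac (the file name is hypothetical) and compare the verdict with the device's row in the Intune or Jamf report; a Mac that reports "on" locally but shows no escrowed key in the MDM is the case to chase before rollout, because its data is already unrecoverable by IT.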

Supporting documentation

Related risks and follow-on checks
