A lost or stolen Mac is only a hardware loss if the disk is encrypted. Without encryption, anyone who gets physical access to the drive can read every file on it, no login password required. FileVault is Apple's built-in disk encryption, and most IT teams either rely on users to turn it on themselves or have no reliable way to confirm it's on across the fleet. This article walks you through enforcing FileVault with an MDM policy, what end users see when it kicks in, and where to find the recovery key once it's escrowed.
What FileVault does
FileVault encrypts the entire startup disk on a Mac. Once enabled, the contents of the disk are unreadable without the recovery key or the user's login credentials, even if the drive is removed and connected to another machine. This is the difference between a stolen laptop being a hardware loss and a stolen laptop being a data breach.
Before you begin
Scope: FileVault is a Mac-only feature. The policy applies to Mac workstations and Mac servers.
Enrollment: The device must already be enrolled in SuperOps MDM.
Permission: Anyone with asset-level view permission for a device can see its escrowed recovery key, so apply the same access discipline you'd use for any other credential.
Step 1: Configure the FileVault policy
Go to Settings >Policy Management-> Mac Workstation Policies, and open the FileVault tab under MDM Configurations. Turn on FileVault, then configure the following:
Enforcement mode: Choose when users must enable FileVault. Enforce at next login applies it immediately at the next login screen. Defer to user lets the user skip a set number of times before SuperOps enforces it.
Allow users to disable FileVault: Recommended off. If a user can turn off FileVault from System Settings, you risk them locking themselves out without a way back in.
Show recovery key to user: Recommended off for managed fleets. Keeping this off means the key lives in SuperOps, not on a sticky note.
Auto-rotate recovery key: Rotates the recovery key on a schedule, from 1 to 365 days. 15 or 30 days is the recommended range. Rotation only starts after the key is successfully escrowed.
Escrow location: A label shown to the user indicating which MDM holds the recovery key. This matters if a fleet is split across more than one MDM. It's a label, not a configurable storage location.
Step 2: What end users see
When the policy applies and the enforcement mode allows a delay, the user sees a prompt at login telling them their administrator requires FileVault and that they can log in once before they must enable it. Once they choose Enable Now, encryption begins.
The recovery key is shown to the user exactly once, in a one-time popup right after FileVault is enabled. If they don't capture it then, that's fine. It's still retrievable from the asset detail page in SuperOps.
Step 3: Find and use the recovery key
Once FileVault is enabled and the key is escrowed, open the device's asset page and go to Details > File Vault. You'll see the disk name, the recovery key (hidden by default, with an eye icon to reveal it and an icon to copy it), and the recovery key status.
The recovery key has two practical uses. The first is unlocking a disk when the device can't boot normally. The second is resetting a user's password. If a user forgets their Mac login password, you can use the recovery key at the login screen to authenticate, access the device, and set a new password. This makes the escrowed key essential for any helpdesk workflow involving locked-out Mac users.
Step 4: Verify on the device
From the Mac itself, you can confirm the policy applied correctly under System Settings > General > Device Management. The FileVault Encryption profile shows up alongside other SuperOps MDM profiles, and opening it shows the exact settings pushed: enforcement state, whether the user can disable it, the cancel-attempt count for deferred enforcement, and whether a personal recovery key was generated.
Things to know
Already-encrypted devices: If FileVault is already enabled on a Mac outside of this policy, SuperOps can't enable it again or fetch the existing recovery key. The technician needs to disable FileVault on the device first, then let the policy re-enforce it so the key gets escrowed.
No disable alerts yet: If a user disables FileVault after enforcement, SuperOps re-applies the policy and re-enables it, but there's currently no alert flagging the device as unprotected in the gap before that happens.
Auditing existing devices: There's no built-in view of FileVault status across a fleet before you apply a policy. To check, run a terminal command against your Mac devices and log the result to a custom field.

