This guide applies to Mac computers
About the Report FileVault iCloud Recovery Keys Parameter
This parameter monitors and reports when user accounts have FileVault Recovery Keys escrowed to iCloud, which is not recommended for enterprise-owned Mac devices.

How It Works

macOS allows users to store FileVault Recovery Keys with their iCloud account. This is not recommended for enterprise-owned Mac devices, because a party outside the organization could retrieve the key from that account and unlock the disk. The parameter raises an alert if a Recovery Key is stored in iCloud, providing a reminder to work with the user and follow the steps below to remove the recovery key from their iCloud account.

Remove the FileVault library item

Remove the FileVault library item assignment from the Mac with the following steps:
1. Exclude from FileVault Assignment
Use a rule in your Assignment Map to exclude the Mac from getting the FileVault Library Item installed. If you are using a Classic Blueprint, move the device to a Blueprint that doesn't have the FileVault Library Item assigned.

2. Turn Off FileVault
Once the FileVault profile has been removed from the Mac, launch System Settings and turn off FileVault encryption.

3. Remove Security Preferences File
If present, remove the following file locally within the home directory of the associated iCloud user:
Reassign the FileVault library item
Depending on your FileVault enforcement settings, a forced restart of the Mac or reminder that the end user must restart to enforce FileVault encryption may be triggered when the FileVault library item is reassigned.
1. Re-enable FileVault Assignment
Change the rule in your Assignment Map to include the Mac again, which will trigger a reinstall of the FileVault profile. If you are using a Classic Blueprint, move the device back to the Blueprint with the FileVault Library Item assigned.

2. Verify FileVault Status
As enforced by your library item, FileVault should now be turned on, and the iCloud account may no longer be used to unlock the disk.
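The verification step above can also be done from a terminal. The following script is an added example and is not Kandji's own tooling: it parses the output of the real macOS commands `fdesetup status` and `fdesetup haspersonalrecoverykey` into a short verdict so the result can be logged or compared across machines. The status strings embedded at the bottom are constructed samples used only to show the parsing; on a Mac the script reads the live values.

```shell
#!/bin/sh
# Added example (not from the original page or from Kandji): summarize
# FileVault state after the library item has been reassigned.
# `fdesetup status` prints lines such as "FileVault is On." and, while
# encryption runs, "Encryption in progress: Percent completed = N."
# `fdesetup haspersonalrecoverykey` prints "true" or "false".

# Map the text of `fdesetup status` to one word: on / off / in-progress / unknown.
fv_verdict() {
  case "$1" in
    *"Encryption in progress"*|*"Decryption in progress"*) printf 'in-progress\n' ;;
    *"FileVault is On."*)  printf 'on\n' ;;
    *"FileVault is Off."*) printf 'off\n' ;;
    *)                     printf 'unknown\n' ;;
  esac
}

# Map the text of `fdesetup haspersonalrecoverykey` to yes / no / unknown.
fv_prk_verdict() {
  case "$1" in
    true)  printf 'yes\n' ;;
    false) printf 'no\n' ;;
    *)     printf 'unknown\n' ;;
  esac
}

# Combine both into a single line suitable for a log or inventory record,
# e.g. "filevault=on personal_recovery_key=yes".
fv_report() {
  printf 'filevault=%s personal_recovery_key=%s\n' \
    "$(fv_verdict "$1")" "$(fv_prk_verdict "$2")"
}

# Return 0 only when FileVault is fully on (not off, not still encrypting),
# which is the state the library item is expected to enforce.
fv_is_enforced() {
  [ "$(fv_verdict "$1")" = "on" ]
}

if command -v fdesetup >/dev/null 2>&1; then
  # Running on macOS: read the live values (haspersonalrecoverykey needs root
  # on some versions, so its failure is tolerated and reported as unknown).
  status_text=$(fdesetup status 2>/dev/null)
  prk_text=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo "unknown")
  fv_report "$status_text" "$prk_text"
else
  # Constructed sample output, used here only to demonstrate the parsing.
  fv_report "FileVault is On." "true"
  fv_report "FileVault is On.
Encryption in progress: Percent completed = 42." "true"
  fv_report "FileVault is Off." "false"
fi
```

Run it with `sh` on the Mac after the reassignment; `fv_is_enforced` is the check to gate on, since `in-progress` means the restart has happened but encryption has not yet completed.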