Enable FileVault 2


Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable FileVault 2


This group policy allows you to select whether to use one institutional key for multiple Mac computers, or computer-specific (“personal”) keys.

To use one institutional key for multiple Mac computers, select Use Institutional Recovery Key. Then click Select to select the certificate that contains the FileVault master keychain that can unlock the encrypted disk. You must already have created a FileVault master keychain and exported the certificate for the master keychain to a Windows domain server before you perform this step.

To use computer-specific (“personal”) keys instead of one institutional key, leave Use Institutional Recovery Key unchecked. In this situation, a personal recovery key is created for the Mac computer and stored in the computer object in Active Directory. The key is created and sent to the computer object in Active Directory after the “Managed By” user logs in, logs out, and provides the user password.

This policy is available only for OS X 10.9 and later.

For complete instructions, see Configuring FileVault 2.

Note: Enabling this group policy does not immediately enable FileVault 2 protection on a Mac computer. FileVault 2 protection is enabled when the FileVault-enabled user (that is, the “Managed By” user) logs on to the computer. Disabling this group policy does not disable FileVault 2 protection; disabling FileVault 2 can only be done manually.

Once enabled, this group policy takes effect at the next group policy update interval or when you execute the adgpupdate command.
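Because the policy only takes effect once the “Managed By” user logs on, it helps to check the resulting state on the Mac itself. The following is an added example, not part of the Centrify documentation or product: it uses the macOS `fdesetup` tool, the helper names `fv_state` and `fv_verdict` are hypothetical, and the status wording it matches is assumed from `fdesetup status` output.

```shell
#!/bin/sh
# Added example (not Centrify code). Run as root on the Mac after adgpupdate.
# fv_state and fv_verdict are hypothetical helper names.

# Reduce `fdesetup status` text to: encrypting, decrypting, on, off, unknown.
# Progress lines are tested first because they accompany an On/Off line.
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# fv_verdict MODE STATUS_TEXT HAS_PERSONAL_KEY HAS_INSTITUTIONAL_KEY
# MODE: "institutional" if Use Institutional Recovery Key is selected,
#       "personal" if it is left unchecked.
# The two key arguments are the true/false strings printed by fdesetup.
# This does not confirm that a personal key reached Active Directory.
fv_verdict() {
    state=$(fv_state "$2")
    case "$state" in
        on|encrypting) ;;
        # Off: the Managed By user has not logged on yet, or no policy applied.
        off)  echo not-enabled; return 0 ;;
        *)    echo "$state"; return 0 ;;
    esac
    case "$1:$3:$4" in
        personal:true:*)       echo compliant ;;
        institutional:*:true)  echo compliant ;;
        *)                     echo key-mismatch ;;
    esac
}

# Live check, skipped where fdesetup is absent (for example off a Mac).
if command -v fdesetup >/dev/null 2>&1; then
    fv_verdict "${1:-personal}" "$(fdesetup status)" \
        "$(fdesetup haspersonalrecoverykey)" \
        "$(fdesetup hasinstitutionalrecoverykey)"
fi
```

Pass `institutional` or `personal` as the first argument to match the policy setting; a `key-mismatch` result means the volume is encrypted but not with the recovery key type the policy specifies.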