FileVault 2 Configuration Overview

Configuring a Mac computer for FileVault 2 protection requires configuration steps on both the Mac computer and the domain controller (or any Windows computer from which you can edit Group Policy for the domain). The following is a list of the major steps in the process, with links to each procedure that you must complete.

  1. Create FileVault master keychain. The master keychain contains a private key that can be used to unlock the encrypted disk.

    Note:   This step is required only if you are using one institutional key for multiple Mac computers. If you are using computer-specific (“personal”) keys, go to Step 4.

  2. Export certificate from FileVault master keychain and upload it to a domain server. Uploading the certificate to a domain server allows you to select it when you enable the “FileVault 2” group policy.

    Note:   This step is required only if you are using one institutional key for multiple Mac computers. If you are using computer-specific (“personal”) keys, go to Step 4.

  3. Enable BitLocker Recovery Password Viewer in Active Directory.

    Note:   This step is required only if you are using computer-specific (“personal”) keys. If you are using one institutional key for multiple Mac computers, go to Step 4.

  4. Assign an Active Directory user who is authorized to manage an encrypted disk. FileVault 2 requires that you specify one or more “Managed By” users who can manage the encrypted disk, including the ability to lock and unlock it.

  5. Enable the “Enable FileVault 2” group policy. Enabling the “FileVault 2” group policy applies the FileVaultMaster certificate to Mac computers.

  6. Set up and verify FileVault 2 protection. After FileVault 2 protection is enabled, the disk encryption process begins after the FileVault-authorized user logs off the computer.
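The following script is an added example and is not part of the original page or the product documentation it belongs to. It shows the Mac-side commands for the institutional-key path (Steps 1 and 2) and a status check for Step 6, using Apple's built-in `security` and `fdesetup` tools; the keychain path and the certificate export path are assumptions, and the Windows-side Steps 3 to 5 (BitLocker Recovery Password Viewer, the “Managed By” user and the group policy) are done in Active Directory and Group Policy tooling rather than from this script.

```shell
#!/bin/sh
# Added example, not part of the original page: Mac-side commands for the
# institutional-key path (Steps 1 and 2) and a status check for Step 6.
# Requires macOS and an admin account; `security` and `fdesetup` are Apple's
# built-in tools. The keychain path and export path below are assumptions.

MASTER_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"  # assumed location
EXPORT_CERT="$HOME/FileVaultMaster.cer"                         # assumed export destination

# Step 1: create the FileVault master keychain. The command prompts for a
# keychain password; that password plus the keychain file unlocks every disk
# protected with this key, so keep the keychain off the client Macs.
create_master_keychain() {
    sudo security create-filevaultmaster-keychain "$MASTER_KEYCHAIN"
}

# Step 2: export only the certificate (the public half) for upload to the
# domain server. The private key stays in the master keychain.
export_master_certificate() {
    sudo security export -k "$MASTER_KEYCHAIN" -t certs -o "$EXPORT_CERT"
    echo "certificate written to $EXPORT_CERT; upload it to the domain server"
}

# Pure helper: interpret the text printed by `fdesetup status`.
# Returns 0 (true) only when the first line reports FileVault as on; a second
# "Encryption in progress" line, printed while encryption is still running,
# does not change the result.
filevault_is_on() {
    case "$1" in
        "FileVault is On."*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Step 6: confirm that protection is on, which kind of recovery key is present
# (institutional vs. personal), and which users are authorized to unlock the disk.
verify_filevault() {
    status_out=$(fdesetup status)
    if ! filevault_is_on "$status_out"; then
        echo "FileVault is not on: $status_out" >&2
        return 1
    fi
    echo "$status_out"
    echo "institutional recovery key: $(sudo fdesetup hasinstitutionalrecoverykey)"
    echo "personal recovery key:      $(sudo fdesetup haspersonalrecoverykey)"
    echo "authorized users:"
    sudo fdesetup list
}

# Dispatch on the first argument so that sourcing the file runs nothing.
case "${1:-}" in
    create) create_master_keychain ;;
    export) export_master_certificate ;;
    verify) verify_filevault ;;
esac
```

Run it as `sh filevault-steps.sh create` on the administrative Mac that will hold the master keychain, then `sh filevault-steps.sh export` to produce the certificate for Step 2; `sh filevault-steps.sh verify` on a client Mac after Step 6 reports whether encryption is on, whether an institutional or personal key is in place (which should match the path you chose in Steps 1 to 3), and the list of FileVault-authorized users.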