Changing FileVault 2 settings

After you enable FileVault 2, the settings that you are most likely to change at a later time are the “Managed By” user and the FileVaultMaster certificate.

To change the “Managed By” user on a Mac computer

  1. Disable FileVault 2 manually on the Mac computer as described in Disabling FileVault 2 protection.
  2. On the domain controller, change the “Managed By” user as described in Assign an Active Directory user who is authorized to manage an encrypted disk.
  3. Ensure that the Mac computer can communicate with the domain controller (that is, it is in connected mode) so that it can fetch the new “Managed By” user information from Active Directory.

After you complete these steps, FileVault 2 protection is enabled on the Mac computer the next time the new “Managed By” user logs into it. Until that login the disk remains unencrypted (Step 1 decrypted it), so complete the steps promptly and confirm the new “Managed By” user logs in soon afterward.

To change the FileVaultMaster certificate

Note: The procedure in this section is supported only if you use one institutional recovery key for multiple Mac computers (that is, you selected Use Institutional Recovery Key as described in Enable the Enable FileVault 2 group policy).

  1. Disable FileVault 2 manually on each Mac computer that will use the new FileVaultMaster certificate. In most situations, this includes all computers to which the Enable FileVault 2 group policy is applied.
  2. Specify a new FileVaultMaster certificate in the Enable FileVault 2 group policy as described in Enable the Enable FileVault 2 group policy.
  3. Run the adgpupdate command on the Mac computers so that the Enable FileVault 2 group policy applies the new FileVaultMaster certificate immediately.

    If you do not run adgpupdate, each Mac computer continues to use the old FileVaultMaster certificate until the next scheduled group policy update interval.

After you complete these steps:

  • Each Mac computer on which you disabled FileVault 2 (in Step 1) uses the new FileVaultMaster certificate the next time the “Managed By” user logs in.
  • FileVault 2 protection is re-enabled on that Mac computer at the same login, so from then on the disk can be unlocked with the new institutional recovery key.
  • A Mac computer on which you did not disable FileVault 2 keeps the recovery key it was encrypted with, so retain the private key of the old FileVaultMaster certificate until every such disk has been decrypted and re-encrypted.
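As an added example (not part of the original documentation or the product's own tooling), the following POSIX shell script checks, after you run adgpupdate, whether a Mac computer now holds the new FileVaultMaster certificate and whether FileVault 2 is still off (waiting for the “Managed By” user to log in) or already on. It assumes the institutional keychain is at Apple's standard location /Library/Keychains/FileVaultMaster.keychain, uses the macOS fdesetup and security commands, and reads the expected SHA-1 fingerprint of the new certificate from an environment variable named EXPECTED_FVMASTER_SHA1 (a name chosen for this example). The sample command outputs embedded in the script are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example, not from the original documentation or the product's
# own tooling: confirm that a Mac picked up the new FileVaultMaster
# certificate after `adgpupdate`, and report the FileVault 2 state.
#
# Assumptions:
#   - the institutional keychain is at Apple's standard path below;
#   - EXPECTED_FVMASTER_SHA1 (a name chosen for this example) holds the
#     SHA-1 fingerprint of the certificate you put in the group policy.

FVMASTER_KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain

# fv_state TEXT: map `fdesetup status` output to on / off / unknown.
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# fvmaster_sha1 TEXT: pull every "SHA-1 hash:" line out of
# `security find-certificate -a -Z` output, one fingerprint per line.
fvmaster_sha1() {
    printf '%s\n' "$1" | awk '/^SHA-1 hash:/ { print toupper($3) }'
}

# check_rollover EXPECTED STATUS_TEXT CERT_TEXT
# Returns 0 only when the keychain holds exactly the expected certificate.
# Colons or spaces in EXPECTED (as some tools print fingerprints) are
# stripped and the value is upper-cased before comparison.
check_rollover() {
    expected=$(printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
    state=$(fv_state "$2")
    found=$(fvmaster_sha1 "$3")
    if [ -z "$found" ]; then
        echo "no certificate in $FVMASTER_KEYCHAIN (policy not applied?)"
        return 2
    fi
    # A mismatch also covers the case of several certificates in the keychain.
    if [ "$found" != "$expected" ]; then
        echo "keychain holds $found, expected $expected (old certificate still in use?)"
        return 1
    fi
    case "$state" in
        off) echo "new certificate present; FileVault is off, waiting for the Managed By user to log in" ;;
        on)  echo "new certificate present; FileVault is on (only a disk re-enabled after the rotation uses the new key)" ;;
        *)   echo "new certificate present; FileVault state unknown" ;;
    esac
    return 0
}

# Constructed sample outputs for offline use (not captured from a real Mac).
SAMPLE_SHA1_NEW=AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12
SAMPLE_STATUS_OFF='FileVault is Off.'
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_CERT_NEW='keychain: "/Library/Keychains/FileVaultMaster.keychain"
version: 256
class: 0x80001000
attributes:
    "labl"<blob>="FileVault Recovery Key (example.org)"
SHA-256 hash: 5F3C0A2B7E9D41C6D8B2A1E0F4C3B2A19E8D7C6B5A4F3E2D1C0B9A8F7E6D5C4B
SHA-1 hash: AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12'

# Live check where the macOS tools exist; otherwise run against the samples.
if command -v fdesetup >/dev/null 2>&1 && [ -n "${EXPECTED_FVMASTER_SHA1:-}" ]; then
    check_rollover "$EXPECTED_FVMASTER_SHA1" \
        "$(fdesetup status 2>/dev/null)" \
        "$(security find-certificate -a -Z "$FVMASTER_KEYCHAIN" 2>/dev/null)"
else
    check_rollover "$SAMPLE_SHA1_NEW" "$SAMPLE_STATUS_OFF" "$SAMPLE_CERT_NEW"
fi
```

Run it on a Mac as EXPECTED_FVMASTER_SHA1=<fingerprint> sh check_fvmaster.sh right after adgpupdate. A mismatch means the policy has not been applied yet (the Mac may not be in connected mode, or the update interval has not elapsed); a match with FileVault off means the Mac is simply waiting for the “Managed By” user to log in.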