Activate Mac FileVault using Intune

Encrypting the disk of a workspace is one of the basic settings that every managed device should have. Everyone who manages Windows PCs knows BitLocker. The solution that is integrated in macOS to encrypt disks is called FileVault. In this blog I want to explain to you how to configure this for macOS devices.

Create Configuration Profile

  • Open the MEM Portal
  • Navigate to Devices -> Configuration profiles
  • Click + Create profile
  • Select macOS as Platform and Templates as Profile type
  • Select Endpoint protection
  • Click Create
  • Enter a Name and click Next
  • Select FileVault and configure it the way you want it or the way the security department specifies it
  • My configurations:
    • Enable FileVault: Yes
    • Escrow location description of personal recovery key: You can retrieve the personal recovery key for your macOS device from the Microsoft Intune app, Company Portal website, or Company Portal apps for Android and iOS/iPadOS. The Support cannot access recovery keys that belong to personal devices
    • Personal recovery key rotation: 6 months
    • Hide recovery key: Yes
    • Disable prompt at sign out: Yes
    • Number of times allowed to bypass: 2
  • Click Next

When “Disable prompt at sign out” is set to Enable, “Number of times allowed to bypass” must be set to a value other than Not configured (Post).

  • Assign the configuration profile to a group that contains your macOS devices.
  • Click Next > Create

Activate FileVault

As soon as the configuration profile is applied to the device and the user logs in again, they will receive a popup informing them that FileVault should be activated. Depending on the value you selected for the setting “Number of times allowed to bypass”, the encryption is then forced.

The encryption of the hard disk takes a few minutes/hours depending on the size.

When this is done, the disk is encrypted. Via the Company Portal (e.g. the Web Company Portal or on your smartphone) you can also read out the recovery key if you need it. You can also read it out via Intune.
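To confirm on the Mac itself that the profile took effect, you can classify the output of the built-in `fdesetup` tool. The script below is an added example, not part of the original post; the function names are hypothetical, the matched phrases assume the wording `fdesetup status` prints on current macOS releases, and the sample string is constructed.

```bash
#!/bin/bash
# Added example: classify FileVault state after the Intune profile is applied.
# Assumption: the phrases matched below follow the wording of `fdesetup status`.

# Map the text of `fdesetup status` to one state keyword.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;  # On, still converting
        *"Decryption in progress"*) echo "decrypting" ;;  # being turned off
        *"FileVault is On"*)        echo "on" ;;
        *"Deferred enablement"*)    echo "deferred" ;;    # Off, waiting for the user
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Combine the state with `fdesetup haspersonalrecoverykey` (prints true/false).
filevault_report() {
    local state prk="$2"
    state="$(filevault_state "$1")"
    case "$state" in
        on|encrypting)
            if [ "$prk" = "true" ]; then
                echo "COMPLIANT: $state, personal recovery key present"
            else
                echo "REVIEW: $state, but no personal recovery key to escrow"
            fi ;;
        deferred)
            echo "PENDING: user has not accepted the prompt or used up the bypasses" ;;
        *)
            echo "NONCOMPLIANT: $state" ;;
    esac
}

# Constructed sample: what a device looks like while the user is still bypassing.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac (run with sudo so haspersonalrecoverykey can answer).
    filevault_report "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey 2>/dev/null)"
else
    # Not on a Mac: show the report for the constructed sample instead.
    filevault_report "$SAMPLE_DEFERRED" "false"
fi
```

A device that stays in the PENDING state well after the profile was assigned is worth following up on, since the disk is still unencrypted during that time.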


This blog covered a basic but very important topic. My recommendation is to enable and enforce disk encryption on all devices in the field. I hope I could help you and explain what you need to configure to enable FileVault.

Stay healthy, Cheers