OS X Mavericks 10.9.x and later releases:
- Apple introduced a new feature that allows users to change or regenerate the recovery key for FileVault on their system using their current password.
- A user can now regenerate a recovery key or change the existing recovery key to generate a new key.
MNE users can import or escrow the recovery key to ePolicy Orchestrator using the import key feature in the client user interface.
The feature is available as Endpoint Protection for Mac.app under /Applications on OS X systems.
Sometimes, you might need to obtain a new recovery key for a FileVault encrypted system before escrowing it to ePO. For example:
- The user enabled FileVault encryption before MNE was installed and does not know the recovery key.
- The existing recovery key has been changed or has become invalid.
After regenerating the recovery key, the user can import the new recovery key into ePO using the MNE import key feature available on the OS X client.
MNE 2.1.0 and later
- A new recovery key escrow process is available for the Mavericks and Yosemite operating systems. This feature applies when Mac OS X FileVault was enabled before MNE was installed.
- Users will see the following after they enable the option Prompt user to create a new recovery key on already enabled systems in the FileVault Product Settings policy:
  - Users are prompted to enter their FileVault password.
  - After the password is entered, the recovery key is automatically imported into the ePO database.