With OS X Mavericks 10.9.x and later releases, Apple introduced a new feature that allows end users to change or regenerate the recovery key for FileVault on their system using their current password. A user can now regenerate a recovery key or change the existing recovery key to generate a new key by following the steps in the Solution section of this article.
With the release of MNE 2.0.x, end users are able to import or escrow the recovery key to ePolicy Orchestrator (ePO) using the import key feature in the client user interface, available as Endpoint Protection for Mac.app under /Applications on OS X systems.
In some cases, you might need to obtain a new recovery key for a FileVault encrypted system before escrowing it to ePO. For example:
- If FileVault encryption has been enabled by a user prior to MNE being installed on the system and the user does not know the recovery key.
- In cases where the existing recovery key has been changed or become invalid.
After regenerating the recovery key, the user can import the new recovery key into ePO using the MNE import key feature available on the OS X client.
MNE 2.1.0 and later
With the release of MNE 2.1.0, a new recovery key escrow process is available for Mavericks and Yosemite Operating Systems (OSs) that have been enabled with Mac OS X FileVault prior to MNE being installed. If the option Prompt user to create a new recovery key on already enabled systems is set in the FileVault Product Settings policy, users are prompted to enter their FileVault password. After a password is entered, the recovery key is automatically imported into the ePO database.
