pfm_description Use this section to define settings for FileVault 2
pfm_description_reference In macOS 10.9, you can use FileVault 2 to perform full XTS-AES 128 encryption on the contents of a volume. FileVault 2 payloads are designated by specifying com.apple.MCX.FileVault2 as the PayloadType value. Removal of the FileVault payload does not disable FileVault.
pfm_domain com.apple.MCX.FileVault2
pfm_format_version 1
pfm_interaction undefined
pfm_last_modified 2019-11-07T15:29:15Z
pfm_macos_max 10.12.6
pfm_macos_min 10.9
pfm_platforms macOS
pfm_subkeys

  pfm_default Configures FileVault 2 settings
  pfm_description Description of the payload.
  pfm_description_reference Optional. A human-readable description of this payload. This description is shown on the Detail screen.
  pfm_name PayloadDescription
  pfm_title Payload Description
  pfm_type string

  pfm_default FileVault 2
  pfm_description Name of the payload.
  pfm_description_reference A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique.
  pfm_name PayloadDisplayName
  pfm_require always
  pfm_title Payload Display Name
  pfm_type string

  pfm_default com.apple.MCX.FileVault2
  pfm_description A unique identifier for the payload, dot-delimited. Usually root PayloadIdentifier+subidentifier.
  pfm_description_reference A reverse-DNS-style identifier for the specific payload. It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended.
  pfm_name PayloadIdentifier
  pfm_require always
  pfm_title Payload Identifier
  pfm_type string

  pfm_default com.apple.MCX.FileVault2
  pfm_description The type of the payload, a reverse dns string.
  pfm_description_reference The payload type.
  pfm_name PayloadType
  pfm_require always
  pfm_title Payload Type
  pfm_type string

  pfm_default
  pfm_description Unique identifier for the payload (format 01234567-89AB-CDEF-0123-456789ABCDEF).
  pfm_description_reference A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique. In macOS, you can use uuidgen to generate reasonable UUIDs.
  pfm_format ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
  pfm_name PayloadUUID
  pfm_require always
  pfm_title Payload UUID
  pfm_type string

  pfm_default 1
  pfm_description The version of the whole configuration profile.
  pfm_description_reference The version number of the individual payload. A profile can consist of payloads with different version numbers. For example, changes to the VPN software in iOS might introduce a new payload version to support additional features, but Mail payload versions would not necessarily change in the same release.
  pfm_name PayloadVersion
  pfm_require always
  pfm_title Payload Version
  pfm_type integer

  pfm_description This value describes the issuing organization of the profile, as displayed to the user.
  pfm_description_reference Optional. A human-readable string containing the name of the organization that provided the profile. The payload organization for a payload need not match the payload organization in the enclosing profile.
  pfm_name PayloadOrganization
  pfm_title Payload Organization
  pfm_type string

  pfm_description Set to 'On' to enable FileVault. Set to 'Off' to disable FileVault.
  pfm_description_reference Set to ʼOnʼ to enable FileVault. Set to ʼOffʼ to disable FileVault. This value is required.
  pfm_name Enable
  pfm_require always
  pfm_range_list On Off
  pfm_title Enable FileVault 2
  pfm_type string

  pfm_default
  pfm_description Defer enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.
  pfm_description_reference Set to true to defer enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.
  pfm_name Defer
  pfm_title Defer enabling until logout
  pfm_type boolean

  pfm_default
  pfm_description Set to true for manual profile installs to prompt for missing user name or password fields.
  pfm_description_reference Set to true for manual profile installs to prompt for missing user name or password fields.
  pfm_name UserEntersMissingInfo
  pfm_title User enters username and password
  pfm_type boolean

  pfm_default
  pfm_description Set to true to create a personal recovery key.
  pfm_description_reference Set to true to create a personal recovery key. Defaults to true.
  pfm_name UseRecoveryKey
  pfm_title Create a personal recovery key
  pfm_type boolean

  pfm_default
  pfm_description Set to false to not display the personal recovery key to the user after FileVault is enabled.
  pfm_description_reference Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true.
  pfm_name ShowRecoveryKey
  pfm_title Show the personal recovery key
  pfm_type boolean

  pfm_description Path to the location where the recovery key and computer information plist will be stored.
  pfm_description_reference Path to the location where the recovery key and computer information plist will be stored.
  pfm_name OutputPath
  pfm_title Recovery key path
  pfm_type string

  pfm_allowed_file_types public.x509-certificate
  pfm_description DER-encoded certificate data if an institutional recovery key will be added.
  pfm_description_reference DER-encoded certificate data if an institutional recovery key will be added.
  pfm_name Certificate
  pfm_title Certificate
  pfm_type data

  pfm_description UUID of the payload containing the asymmetric recovery key certificate payload.
  pfm_description_reference UUID of the payload containing the asymmetric recovery key certificate payload.
  pfm_name PayloadCertificateUUID
  pfm_title Recovery Key Certificate Payload
  pfm_type string

  pfm_description User name of the Open Directory user that will be added to FileVault.
  pfm_description_reference User name of the Open Directory user that will be added to FileVault.
  pfm_name Username
  pfm_title Username
  pfm_type string

  pfm_description User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information.
  pfm_description_reference User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information.
  pfm_name Password
  pfm_title Password
  pfm_type string

  pfm_default
  pfm_description If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.
  pfm_description_reference If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.
  pfm_name UseKeychain
  pfm_title Add institutional recovery key to keychain
  pfm_type boolean

  pfm_description When using the Defer option you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it will require that it be enabled before the user can log in. If set to 0, it will always prompt to enable FileVault until it is enabled, though it will allow you to bypass enabling it. Setting this key to –1 will disable this feature.
  pfm_description_reference When using the Defer option you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it will require that it be enabled before the user can log in. If set to 0, it will always prompt to enable FileVault until it is enabled, though it will allow you to bypass enabling it. Setting this key to –1 will disable this feature. Availability: Available in macOS 10.10 and later.
  pfm_macos_min 10.10.0
  pfm_name DeferForceAtUserLoginMaxBypassAttempts
  pfm_title Maximum number of times FileVault can be skipped
  pfm_type integer

  pfm_default
  pfm_description When using the Defer option, set this key to true to not request enabling FileVault at user logout time.
  pfm_description_reference When using the Defer option, set this key to true to not request enabling FileVault at user logout time. Availability: Available in macOS 10.10 and later.
  pfm_macos_min 10.10.0
  pfm_name DeferDontAskAtUserLogout
  pfm_title Dont ask at logout
  pfm_type boolean

pfm_targets system
pfm_title FileVault 2
pfm_unique
pfm_version 5