Corporate recovery is beneficial because the network administrator can decrypt any device using a single Corporate Recovery Key, saving time by not needing to enter a unique Personal Recovery Key for each computer.
Generally, corporate recovery is reserved for Corporate Owned, Line-of-Business devices where the user does not have the ability to decrypt the device if they forget the login password.
To encrypt a device using a Corporate Recovery Key:
- Configure a new Disk Encryption profile
- Choose Corporate as the recovery type and configure the recovery key settings as needed.
- Configure a FileVault Master Keychain. For more information on creating a FileVault Master Keychain, please refer to the section below.
- Upload the FileVaultMaster.cer to the Disk Encryption profile to encrypt the assigned computers with your Corporate Recovery Key.
Once FileVault is enabled on the device, the Corporate Recovery Key will be reported to the server.