The configuration profile which configures the Institutional recovery key on the Workspace ONE UEM console requires only the certificate and not the keychain file.


  1. Select the FileVault Recovery Key certificate in the FileVaultMaster keychain.
  2. Select Export FileVault Recovery Key (....)...
  3. Provide the certificate name as FileVaultMaster (in keeping the name consistent with the keychain file that it was created from).
  4. Choose the location to save the certificate where you can access the key from your browser. (In this example, ~/Documents/)
  5. Select Save.
    By the end of this step, you now have a certificate file which DOES NOT contain the private key.