An Institutional recovery key is a pre-made recovery key that can be installed on a system prior to the encryption process. Institutional recovery keys are not automatically generated and must be manually created before they can be used.

This section explains how to create an Institutional Recovery Key for macOS High Sierra (10.13) and above. However, the steps to create an Institutional Recovery Key for macOS Sierra (10.12) and below can be found at

To distribute the corporate recovery key through Workspace ONE UEM, first create the FileVault Corporate Recovery Key and then upload it to the configuration profile on the UEM console by following the steps:


  1. Create FileVault Keychain
  2. Copy FileVaultMaster Keychain to Documents
  3. Unlock FileVaultMaster Keychain
  4. Add FileVaultMaster Keychain to Keychain Access Utility
  5. Validate FileVaultMaster Keychain Unlock
  6. Delete and Confirm Private Key Deletion
  7. Export FileVault Recovery Key Certificate
  8. Some of the additional steps to perform after exporting FileVaultMaster Recovery Key certificate are to:
    1. Re-Lock the FileVaultMaster Keychain.
    2. Delete keychain from keychain access – To remove references to the FileVaultMaster keychain in Keychain Access.
    3. Store the keychain and password – Store both the keychain (containing the certificate and private key) and the Keychain Password in multiple, secure locations. Without both you will be unable to decrypt any FileVault 2 drives encrypted with this Institutional Recovery Key.