Institutional recovery is beneficial because the network administrator can decrypt any device using a single Institutional Recovery Key, which saves time because there is no need to enter a unique Personal Recovery Key for each computer.

Generally, Institutional recovery is reserved for Corporate-Owned, Line-of-Business devices where the user does not have the ability to decrypt the device if they forget the login password.


  1. Configure a new Disk Encryption profile.
  2. Choose Institutional as the recovery type and configure the recovery key settings as needed.
  3. Configure a FileVault Master Keychain. For more information, see the Configure a FileVault Institutional Recovery key section.
  4. Upload the FileVaultMaster.cer to the Disk Encryption profile to encrypt the assigned computers with your Institutional Recovery Key.


Once FileVault is enabled on the device, the Institutional Recovery Key will be reported to the server.
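To confirm on a managed Mac that the profile produced the intended result, the following added example (not part of the original documentation) classifies the output of the macOS `fdesetup` tool. The function name `classify_recovery` and its verdict strings are this example's own, and the live check assumes the script is run as root.

```shell
#!/bin/sh
# Added example: check that a Mac scoped to an Institutional recovery
# profile is encrypted and holds an institutional recovery key.
# Function name and verdict strings are hypothetical, chosen for this example.

# classify_recovery STATUS HAS_IRK HAS_PRK
#   STATUS  : output of `fdesetup status`
#   HAS_IRK : output of `fdesetup hasinstitutionalrecoverykey` (true/false)
#   HAS_PRK : output of `fdesetup haspersonalrecoverykey` (true/false)
# Prints a verdict; returns 0 if an institutional key is present,
# 1 if the device does not meet the profile, 2 if the input is unrecognised.
classify_recovery() {
    status=$1 has_irk=$2 has_prk=$3
    case $status in
        *"FileVault is On"*) ;;
        *"FileVault is Off"*) echo "not-encrypted"; return 1 ;;
        *) echo "unknown-status"; return 2 ;;
    esac
    case "$has_irk/$has_prk" in
        true/false)  echo "institutional-only" ;;
        true/true)   echo "institutional-and-personal" ;;
        false/true)  echo "personal-only"; return 1 ;;
        false/false) echo "no-recovery-key"; return 1 ;;
        *) echo "unknown-key-state"; return 2 ;;
    esac
}

# Live check: only runs where fdesetup exists (macOS).
if command -v fdesetup >/dev/null 2>&1; then
    verdict=$(classify_recovery "$(fdesetup status 2>&1)" \
        "$(fdesetup hasinstitutionalrecoverykey 2>&1)" \
        "$(fdesetup haspersonalrecoverykey 2>&1)") || true
    echo "recovery state: $verdict"
fi
```

A verdict of `personal-only` or `no-recovery-key` on a device assigned the Institutional profile means the certificate from step 4 did not take effect on that computer.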