Institutional and Personal recovery is useful if the user will benefit from viewing and keeping a Personal Recovery Key, but the company will need a quick way to decrypt the device using a Institutional Recovery Key when necessary.


  1. Configure a new Disk Encryption profile.
  2. Choose Personal & Institutional as the recovery type and configure the recovery key settings as needed.
  3. Configure a FileVault Master Keychain. For more information, see the Configure a FileVault Institutional Recovery key section.
  4. Upload the FileVaultMaster.cer to the Disk Encryption profile to encrypt the assigned computers with your Institutional Recovery Key


Once FileVault is enabled on the device, the Personal Recovery Key will be reported to the server.