Institutional recovery is beneficial because the network administrator can decrypt any device using a single Institutional Recovery Key, which saves time because there is no need to enter a unique Personal Recovery Key for each computer.
Generally, institutional recovery is reserved for corporate-owned, line-of-business devices where the user does not have the ability to decrypt the device if they forget the login password.
- Configure a new Disk Encryption profile.
- Choose Institutional as the recovery type and configure the recovery key settings as needed.
- Configure a FileVault Master Keychain. For more information, see the Configure a FileVault Institutional Recovery key section.
- Upload the FileVaultMaster.cer to the Disk Encryption profile to encrypt the assigned computers with your Institutional Recovery Key.
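A pre-upload check for the last step, as an added example that is not part of the product documentation: it confirms that the file about to be uploaded as FileVaultMaster.cer holds a single certificate and no private key material, since the keychain's private key is what unlocks every assigned computer. The function names and sample bytes are constructed for illustration. The check is structural only (a CSR or CRL has the same outer shape) and does not validate signature or expiry.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def child_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE."""
    tag, pos, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE")
    tags = []
    while pos < end:
        t, _, pos = _tlv(der, pos)
        tags.append(t)
    return tags

def safe_to_upload(data):
    """Return (ok, reason) for the bytes of a candidate FileVaultMaster.cer."""
    blocks = PEM_BLOCK.findall(data)
    labels = [label for label, _ in blocks]
    if any(b"PRIVATE KEY" in label for label in labels):
        return False, "PEM private key present"
    if blocks and labels != [b"CERTIFICATE"]:
        return False, "expected exactly one CERTIFICATE block"
    try:
        der = base64.b64decode(b"".join(blocks[0][1].split())) if blocks else data
        tags = child_tags(der)
    except (ValueError, IndexError) as exc:
        return False, f"not DER: {exc}"
    # X.509: SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, signature BIT STRING }
    if tags != [0x30, 0x30, 0x03]:
        return False, "not certificate-shaped (PKCS#12 or key export?)"
    return True, "certificate only, no private key material"

# Constructed skeletons (not real certificates): certificate-shaped and PKCS#12-shaped DER.
SAMPLE_CERT_SHAPED = bytes.fromhex("300730003000030100")
SAMPLE_PFX_SHAPED = bytes.fromhex("300702010330003000")
```

Read the file with `open(path, "rb").read()` and pass the bytes to `safe_to_upload` before attaching it to the profile.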