Enabling FileVault for Managed Services for Mac

To ensure data confidentiality and regulatory compliance, all devices go through a thorough erase process before being reassigned. Oracle uses Apple-recommended security and erase practices, with customer-controlled encryption. Before the end of your service term, you must enable FileVault encryption on your assigned Mac. This is required to guarantee that only you retain access to your organization's data.

Note

You should never disable FileVault, because disabling it impacts security.

Starting with macOS Tahoe, FileVault is enabled by default as a security best practice. We don't recommend disabling FileVault. If FileVault has been turned off for any reason, you must re-enable it before returning the device, as outlined in the following section.

Important

Don't use iCloud when creating the recovery key, and don't share the key with Oracle or any third party.

Enabling FileVault

  1. Open your Mac's system settings:
    1. Select the Apple menu in the top-left corner.
    2. Select System Settings (or System Preferences for older macOS versions).
  2. Navigate to FileVault using one of the following methods:
    • macOS Tahoe, Sonoma, and Ventura, or later:

      1. Go to Privacy & Security in the left sidebar.
      2. Scroll down to the FileVault section.
    • macOS Monterey or earlier:

      1. Go to Security & Privacy.
      2. Select the FileVault tab.
  3. Enable FileVault.
    • If FileVault is off, select Turn On FileVault. If prompted, enter your administrator password.
    • If FileVault is on, no action is needed.
  4. Create and save the recovery key.
    When prompted to choose how to unlock your disk, select Create a recovery key. Don't use your iCloud account. A recovery key is generated. Don't share this recovery key with the Managed Services for Mac team or anyone else.

    Select Continue to confirm.

  5. Restart if prompted.
    When FileVault starts encrypting your disk in the background, you might be prompted to restart your Mac. You can monitor the encryption progress in the FileVault section.
  6. Verify FileVault status by opening a terminal session and entering the following command:
    fdesetup status

    The expected output is:

    FileVault is On
  7. Notify your Managed Services for Mac contact that FileVault is enabled and the device is ready for secure wipe.
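
The check in step 6 can be scripted so that a disk still encrypting in the background (step 5) is not mistaken for a finished one. This is an added example, not Oracle's or Apple's code; the function name, the sample outputs, and the wording of the progress line are assumptions.

```shell
#!/bin/sh
# Added example: pre-return FileVault check built around `fdesetup status`.

# Constructed sample outputs (not captured from a real device). The
# progress-line wording is an assumption about what fdesetup prints.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'

# classify_filevault_status TEXT
# Prints one of: ready | in-progress | off | unknown
classify_filevault_status() {
    case $1 in
        *"in progress"*)      echo in-progress ;;  # conversion still running
        *"FileVault is Off"*) echo off ;;
        *"FileVault is On"*)  echo ready ;;
        *)                    echo unknown ;;      # empty or unexpected output
    esac
}

# On a Mac, check the live state; on other systems this step is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_filevault_status "$(fdesetup status 2>&1)")
    echo "FileVault state: $state"
    if [ "$state" != ready ]; then
        echo "Do not return the device yet." >&2
    fi
fi
```

Only the `ready` result corresponds to the expected output shown in step 6; any other result means the device is not yet ready to hand back.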