Administrator Guide
This section guides you through the process of using FileVault Recovery when FileVault encryption is in use on the endpoint to be recovered. FileVault can be used with Encryption Enterprise for Mac v8.11 or later running on macOS Sierra 10.12.6. FileVault recovery is also used on Fusion Drives.
FileVault Recovery
Recovery of a managed FileVault-encrypted volume is dictated by Apple and is automated where possible, but requires a few more steps.
The Dell Recovery Utility simplifies the operation of Apple's recovery tools with scripts to assist with mounting a volume or, in some cases, decrypting it. FileVault recovery functionality is determined by the operating system installed on the Recovery HD and the paired target partition.
A FileVault-encrypted volume can be recovered only from a Recovery HD partition that is written to all disk drives running Mac OS X 10.9.5 or later. This requirement eliminates the possibility of performing a recovery operation directly from the Dell Recovery Utility.
Two recovery methods exist, based on whether the FileVault recovery key is a personal or institutional recovery key. One valid recovery key always exists. If a personal recovery key exists, Dell recommends that you use the most recent entry for that key. If that key does not work, then use the institutional recovery keychain.
● Personal Recovery Key - Existing FileVault encryption is managed by the Dell Server. If the most recent entry in the recovery bundle contains a RecoveryKey entry, follow the Personal Recovery Key steps. Here is a RecoveryKey example:
<key>RecoveryKey</key><string>C73W-CX2B-ANFY-HH3K-RLRE-LVAK</string>
● Recovery Keychain (rarely used) - This recovery method is based on use of a FileVault institutional recovery key. If the most recent entry in the recovery bundle contains a KeychainKey entry, follow the Recovery Keychain steps. Here is a KeychainKey example:
<key>KeychainKey</key><data>a3ljaAABAAAAA...
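The triage the two bullets above describe, as an added example that is not part of Dell's guide or its recovery tooling: a Python script that reads a recovery bundle with plistlib, finds the most recent entry, and reports which procedure to follow, with the institutional keychain kept as the fallback the guide prescribes. The guide shows only the two key names; the bundle layout used here (an Entries array of dated dictionaries under a DeviceID) and every sample value are constructed assumptions. The check that the KeychainKey blob begins with the bytes `kych` (the macOS keychain file magic, which the guide's own base64 fragment `a3ljaA` decodes to) is likewise an added sanity check, not something the guide asks for.

```python
"""Triage a Dell recovery bundle for a FileVault-encrypted Mac.

Added example, not Dell's tooling. The bundle layout below (DeviceID plus an
Entries array of dated dictionaries) is an assumption; only the RecoveryKey
and KeychainKey names come from the administrator guide.
"""
import plistlib
import re

# A FileVault personal recovery key is six groups of four upper-case
# alphanumeric characters, e.g. C73W-CX2B-ANFY-HH3K-RLRE-LVAK.
PRK_PATTERN = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")

# macOS keychain files start with the ASCII magic "kych".
KEYCHAIN_MAGIC = b"kych"

# Constructed sample bundle (assumed layout, made-up dates and key values).
SAMPLE_BUNDLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DeviceID</key><string>John Doe's MacBook.Z4291LK58RH</string>
  <key>Entries</key>
  <array>
    <dict>
      <key>Date</key><date>2019-01-10T09:00:00Z</date>
      <key>KeychainKey</key><data>a3ljaAABAAAA</data>
    </dict>
    <dict>
      <key>Date</key><date>2019-03-02T14:30:00Z</date>
      <key>RecoveryKey</key><string>C73W-CX2B-ANFY-HH3K-RLRE-LVAK</string>
    </dict>
  </array>
</dict>
</plist>
"""


def load_bundle(data: bytes) -> dict:
    """Parse the recovery bundle; plistlib turns <date> into datetime and <data> into bytes."""
    return plistlib.loads(data)


def is_valid_prk(key: str) -> bool:
    """True if the string has the shape of a FileVault personal recovery key."""
    return bool(PRK_PATTERN.match(key))


def recovery_plan(bundle: dict) -> list:
    """Return (method, material) pairs in the order the guide says to try them.

    Newest entries are considered first. The most recent RecoveryKey wins; the
    most recent KeychainKey is appended as the fallback if the key does not work.
    """
    entries = sorted(bundle.get("Entries", []), key=lambda e: e["Date"], reverse=True)
    if not entries:
        raise ValueError("recovery bundle contains no entries")

    plan = []
    prk_entries = [e for e in entries if "RecoveryKey" in e]
    if prk_entries:
        key = prk_entries[0]["RecoveryKey"]
        if not is_valid_prk(key):
            raise ValueError(f"RecoveryKey is not in XXXX-XXXX-XXXX-XXXX-XXXX-XXXX form: {key!r}")
        plan.append(("Personal Recovery Key", key))

    keychain_entries = [e for e in entries if "KeychainKey" in e]
    if keychain_entries:
        blob = keychain_entries[0]["KeychainKey"]
        if not isinstance(blob, bytes) or not blob.startswith(KEYCHAIN_MAGIC):
            raise ValueError("KeychainKey does not begin with the keychain file magic")
        plan.append(("Recovery Keychain", blob))

    if not plan:
        raise ValueError("no RecoveryKey or KeychainKey entry found in bundle")
    return plan


def describe(data: bytes) -> str:
    """Human-readable summary: which device, and which procedure to follow first."""
    bundle = load_bundle(data)
    plan = recovery_plan(bundle)
    lines = [f"Device: {bundle.get('DeviceID', '<unknown>')}"]
    for step, (method, _) in enumerate(plan, start=1):
        lines.append(f"  {step}. Follow the {method} steps")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_BUNDLE))
```

Run against a bundle downloaded from the Management Console (`plistlib.loads(open(path, "rb").read())`) after adjusting the field names to whatever the real bundle uses; the plan it prints is the order in which to work through the Personal Recovery Key and Recovery Keychain sections that follow.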
Personal Recovery Key
Generally, the best practice is to recover the boot volume before recovering non-boot volumes, since that mounts any other volume that was encrypted. Recovering the boot volume typically corrects issues with non-boot volumes.
Prerequisites
● An external bootable drive
● The Device ID/Unique ID of the computer targeted for recovery. In most cases, you can find the computer targeted for recovery in the Management Console by searching for the owner's user name and viewing the devices encrypted for that user. The format of the Device ID/Unique ID is "John Doe's MacBook.Z4291LK58RH".
● The Dell installation media
Management Console - Save the recovery bundle
1. Open the Management Console.
2. In the left pane, click Populations > Endpoints.
3. Search for the device to recover.
4. Click the device name to open the Endpoint Detail page.
5. Click the Details & Actions tab.
6. Under Shield Detail, click the Device Recovery Keys link.
7. To save the recovery bundle to the external recovery volume or computer that will be running the recovery utility to perform the recovery operation, click Download and click Save.
8. Enter a location for the recovery bundle and click Save.
Process - Mount the .dmg
1. Copy the recovery bundle and the Dell-Encryption-Enterprise-<version>.dmg file to the bootable USB drive.
2. Boot the target computer from a pre-created external full-operating-system install volume by holding down the Option key while you restart this computer and then selecting the external full-operating-system install volume in the pre-boot Startup Manager. To create a bootable volume, refer to https://support.apple.com/en-us/HT202796.
3. Mount the Dell-Encryption-Enterprise-<version>.dmg.