Add option to set macOS FileVault ShowRecoveryKey to False
Currently when FileVault is enabled with an Intune configuration profile the user is shown the recovery key and instructed to "save this recovery key and keep it in a safe place."
This is undesirable as there is a chance the user may not store the key safely. Instead, the preference is to not show the recovery key to the user after FileVault is enabled. If the recovery key is later needed, the user can retrieve it from the Intune Company Portal website (or the IT help desk).
To accomplish this the ShowRecoveryKey option in the com.apple.MCX.FileVault2 payload must be set to False.
From Apple docs: "ShowRecoveryKey: Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true."
I propose that this option be offered in the FileVault profile config in Intune.
See attachments for an example of the recovery key dialog that is currently shown to the user, and a mockup of the new proposed option in the profile config.
Apple's Configuration Profile Reference document:
Thanks, @Florian, for calling out that this was recently released: https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#device-security-1
Thank you everyone for the feedback!
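As an added example (not part of the original request and not Intune's own tooling), the following Python uses the standard-library plistlib to audit a .mobileconfig for the ShowRecoveryKey setting in com.apple.MCX.FileVault2 payloads and to emit a copy with the key set to False. The sample profile, its identifiers and UUIDs are constructed; the remaining payload keys (Enable, Defer, UseRecoveryKey) follow Apple's FileVault2 payload reference.

```python
import plistlib

# Constructed sample profile (not taken from the page). It mirrors a FileVault
# profile that still shows the personal recovery key (ShowRecoveryKey = true).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.filevault.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
      <key>PayloadIdentifier</key><string>example.filevault.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Enable</key><string>On</string>
      <key>Defer</key><true/>
      <key>UseRecoveryKey</key><true/>
      <key>ShowRecoveryKey</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

FILEVAULT_PAYLOAD = "com.apple.MCX.FileVault2"


def audit_show_recovery_key(profile_bytes):
    """Return (PayloadIdentifier, ShowRecoveryKey) for each FileVault2 payload.
    Per Apple's docs the key defaults to true when absent, so a missing key is
    reported as True, i.e. the key would still be shown to the user."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == FILEVAULT_PAYLOAD:
            results.append((payload.get("PayloadIdentifier"),
                            bool(payload.get("ShowRecoveryKey", True))))
    return results


def harden_profile(profile_bytes):
    """Return a copy of the profile with ShowRecoveryKey = false on every
    FileVault2 payload; escrow to the MDM is unaffected by this key."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == FILEVAULT_PAYLOAD:
            payload["ShowRecoveryKey"] = False
    return plistlib.dumps(profile)
```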
Florian Schütz commented
This feature has been added to Intune.
What's new in Microsoft Intune: https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#device-security-1
Question here: will the user see the new key with every rotation, or just the one time it's set up?
Because if a user sees a new key like every month, that will be very confusing, and this option to set it to False will be very much needed.
Nathan Berger commented
Solid suggestion, wouldn't be too difficult to implement. I agree that the "You will not see this key again" prompt is pretty scary for users.