Device Actions: Rotate FileVault Recovery Key
When you rotate a FileVault recovery key on a macOS device, SimpleMDM sends a command to the device to generate a new recovery key and send it back to SimpleMDM. This refreshes the stored recovery key, which is useful if you suspect the previous key may have been compromised or if you want to rotate keys regularly for security purposes.
Supported Platforms
- macOS 10.13+
- Supervision not required
To rotate a FileVault recovery key:
- In SimpleMDM, navigate to Devices.
- Select the macOS device.
- Click the rotate icon (circular arrow) next to the FileVault recovery key section. You may need to scroll to see this option.
- Confirm the action when prompted.
SimpleMDM will send the rotation command to the device. The device will generate a new recovery key and transmit it back to SimpleMDM, where it will be stored and displayed in the device details.
Requirements
- The device must be running macOS 10.13 or later.
- The device must already have a FileVault recovery key escrowed in SimpleMDM. Devices whose recovery key has not been escrowed cannot perform this action.
- The user account must have permission to manage FileVault recovery keys.
- The device must be actively enrolled and not awaiting DEP enrollment.
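The command-and-response exchange described above, and the reason an escrowed key is a prerequisite, modelled as an added Python example (not SimpleMDM code). It assumes Apple's MDM `RotateFileVaultKey` command shape (RequestType, KeyType, FileVaultUnlock.Password, and a PersonalRecoveryKey in the reply); the UDID and keys are constructed placeholders.

```python
# Added illustration of the MDM exchange behind a FileVault key rotation.
# Assumption: keys follow Apple's RotateFileVaultKey MDM command; the
# device must be handed the CURRENT personal recovery key to unlock
# FileVault, which is why an un-escrowed device cannot be rotated.
import plistlib
import uuid

# Constructed sample values (not a real device or key).
CONSTRUCTED_UDID = "00000000-0000-0000-0000-000000000000"
CONSTRUCTED_OLD_PRK = "AAAA-BBBB-CCCC-DDDD-EEEE-FFFF"
CONSTRUCTED_NEW_PRK = "GGGG-HHHH-IIII-JJJJ-KKKK-LLLL"


def rotation_possible(escrow: dict, udid: str) -> bool:
    """Rotation needs an escrowed key to put in FileVaultUnlock."""
    return bool(escrow.get(udid))


def build_rotate_command(escrow: dict, udid: str) -> bytes:
    """Command plist the MDM server queues for the device."""
    if not rotation_possible(escrow, udid):
        raise ValueError("no escrowed recovery key; rotation not possible")
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "RotateFileVaultKey",
            "KeyType": "personal",
            "FileVaultUnlock": {"Password": escrow[udid]},
        },
    })


def handle_rotate_response(response: bytes, escrow: dict) -> str:
    """Parse the device reply; replace the escrowed key only on success."""
    reply = plistlib.loads(response)
    if reply.get("Status") != "Acknowledged":
        raise RuntimeError(f"rotation failed: {reply.get('ErrorChain')}")
    new_key = reply["RotateFileVaultKey"]["PersonalRecoveryKey"]
    escrow[reply["UDID"]] = new_key  # old key is now invalid on the device
    return new_key


def demo() -> dict:
    """Run one constructed exchange and return the updated escrow store."""
    escrow = {CONSTRUCTED_UDID: CONSTRUCTED_OLD_PRK}
    cmd = plistlib.loads(build_rotate_command(escrow, CONSTRUCTED_UDID))
    device_reply = plistlib.dumps({  # constructed device acknowledgement
        "Status": "Acknowledged",
        "CommandUUID": cmd["CommandUUID"],
        "UDID": CONSTRUCTED_UDID,
        "RotateFileVaultKey": {"PersonalRecoveryKey": CONSTRUCTED_NEW_PRK},
    })
    handle_rotate_response(device_reply, escrow)
    return escrow
```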
Notes
- The rotation process typically completes within a few minutes, depending on device responsiveness.
- You can view the rotated recovery key in the device's security information after the rotation is complete.
- Rotating the key invalidates the previous recovery key; end users who need to unlock FileVault in recovery or during setup must use the new key.
- If the device is in a recovery state or offline when you initiate the rotation, the command will be queued and sent the next time the device checks in with SimpleMDM.
Apple documentation:
Eric McCann