Following Apple document HT5077, we create the keychain, extract the certificate from it, and use that certificate in Profile Manager. From the Server machine, using the Admin account:
- Open System Preferences and select the Users & Groups preference pane.
- If locked, click the lock icon to authenticate.
- Click the Services (Gears) button and then select “Set Master Password…” from the pop-up menu.
- Create a master password using the sheet that appears. The password will be XXXXX and the hint is "FileVault account password".
The following files will be created:
- /Library/Keychains/FileVaultMaster.cer
- /Library/Keychains/FileVaultMaster.keychain
Document HT5077 is finished at this point; it contains further instructions, but they are for manual deployment. From here we have enough to move ahead with our institutional key deployment.
- Launch Terminal and run the command below. Authenticate with the Admin password and then with the keychain password, since you are unlocking the keychain we just created.
- sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
- Once the keychain is unlocked, in Finder navigate to /Library/Keychains/ and double-click FileVaultMaster.keychain. This launches Keychain Access and adds the keychain.
- In Keychain Access, select FileVaultMaster in the Keychains pane.
- You should see two items in the right pane; select the certificate named FileVault Recovery Key. Double-click it to open its info window, click the caret (disclosure triangle) next to Trust, and in the "When using this certificate" drop-down choose Always Trust. Close that window.
- Back in Keychain Access, with the certificate selected, right-click (or Ctrl-click) the certificate and select Export. Save it to the desktop with no password.
- Launch Server.app and select Profile Manager, or just use Safari to navigate to: https://server.name/profilemanager
- In Profile Manager, select the user, group, or device in the left pane and click Edit in the right pane.
- Under the heading OS X and iOS, select Certificates and click Configure.
- Fill in the certificate name with: FileVault
- Click Add Certificate… and navigate to the desktop for the FileVault Recovery Certificate.cer we saved earlier.
- Once that is added, in the left pane under OS X and iOS select Security & Privacy.
- Click the FileVault (OS X Only) tab and check Require FileVault.
- Select the radio button next to Use an institutional recovery key.
- In the Certificate drop-down, the only entry available should say FileVault; select it.
- Click OK to return to the main Profile Manager screen, then, with the device group we adjusted selected, click Save in the right pane to commit the changes to the configuration profile.
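As an added example (not part of the original post and not Profile Manager's own code), here is a Python script that builds the equivalent configuration profile by hand and checks the one linkage the steps above set up in the GUI: a certificate payload carrying the exported recovery certificate, and a FileVault payload that points at it through PayloadCertificateUUID (the "Use an institutional recovery key" choice, with the "FileVault" certificate selected). The payload type identifiers and key names are taken from Apple's Configuration Profile Reference as I recall them; the certificate bytes, organisation identifier, display names and file name are constructed placeholders, and setting UseRecoveryKey to false (institutional key only, no personal recovery key) is my assumption about what the radio button selects.

```python
"""Build and sanity-check a FileVault configuration profile (.mobileconfig)
that requires FileVault and uses an institutional recovery key certificate."""
import plistlib
import uuid

# Constructed placeholder: a real profile carries the DER bytes of the
# "FileVault Recovery Key" certificate exported from FileVaultMaster.keychain.
PLACEHOLDER_CERT_DER = b"PLACEHOLDER-DER-CERTIFICATE-BYTES"

# Payload type identifiers as published in Apple's Configuration Profile Reference.
CERT_PAYLOAD_TYPE = "com.apple.security.pkcs1"
FILEVAULT_PAYLOAD_TYPE = "com.apple.MCX.FileVault2"


def _new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_filevault_profile(cert_der: bytes, org_id: str = "com.example.mdm") -> dict:
    """Return a profile dict with two payloads: the certificate payload (the
    "FileVault" certificate added in Profile Manager) and a FileVault payload
    that references it by UUID. org_id is a constructed placeholder."""
    cert_uuid = _new_uuid()
    fv_uuid = _new_uuid()
    cert_payload = {
        "PayloadType": CERT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadUUID": cert_uuid,
        "PayloadIdentifier": f"{org_id}.cert.{cert_uuid}",
        "PayloadDisplayName": "FileVault",  # certificate name used in the steps
        "PayloadCertificateFileName": "FileVault Recovery Certificate.cer",
        "PayloadContent": cert_der,  # plistlib serialises bytes as <data>
    }
    fv_payload = {
        "PayloadType": FILEVAULT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadUUID": fv_uuid,
        "PayloadIdentifier": f"{org_id}.filevault.{fv_uuid}",
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",              # "Require FileVault"
        "Defer": True,               # prompt the active user at login/logout
        "UseRecoveryKey": False,     # assumption: institutional key only, no personal key
        "ShowRecoveryKey": False,
        "PayloadCertificateUUID": cert_uuid,  # "Use an institutional recovery key"
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",    # FileVault settings are device-level
        "PayloadUUID": _new_uuid(),
        "PayloadIdentifier": f"{org_id}.filevault-profile",
        "PayloadDisplayName": "FileVault institutional recovery key",
        "PayloadContent": [cert_payload, fv_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as an XML plist (the .mobileconfig file format)."""
    return plistlib.dumps(profile)


def from_mobileconfig(data: bytes) -> dict:
    """Parse a .mobileconfig back into a dict, e.g. one exported from Profile Manager."""
    return plistlib.loads(data)


def check_institutional_key(profile: dict) -> list:
    """Return a list of problems; an empty list means the FileVault payload
    requires FileVault and references a certificate payload that carries data."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    certs = {p.get("PayloadUUID"): p for p in payloads
             if p.get("PayloadType") == CERT_PAYLOAD_TYPE}
    fv_payloads = [p for p in payloads if p.get("PayloadType") == FILEVAULT_PAYLOAD_TYPE]
    if len(fv_payloads) != 1:
        problems.append(f"expected exactly one FileVault payload, found {len(fv_payloads)}")
        return problems
    fv = fv_payloads[0]
    if fv.get("Enable") != "On":
        problems.append("FileVault payload does not require FileVault (Enable != 'On')")
    ref = fv.get("PayloadCertificateUUID")
    if not ref:
        problems.append("no PayloadCertificateUUID: institutional recovery key not selected")
    elif ref not in certs:
        problems.append(f"PayloadCertificateUUID {ref} matches no certificate payload")
    elif not certs[ref].get("PayloadContent"):
        problems.append("referenced certificate payload carries no certificate data")
    return problems


if __name__ == "__main__":
    profile = build_filevault_profile(PLACEHOLDER_CERT_DER)
    print(check_institutional_key(from_mobileconfig(to_mobileconfig(profile))))
```

Running the script with a profile exported from Profile Manager in place of the constructed one (replace the `from_mobileconfig` input with the file's bytes) gives a quick way to confirm, before pushing, that the certificate selected under Security & Privacy really is wired to the FileVault payload and is not an empty placeholder.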
Once the profile is pushed to the devices, restart; the active account will be asked to authenticate to enable FileVault. Do this for Pilot, then for the primary user on the Mac; otherwise the primary user will not be able to unlock the HD to load the OS.
Any clarification needed, just ask. I wrote the document for my company, so I had to redact some stuff to share it. I spoke with Apple about it; they are writing a document, I believe, as they are now aware there is no documentation out there. I had to show them a good amount of evidence that I did my homework, two escalations to the engineering department and voilà. Enjoy.