Missing Recovery Key Prompt on Encrypted macOS device after upgrading to AirWatch Agent 3.1


Prior to High Sierra, macOS provided a native mechanism to escrow recovery keys to a managed endpoint in AirWatch or a custom escrow server. In addition to the native escrow channel via MDM, the AirWatch Agent also provided an additional channel to escrow the recovery keys for improved reliability.

In High Sierra 10.13, Apple has updated encryption and escrow functionality, ensuring it is more reliable and secure. To take advantage of the native enhancements, already encrypted device (via legacy method) need to have the keys rotated one time for necessary files to be created. Once the files are created, the MDM Security sample query will be able to escrow the key and handle re-escrowing the key if it has been rotated. AirWatch Agent 3.1 for macOS adheres to this new native MDM escrowing standards set in High Sierra.


Customer Impact

When a managed machine installs the AirWatch Agent 3.1 for macOS, end-users on macOS 10.13 devices which were encrypted prior to upgrading will receive a prompt. This is a one-time prompt which requires the end-user to enter their login password to rotate the recovery key. Upon entering the credentials, the necessary files are created by the operating system for native MDM sampling. 




How to determine if users will be prompted after upgrading to AirWatch Agent 3.1 for macOS

Current OS State Prompt shown

macOS 10.12 and below

Newly Encrypted with Agent 3.0 or below

No, however, the prompt will be displayed once the device is upgraded to macOS 10.13

macOS 10.12 and below

Encrypted without AirWatch

Yes, however, the device will prompt end-users again once upgraded to macOS 10.13

macOS 10.13+ 

Newly Encrypted with Agent 3.0 or below


macOS 10.13+

Newly Encrypted with Agent 3.1


With High Sierra, for native escrowing of recovery key, a file is required present located at /var/db/FileVaultPRK.dat. This file is generated when a device running High Sierra has an existing recovery key rotated, or a new encryption is started (additional information can be found here). 

AirWatch Agent 3.1 for macOS requires the previously metioned file to be present to determine whether the escrowing of keys should be handled or not. If the file is present, the Agent will hand off the escrowing to be completed by the native MDM channel. If the file is not present, the Missing Recovery Key prompt is shown to the user. When the user enters their login password, the Agent uses this password to rotate the key with `fdesetup` and the FileVaultPRK.dat file is generated by macOS. The Agent will not display the prompt again as the device has been migrated to the new Recovery Key model. 


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.


Best Regards,

The VMware Workspace ONE Team

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.