
Resetting an account’s ability to log into a FileVault 2-encrypted Mac by using an Apple ID

Apple’s release of Yosemite has brought with it the ability to use an Apple ID to unlock and reset a forgotten account password to log into a FileVault 2-encrypted Mac. You can use this ability in a couple of ways:

1. By setting up your iCloud account as your account on the Mac in question.


2. By associating your local or mobile network account on the Mac with an Apple ID, and selecting the option when enabling FileVault 2 to use your Apple ID to unlock the disk and reset your password.


Note: This method uses Apple’s services to store the needed FileVault 2 recovery key. If your Mac’s FileVault 2 recovery key is not being stored by Apple, you will not be able to use an Apple ID to reset your account’s ability to log into a FileVault 2-encrypted Mac.


Here’s the procedure for resetting a forgotten account password using an account’s previously-registered Apple ID.

1. At the FileVault 2 pre-boot login screen, select the account in question.


2. Click on the question mark icon.


3. In the options displayed, click on the …reset it using your Apple ID option.


4. The Mac will reboot to its recovery partition and open a Reset Password wizard.


5. When prompted, log in with your account’s associated Apple ID.


6. Depending on what type of account you have, the next few screens may be slightly different.

iCloud account

A. The Reset Password wizard will check the locked disk.

B. The Mac will communicate back with Apple to match the iCloud user against the FileVault 2 recovery key that was stored with Apple.


C. The iCloud account will be re-enabled for FileVault 2.

D. You’ll be prompted to restart. On login, your iCloud account password will be able to log in at the FileVault 2 pre-boot login screen.


Local or Mobile Network Account that’s associated with an Apple ID


A. The Reset Password wizard will check the locked disk.


B. The Mac will communicate back with Apple to match the Apple ID against the FileVault 2 recovery key that was stored with Apple.


C. You’ll be prompted to reset your account’s password to a new one.


Note: This may break the password sync for a mobile network account between the network account’s cached password on the Mac and the directory service.

D. You’ll be prompted to restart. On login, your now-reset account password will be able to log in at the FileVault 2 pre-boot login screen.


  1. October 26, 2014 at 4:19 am

    Have you tested the experience with escrowed FV2 keys in JAMF CS and iCloud recovery?

    • October 26, 2014 at 4:28 am

      Jason,

      The Apple ID-based recovery key is being escrowed by Apple and not by a third-party key escrow service like the one Casper provides. This method of recovery would be most likely used by Apple’s consumer users instead of being used in an enterprise environment.

  2. Manny
    October 29, 2014 at 9:53 pm

    How on earth do you turn this “Reset Password” screen off?! We don’t want users to use Apple IDs to reset passwords!

    • Andrew V
      October 30, 2014 at 10:44 pm

      I think Users will see this message from Apple in an enterprise environment: “A recovery key has been set by your company, school, or institution,” the administrator for your organization has created a recovery key for this Mac. If you forget your password and need to unlock your encrypted Mac, ask your administrator to unlock it with the recovery key, then reset your password.”
      http://support.apple.com/kb/PH18650

  3. Maurits
    April 16, 2015 at 10:24 am

    Important to notice the line: “You may reboot and unlock your disk using the iCloud password”
    This will NOT reset the login password!!
    (you need to boot from recovery, mount the disk in Disk Utility using the iCloud password, and then run ‘reset password’)
    Not for the end users to do easily…

  4. Monica I.
    January 12, 2016 at 5:39 pm

    So if I am successful getting a user logged back into their computer, you can’t modify the recovery options… since I’m pretty sure the user I will be working with doesn’t have it set for iCloud, lost the FV code I gave them, and doesn’t remember password.

    I’d like to set up the iCloud recovery for this client, so I’ll need to unvault and re-filevault to change the options…yes?

  5. amplecodes
    July 29, 2016 at 1:18 pm

    Important to notice the line: “You may reboot and unlock your disk using the iCloud password”

  6. Suhana
    September 18, 2016 at 2:59 pm

    So does this recovery OS mode delete all the data stored in Mac?
