Device Encryption step by step (Mac)

Follow these steps to encrypt Macs.


  • You must install the Sophos Central agent software on the endpoints.
  • You must configure and turn on a Device Encryption policy in Sophos Central.
  • Users must log on to their endpoints. They must be connected to and synchronized with Sophos Central.

    Note that remote logon is not supported.

The following steps describe what users see and what they need to do:

  1. Enter their login password after starting their Mac.

    This turns on Sophos Device Encryption.

  2. Click either Encrypt to start the encryption of their system disk or Postpone to start the process later.

    When users enter their login password and click Encrypt, the recovery key is stored locally in the keychain and in Sophos Central.

    All existing users of an endpoint are added to FileVault automatically.

When the system disk is encrypted, the internal data volumes are automatically encrypted. Encrypted disks are automatically unlocked when the computer starts.

Notifications tell users about the encryption status of the individual disks.
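
To confirm the outcome from a terminal, an administrator can check that FileVault is on and that every local account was added to it. The script below is an added example, not part of the Sophos documentation: it uses the macOS built-in `fdesetup` and `dscl` tools, its function names are hypothetical, it assumes regular accounts have a UID of 501 or higher, and it falls back to constructed sample output when it is not run as root on a Mac.

```shell
#!/bin/sh
# Added example: check the result of the encryption steps on a Mac.
# Parsers take command output as text so they also run on constructed samples.

# Exit 0 if `fdesetup status` output reports FileVault as on.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Print local accounts missing from the FileVault user list.
# $1: output of `dscl . -list /Users UniqueID` (name and UID per line)
# $2: output of `fdesetup list` (name,UUID per line)
# Assumption: regular user accounts have UID >= 501; lower UIDs are system accounts.
missing_fv_users() {
    enabled=$(printf '%s\n' "$2" | cut -d, -f1)
    printf '%s\n' "$1" | awk '$2 >= 501 { print $1 }' | while read -r user; do
        printf '%s\n' "$enabled" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Live check on the Mac itself (fdesetup list requires root).
    status=$(fdesetup status)
    users=$(dscl . -list /Users UniqueID)
    fv_users=$(fdesetup list)
else
    # Constructed sample output, used when not running as root on a Mac.
    status='FileVault is On.'
    users='_spotlight 89
root 0
alice 501
bob.smith 502'
    fv_users='alice,00000000-0000-0000-0000-000000000001'
fi

if filevault_is_on "$status"; then
    echo "FileVault: on"
else
    echo "FileVault: not on"
fi
missing=$(missing_fv_users "$users" "$fv_users")
[ -z "$missing" ] || echo "Not enabled for FileVault: $missing"
```

An account reported as missing cannot unlock the encrypted disk at startup, so it is worth checking after new local users are created.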