Recover Mac endpoints

Follow these steps to recover Macs.

If users forget their login password, there are several ways they can regain access to their computer.

  • If the user was the last person to be logged in to the computer, they can use the Sophos Self Service Portal. See Retrieve recovery key via Self Service Portal.
  • Users can start their computer with an external Mac startup disk and then use Terminal commands to unlock the disk.
  • Users can start their computer in target disk mode and then use Terminal commands to unlock the disk.
  • Users can start their computer with macOS Recovery and then use Terminal commands to unlock the disk.

    For information on working with Terminal commands, see Unlock HFS+ volumes with Terminal commands and Unlock APFS volumes with Terminal commands.

You can help users to regain access. These instructions tell you what the users will see and what they need to do. They must:

  1. Switch on the endpoint computer and wait until the recovery key ID is displayed.
    The recovery key ID is displayed for only a few minutes. To display it again, users must restart their computer.
  2. Call the administrator and tell them the recovery key ID.
    You can give them the recovery key. For help on retrieving a key for one of your users, see the .
  3. Click the question mark icon in the Password field.
    A message is displayed.
  4. Click the arrow icon next to the message to switch to the recovery key field.
  5. Enter the recovery key.
    For users imported from Active Directory, you need to take the following extra steps:
    • Reset the existing password in Active Directory. Then generate a preliminary password and give it to the user.
    • Tell the user to click Cancel in the Reset Password dialog and enter the preliminary password instead.
  6. Follow the on-screen instructions to create a new password.
  7. If prompted, click Create New Keychain.
Users can access their computer's startup volume again.

On endpoints running macOS 10.12 or earlier, a new recovery key will be created and stored in Sophos Central. A recovery key can only be used once. If you need to recover a computer again later, you need to retrieve a new recovery key.

On endpoints running macOS 10.13 and Apple File System (APFS), no new recovery key is created. The existing recovery key remains valid.