## Summary - Cherry-picks the changes from #41677 onto `main`. - Adds the Recovery Lock password guide (`articles/recovery-lock-password.md`) which documents how to set, view, and rotate recovery lock passwords on Apple Silicon Macs with Fleet MDM. **Original PR:** #41677 --- Built for [Rachael Shaw](https://fleetdm.slack.com/archives/D0AFC5BRFHD/p1775223366494299) by [Kilo for Slack](https://kilo.ai/features/slack-integration) --------- Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com> Co-authored-by: Rachael Shaw <r@rachael.wtf>
4.1 KiB
Recovery lock password
Available in Fleet Premium
Fleet can set a recovery lock password on Apple Silicon Macs enrolled in Fleet MDM. This password lets IT admins unlock a device at the recoveryOS screen if the end user forgets their local password or the device needs to be recovered.
Fleet automatically generates, encrypts, and stores the password server-side. Admins can view or rotate it from the Fleet UI or API.
Prerequisites
- macOS host with Apple Silicon (ARM)
- Host enrolled in Fleet MDM
- Fleet Premium license
Enable recovery lock password
UI
- Go to Controls > OS settings > Passwords.
- Select your desired fleet from the dropdown
- Check Turn on Recovery Lock password.
- Click Save
Fleet will begin setting passwords on eligible hosts automatically in the current fleet. Progress appears in each host's OS settings status.
fleetctl
Add enable_recovery_lock_password: true under the mdm key in your fleet or unassigned (global) YAML config:
mdm:
enable_recovery_lock_password: true
Then apply:
fleetctl apply -f config.yml
API
For unassigned hosts:
PATCH /api/latest/fleet/config
{
"mdm": {
"enable_recovery_lock_password": true
}
}
For a specific fleet:
PATCH /api/latest/fleet/fleets/{fleet_id}
{
"config": {
"mdm": {
"enable_recovery_lock_password": true
}
}
}
View the password
- Go to the Host details page for a macOS host.
- Click Actions > Show recovery lock password.
- The password is displayed in the modal.
This action is logged as a activities visible on the host's and the global activity feed.
API
GET /api/latest/fleet/hosts/{id}/recovery_lock_password
Response:
{
"host_id": 42,
"recovery_lock_password": {
"password": "A3B7-C9D2-E5F8-G4H6-J2K9-L7M3",
"updated_at": "2026-03-12T10:30:00Z"
}
}
Rotate the password
Rotation generates a new password and pushes it to the device via an MDM command.
- Go to the Host details page for a macOS host.
Then either:
- Click Actions > Show recovery lock password.
- Click Rotate password.
or:
- Click on the *OS settings indicator in the host summary card.
- Hover over the Recovery Lock password row
- Click "Rotate"
Requires maintainer role or higher.
API
POST /api/latest/fleet/hosts/{id}/recovery_lock_password/rotate
Status tracking
Recovery lock password status appears alongside other OS settings on the host details page. Possible statuses:
| Status | Meaning |
|---|---|
| Verified | Fleet set a recovery lock password for the host. |
| Enforcing (pending) | Fleet is setting a recovery lock password for the host. |
| Removing enforcement (pending) | Fleet is unsetting the recovery lock password for the host. |
| Failed | Fleet failed to set a recovery lock password for the host. |
Disable recovery lock password
Turn off the setting using the same path as enabling (UI, fleetctl, or API). Fleet will send a clear command to remove the password from enrolled hosts.
How it works
- Password format: 6 groups of 4 alphanumeric characters separated by dashes (e.g.,
A3B7-C9D2-E5F8-G4H6-J2K9-L7M3). Characters that look similar (0/O, 1/I/l) are excluded for readability. - Encryption: Passwords are encrypted with AES-256 using the server's private key before storage. They are never stored in plaintext.
- Secret injection: Passwords are injected into MDM commands at delivery time using placeholder expansion, so plaintext passwords never appear in the command queue.
- Activities: Fleet logs activities when a password is set, rotated, or viewed, and when the feature is enabled or disabled for a fleet. These appear on the host's activity timeline and in the global activity feed.