SEE FileVault can manage the recovery keys for macOS systems that are encrypted with FileVault. When a Personal Recovery Key is configured, the SEE FileVault client uploads it to the SEE Management Server. This uploaded key is a critical component for recovery.
If a user forgets the passphrase and SEE FileVault was used, the end user can call the helpdesk, which can provide a recovery key to unlock the system and configure a new macOS password.
For information on how to install the SEE FileVault client, see article X.
For information on how to use a Symantec Encryption Management Server Helpdesk recovery, see article X.
This article walks through the recovery flow.
See the following articles for additional information related to this topic:
First, when a system is encrypted, the system does not look or behave much differently than a non-encrypted system. However, if you have encrypted the system, you’ll have some additions:
In the above screenshot, click the little arrow icon.
TIP: If you don't see the option to enter a recovery key, click the Question Mark "?" icon in the login field and see if this will help you proceed.
Next, the Recovery Key
Once the recovery key is entered, you will be prompted to enter a new password to reset the macOS password for the user. Note that this will only work for a local user account. You cannot reset an Active Directory account with a recovery key. This is the case whether or not Endpoint Encryption is installed:
Once the password has been entered and the user logs in, a new Personal Recovery Key (PRK) will be generated. SEE FileVault will prompt the user for the new password that was just entered, and this new PRK will then be sent to the Symantec Encryption Management Server:
As mentioned in the screenshot above, it is very important for the user to enter the macOS password. If it is not entered, no Personal Recovery Key will be sent to the SEE Management Server, which will prevent further recovery from happening. It is highly recommended that the end user enter the passphrase here.