What should be escrowed in MDM for resetting the password on a user's FileVault-encrypted Mac?

Prepare for the Apple Deployment and Management Exam. Utilize flashcards and multiple choice questions, each complete with hints and explanations. Get exam-ready!

The correct choice is to escrow a personal recovery key when managing password resets on a user's FileVault-encrypted Mac. FileVault is a disk encryption program available in macOS, which uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to information on the startup disk.

When using FileVault, users are generally provided with a personal recovery key during the encryption setup. This recovery key is a crucial component of data recovery; it allows users to regain access to their data if they forget their password or if their account is otherwise inaccessible. By escrowing the personal recovery key in a Mobile Device Management (MDM) system, IT administrators can securely store it and retrieve it when necessary to assist users in resetting their passwords or recovering access to their encrypted disks.

In this scenario, having access to the personal recovery key means that administrators can help users regain access without needing to compromise the security of the data on the device. This underscores the important role of personal recovery keys in ensuring data security while also providing an avenue for recovery in a managed environment.
