@mdmike
In simpler terms, you have three options when forcing FileVault for your computers:
(1) Institutional Recovery Key (the IT department holds the code)
(2) Institutional & Personal (the IT department holds the code & the user of the device)
(3) Personal (user only holds the code)
From what it sounds like, you want the IT department to hold the code. It is as simple as pushing out the following configuration and entering a password:
If you ever need to decrypt a device you will use the instructions in this article here. Basically, you are using the downloaded recovery certificate from that configuration above.
From a security standpoint, this is very secure. Yes, the same certificate can be used to unlock the device, but nobody besides IT should ever have access to this certificate. If this is a big concern you could push out individual profiles to each device.
I hope that helps clarify things,
Jared
Did this help? Click the kudos (the up arrow) button.
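A fleet check to go with the three options above, as an added example that is not part of Jared's reply or of any Jamf-provided script: it classifies a Mac into institutional-only, institutional plus personal, or personal-only from the answers `fdesetup` gives, so IT can confirm the institutional key it pushed out is actually in place before relying on the recovery certificate. It assumes the usual macOS `fdesetup` output formats ("FileVault is On." / "FileVault is Off." for `status`, and "true" / "false" for `hasinstitutionalrecoverykey` and `haspersonalrecoverykey`); the sample outputs at the bottom are constructed so the script runs on any shell, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies a Mac's FileVault
# recovery-key setup and flags machines where IT holds no key.
# Assumed fdesetup output formats (macOS, run as root):
#   fdesetup status                      -> "FileVault is On." / "FileVault is Off."
#   fdesetup hasinstitutionalrecoverykey -> "true" / "false"
#   fdesetup haspersonalrecoverykey      -> "true" / "false"

# classify_recovery_keys STATUS INSTITUTIONAL PERSONAL
# Prints one of: off | institutional | institutional+personal | personal | none
classify_recovery_keys() {
    status="$1"; inst="$2"; pers="$3"
    case "$status" in
        *"FileVault is On"*) ;;            # encrypted: go on to look at the keys
        *) echo "off"; return 0 ;;         # not encrypted (or still turning on)
    esac
    case "$inst/$pers" in
        true/true)  echo "institutional+personal" ;;   # option (2)
        true/false) echo "institutional" ;;            # option (1)
        false/true) echo "personal" ;;                 # option (3)
        *)          echo "none" ;;                     # encrypted, but no escrowed key at all
    esac
}

# it_holds_key CLASS -> exit 0 only when the institutional certificate can unlock the volume
it_holds_key() {
    case "$1" in
        institutional|institutional+personal) return 0 ;;
        *) return 1 ;;
    esac
}

# report_host CLASS HOSTNAME -> one line suitable for a log or an extension attribute
report_host() {
    if it_holds_key "$1"; then
        echo "OK: $2 recovery keys=$1"
    else
        echo "WARNING: $2 recovery keys=$1 (IT cannot recover this volume)"
    fi
}

# Constructed sample outputs standing in for three different Macs:
report_host "$(classify_recovery_keys "FileVault is On." true false)" "mac-01"
report_host "$(classify_recovery_keys "FileVault is On." true true)"  "mac-02"
report_host "$(classify_recovery_keys "FileVault is On." false true)" "mac-03"

# On a real Mac, replace the constructed values with the live commands:
#   report_host "$(classify_recovery_keys "$(fdesetup status)" \
#       "$(fdesetup hasinstitutionalrecoverykey)" "$(fdesetup haspersonalrecoverykey)")" "$(hostname)"
```

Run from a Jamf policy or as an extension attribute, the "personal" and "none" cases are the ones to chase: those are the machines the downloaded recovery certificate will not unlock. Note that `fdesetup` only tells you whether an institutional key exists, not which certificate it was created from, so a device enrolled before the profile was changed can still report "institutional" while matching an older certificate.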