First, you'll need to to go to
Settings -> Computer Management -> Disk Encryption Configurations and create a configuration.
We use Individual Recovery Keys, as Institutional will give each computer the same key. If it gets cracked or otherwise figured out, all of our computers' encryption would be essentially useless.
After this you need to create a policy to enable FileVault. Once this policy is applied, the key will be stored in the device record.
My understanding is it has to be managed with a disk encryption profile OR a configuration profile and then deployed with a policy.