Manually Leveraging Apple's Bootstrap Token Functionality
Bootstrap Token eliminates the need to request additional authentication information when a network user logs in to a computer with a mobile account and the account does not have a SecureToken associated with it. Jamf Pro can automatically escrow Bootstrap Tokens sent by computers with macOS 10.15 or later enrolled using a PreStage enrollment that has been configured with the local user account on the computer as the administrator.
If a PreStage enrollment is configured to create an additional local administrator account during enrollment, that account is also eligible to receive the Bootstrap Token when it logs in to a computer.
After the Bootstrap Token is escrowed, it is requested from Jamf Pro any time a mobile account without a SecureToken logs in to a computer. The computer then uses the Bootstrap Token to automatically generate a SecureToken for the mobile account. After the user is issued a SecureToken, their account can be used for macOS services that require cryptographic privileges, such as FileVault authentication. You can manually verify that Jamf Pro has escrowed Bootstrap Tokens after the computer enrolls with Jamf Pro.
Bootstrap Tokens are also used to authorize kernel extensions and software updates on Mac computers with Apple silicon.
Creating and Escrowing the Bootstrap Token
- Computers with macOS 10.15 or later enrolled with Jamf Pro 10.18.0 or later via a PreStage enrollment
  Note: If a computer was enrolled prior to Jamf Pro 10.18.0, you must upgrade to Jamf Pro 10.19.0 or later.
- Administrator account with SecureToken
  Note: This account is generally the first account created in the Setup Assistant, or the first administrator to log in to the computer. For more information about managing SecureToken status, see the following article from Apple's support website:
If the Local User Account Type setting in the Account Settings payload of the PreStage enrollment was configured with the Skip Account Creation or the Standard Account option, do the following:
Verifying Jamf Pro Has Escrowed a Bootstrap Token
You can log in to the computer as the administrator and execute the following command to ensure that Jamf Pro has escrowed the Bootstrap Token:
sudo profiles status -type bootstraptoken
If Jamf Pro has escrowed the Bootstrap Token, the following is returned:
profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: YES
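The check above can be scripted so that escrow status is collected the same way on every Mac. The following is an added example, not part of the original page or Jamf's own tooling; the function names, the state words it prints, and the `NO` sample lines are assumptions of this example (only the two `YES` lines come from the page).

```shell
#!/bin/sh
# Added example: classify the output of `profiles status -type bootstraptoken`.
# State words (escrowed, not-escrowed, unsupported, unknown) are this example's own.

# Reads profiles output on stdin and prints exactly one state word.
bootstrap_token_state() {
    supported=""; escrowed=""
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            # The text between the key phrase and ": YES"/": NO" is matched loosely.
            *"Bootstrap Token is supported"*": YES"*) supported=yes ;;
            *"Bootstrap Token is supported"*": NO"*)  supported=no ;;
            *"Bootstrap Token escrowed"*": YES"*)     escrowed=yes ;;
            *"Bootstrap Token escrowed"*": NO"*)      escrowed=no ;;
        esac
    done
    if [ "$supported" = no ]; then
        echo unsupported
    elif [ "$supported" = yes ] && [ "$escrowed" = yes ]; then
        echo escrowed
    elif [ "$supported" = yes ] && [ "$escrowed" = no ]; then
        echo not-escrowed
    else
        echo unknown   # error text, empty output, or only one of the two lines
    fi
}

# Constructed samples: the YES lines are from the page, the NO line is assumed.
SAMPLE_OK='profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: YES'
SAMPLE_MISSING='profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: NO'

# Runs the real command; needs root, like the sudo invocation above.
check_host() {
    out=$(profiles status -type bootstraptoken 2>&1) || true
    printf '%s\n' "$out" | bootstrap_token_state
}

if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    echo "this host: $(check_host)"
else
    echo "sample (escrowed): $(printf '%s\n' "$SAMPLE_OK" | bootstrap_token_state)"
    echo "sample (missing):  $(printf '%s\n' "$SAMPLE_MISSING" | bootstrap_token_state)"
fi
```

Treat `unknown` as a failure when reporting: it means the two expected lines were not both present, so escrow has not been confirmed.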
Additional Information
For more information about the Bootstrap Token on macOS, see the following resources in Apple Platform Deployment:
For more information about using the bootstrap token to manage software updates, see Managing software updates for Apple devices in Apple Platform Deployment.