Manually Leveraging Apple's Bootstrap Token Functionality

Bootstrap Token eliminates the need to request additional authentication information when a network user logs in to a computer with a mobile account that does not yet have a SecureToken. Jamf Pro can automatically escrow Bootstrap Tokens sent by computers with macOS 10.15 or later that were enrolled using a PreStage enrollment whose Local User Account Type is configured as an administrator account.

If the local user account is not configured as an administrator, or the computer was enrolled prior to Jamf Pro 10.18.0, you can manually create the Bootstrap Token on the computer and escrow it so that Jamf Pro stores the token.
Note:

If a PreStage enrollment is configured to create an additional local administrator account during enrollment, that account is also eligible to receive the Bootstrap Token when it logs in to a computer.

After the Bootstrap Token is escrowed, the computer requests it from Jamf Pro any time a mobile account without a SecureToken logs in. The computer then uses the Bootstrap Token to automatically generate a SecureToken for the mobile account. Once the user has a SecureToken, the account can be used for macOS services that require cryptographic privileges, such as FileVault authentication. Because the escrowed token can grant SecureToken to further accounts, treat it as a high-value secret and restrict access to the Jamf Pro server and its backups accordingly. You can manually verify that Jamf Pro has escrowed a Bootstrap Token after the computer enrolls with Jamf Pro.

Note:

Bootstrap Tokens are also used to authorize kernel extensions and software updates on Mac computers with Apple silicon.

Creating and Escrowing the Bootstrap Token

Requirements
  • Computers with macOS 10.15 or later enrolled with Jamf Pro 10.18.0 or later via a PreStage enrollment
    Note:

    If a computer was enrolled prior to Jamf Pro 10.18.0, you must upgrade to Jamf Pro 10.19.0 or later.

  • Administrator account with SecureToken
    Note:

    This account is generally the first account created in the Setup Assistant, or the first administrator to log in to the computer. For more information about managing SecureToken status, see the following article from Apple's support website:

    "Using command-line tools" (Apple support article on managing SecureToken and Bootstrap Token)

If the Local User Account Type setting in the Account Settings payload of the PreStage enrollment was configured with the Skip Account Creation or the Standard Account option, do the following:

  1. Create and escrow the Bootstrap Token on the target computer by logging in to the enrolled computer as the SecureToken-enabled administrator and executing the following command:
    sudo profiles install -type bootstraptoken
  2. When prompted, enter the username and password of the SecureToken-enabled administrator. The command fails if the account supplied does not hold a SecureToken.

Verifying Jamf Pro Has Escrowed a Bootstrap Token

You can log in to the computer as the administrator and execute the following command to ensure that Jamf Pro has escrowed the Bootstrap Token:

sudo profiles status -type bootstraptoken

If Jamf Pro has escrowed the Bootstrap Token, the following is returned (a "NO" on the second line means the token has not been escrowed and the escrow step above must be repeated):

profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: YES
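The escrow and verification steps above are typed interactively. The following script is an added example, not part of Jamf's documentation, that wraps the same two Apple commands (`profiles status -type bootstraptoken` and `sysadminctl -secureTokenStatus`) into a check suitable for a Jamf extension attribute or a pre-flight script: it classifies the `profiles` output as escrowed, not escrowed, or unsupported, and confirms the chosen administrator actually holds a SecureToken before you attempt the escrow. The function and status names are this example's own; the output strings it matches are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not Jamf or Apple code): classify Bootstrap Token escrow
# state and check SecureToken status before a manual escrow.

# parse_bootstrap_status reads `profiles status -type bootstraptoken` output
# on stdin and prints ESCROWED, NOT_ESCROWED, UNSUPPORTED or UNKNOWN.
# The matched lines are the ones documented above:
#   profiles: Bootstrap Token is supported on server: YES
#   profiles: Bootstrap Token escrowed on server: YES
parse_bootstrap_status() {
  supported=""
  escrowed=""
  while IFS= read -r line; do
    case "$line" in
      *"supported on server: YES"*) supported=YES ;;
      *"supported on server: NO"*)  supported=NO ;;
      *"escrowed on server: YES"*)  escrowed=YES ;;
      *"escrowed on server: NO"*)   escrowed=NO ;;
    esac
  done
  if [ "$supported" = NO ]; then
    echo UNSUPPORTED          # MDM server does not support escrow at all
  elif [ "$escrowed" = YES ]; then
    echo ESCROWED
  elif [ "$escrowed" = NO ]; then
    echo NOT_ESCROWED         # run: sudo profiles install -type bootstraptoken
  else
    echo UNKNOWN              # output did not match; inspect it by hand
  fi
}

# bootstrap_status runs the real command (macOS only) and classifies it.
bootstrap_status() {
  profiles status -type bootstraptoken 2>&1 | parse_bootstrap_status
}

# secure_token_enabled USER returns 0 when sysadminctl reports the account's
# SecureToken as ENABLED; only such an account can perform the escrow step.
secure_token_enabled() {
  sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q "Secure token is ENABLED"
}

# Extension-attribute style output; skipped on systems without `profiles`.
if command -v profiles >/dev/null 2>&1; then
  admin="${1:-$(stat -f %Su /dev/console)}"   # default: console user
  if secure_token_enabled "$admin"; then
    tokstate="SecureToken ENABLED for $admin"
  else
    tokstate="SecureToken NOT enabled for $admin (cannot escrow from this account)"
  fi
  echo "<result>$(bootstrap_status); $tokstate</result>"
fi
```

Run it as root on the enrolled Mac, optionally passing the administrator's short name as the first argument. A NOT_ESCROWED result paired with "SecureToken ENABLED" is the exact situation the manual `profiles install -type bootstraptoken` step resolves; "SecureToken NOT enabled" means you must pick a different account first. The profiles(1) man page also documents -user and -password options for running the install non-interactively; if you use them, do not embed the password in a policy script where it would be readable in process listings or logs.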