+5I've noticed recently that a number of our brand new deploy machines are getting their bootstrap token escrowed properly but when the user logs on for the first time, they're not getting a secure token -- meaning we have to then manually grant a secure token using a known account which has one.
Any ideas why JAMF isn't issuing secure tokens to new users?
+26Bootstrap Token ≠ Secure Token, and Jamf does not have the capability to grant Secure Tokens to users by design of Apples framtworks, macOS does this in and of itself.
How to issue Secure Tokens:
Note: You cannot use a Bootstrap Token to generate a Secure Token. Only an account with a Secure Token, can give another account a Secure Token. The general concept of Secure Tokens is to in fact limit Bootstrap Tokens functionality.
+5Errr ... the whole point of a Bootstrap Token is to grant a Secure Token to the user.
See the definition of Bootstrap Token:-
"An MDM-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token is used to help with granting a secure token to both mobile accounts and to the optional device enrolment-created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts."
+26Errr ... the whole point of a Bootstrap Token is to grant a Secure Token to the user.
See the definition of Bootstrap Token:-
"An MDM-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token is used to help with granting a secure token to both mobile accounts and to the optional device enrolment-created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts."
Bah, I crossed bootstrap token and root. Mobile Accounts require domain binding, most people don't do that anymore and I honestly was not thinking about that. However, yes if you domain bind every mobile account should bet a Secure Token.
That article does tell you what MDM can do with Secure Tokens all though not very clearly. MDM can deploy OS updates and use the Erase All Contents and Setting Command. MDM cannot grant users Secure Tokens, Secure Tokens are granted through the methods I mentioned before.
For a Mac with macOS 11 or later, the bootstrap token may also be used for more than just granting secure tokens to existing user accounts. On a Mac computer with Apple silicon, the bootstrap token—if available and when managed using MDM—can be used to:
For a Mac with macOS 10.15.4 or later, when a user who is secure token enabled logs in for the first time, a bootstrap token is generated and escrowed to MDM. A bootstrap token can also be generated and escrowed to MDM using the
profilescommand-line tool, if needed.
Create new users when they first log in with Platform SSO (macOS 13 or later).
Silently authorize an Erase All Content and Settings MDM command (macOS 12.0.1 or later).
Authorize the installation of software updates.
+5Yeah, I guess it’s just unreliable. I’ll just have to check when the user logs in for the first time to ensure they receive a secure token. So many admins I talk to (myself included) hate secure tokens and end up spending more time fixing issues than they’re worth.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.