Question

Bootstrap Tokens and Secure Tokens

  • January 21, 2026
  • 2 replies
  • 194 views


We are currently using a pre-stage created managed account and the LAPS process for passwords on that account. Since we use Jamf Connect, we have ‘skip account creation step’ turned on.

I am finding that this account is not getting the bootstrap token escrowed or a secure token after MDM enrollment. 

Is this intended? How can I change this? 

Ideally, I’d like to have a hands off option that doesn’t require a manual installation so that we always have the bootstrap token escrowed and a secure token on our managed account. 

What am I missing in this step? I am finding when we do need to use the local admin account, it’s not able to take some actions, like install a new OS.

2 replies

h1431532403240

Yes, this is expected behavior.

Why it can't install macOS: On Apple silicon Macs, installing macOS updates requires the account to be a volume owner. Volume ownership is granted along with the secure token. Since your managed admin doesn't have a secure token, it's not a volume owner and cannot authorize macOS installations.

Why no secure token: The managed admin created by PreStage exists before any user logs in. Secure tokens are only granted to the first user who completes Setup Assistant — which is the Jamf Connect-created user. The bootstrap token is escrowed at that point.

Solution: After the Jamf Connect user logs in (which escrows the bootstrap token), have your managed admin log in once interactively. macOS will automatically request the bootstrap token from Jamf Pro, grant the secure token, and make the managed admin a volume owner — allowing it to install macOS updates.

Reference: Use secure token, bootstrap token, and volume ownership in deployments


  • Author
  • Contributor
  • February 20, 2026


I appreciate the reply, but this has not been working in practice. 

The first user logs in via Jamf Connect using our SSO. That user is an admin because they are in a group that allows for it. They do not get a secure token, but Jamf shows the bootstrap token is escrowed.

Then, I log in using the PreStage admin account. It also is not being granted the secure token.

Now, no one has a secure token despite having a first logged in user, but the bootstrap is escrowed.

We do prevent FileVault from being enabled.
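The first reply ties three states together (per-account secure token, bootstrap token escrow, APFS volume ownership), and the follow-up describes a Mac where escrow reads YES while no local account holds a token. The audit below is an added example, not code from this thread, from Jamf or from Apple: it reports all three states from the real macOS tools (`sysadminctl -secureTokenStatus`, `profiles status -type bootstraptoken`, `diskutil apfs listUsers /`, `dscl`), so the result of each login attempt can be verified instead of inferred. The parsers take tool output as an argument so they can be exercised offline; the user names, UUIDs and sample outputs are constructed for illustration and are not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread, Jamf or Apple): audit secure token,
# bootstrap token escrow and volume ownership on a Mac.
# Usage on a Mac (root needed for `profiles status`):
#   sudo sh audit_tokens.sh jdoe mgmtadmin
# Each parser takes the tool's text output as $1 so it can be tested offline.

# `sysadminctl -secureTokenStatus <user>` logs its verdict to stderr.
# Prints ENABLED, DISABLED or UNKNOWN (e.g. user does not exist).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# `profiles status -type bootstraptoken` prints one line per property.
# Prints YES only when the "escrowed to server" line says YES.
bootstrap_escrowed() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*escrowed to server: *//p' | head -n 1)
    if [ "$v" = "YES" ]; then echo YES; else echo NO; fi
}

# `diskutil apfs listUsers /` lists cryptographic users as "+-- <UUID>"
# blocks; print the UUID of every block marked "Volume Owner: Yes".
volume_owner_uuids() {
    printf '%s\n' "$1" | awk '
        /^[+]-- /                         { uuid = $2 }
        /Volume Owner: *Yes/ && uuid != "" { print uuid; uuid = "" }'
}

# Number of volume owners in listUsers output.
volume_owner_count() {
    volume_owner_uuids "$1" | awk 'END { print NR }'
}

# Live audit: one line per account, then escrow state and owner list.
# A user's GeneratedUID (from dscl) is the UUID diskutil shows for it.
run_audit() {
    du=$(diskutil apfs listUsers / 2>&1)
    for u in "$@"; do
        st=$(sysadminctl -secureTokenStatus "$u" 2>&1)
        guid=$(dscl . -read "/Users/$u" GeneratedUID 2>/dev/null | awk '{ print $2 }')
        owner=NO
        if [ -n "$guid" ] && volume_owner_uuids "$du" | grep -qix "$guid"; then
            owner=YES
        fi
        printf '%-20s secure token: %-8s volume owner: %s\n' \
            "$u" "$(secure_token_state "$st")" "$owner"
    done
    bt=$(profiles status -type bootstraptoken 2>&1)
    printf 'bootstrap token escrowed: %s\n' "$(bootstrap_escrowed "$bt")"
    printf 'volume owners (%s):\n' "$(volume_owner_count "$du")"
    volume_owner_uuids "$du" | sed 's/^/  /'
}

# Constructed sample outputs (not captured from a real Mac), shaped like the
# follow-up: the Jamf Connect user has no token, escrow reads YES, and the
# only volume owner is the escrowed bootstrap token key.
SAMPLE_TOKEN_OFF='2026-01-21 09:12:03.117 sysadminctl[1432:22017] Secure token is DISABLED for user jdoe'
SAMPLE_TOKEN_ON='2026-01-21 09:12:03.118 sysadminctl[1433:22018] Secure token is ENABLED for user mgmtadmin'
SAMPLE_BOOTSTRAP='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_LISTUSERS='Cryptographic users for disk3s1 (2 found)
|
+-- 2B6F0F4E-7F5B-4E8C-9F3E-6A1D2C3B4A55
|   Type: MDM Bootstrap Token External Key
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User
    Volume Owner: No'

# Only touch the real tools on macOS and when account names were given.
if [ "$(uname)" = "Darwin" ] && [ "$#" -gt 0 ]; then
    run_audit "$@"
fi
```

Run it with the PreStage admin and the Jamf Connect user as arguments after each of the two logins the reply describes; if the escrow line says YES but neither account reports ENABLED and neither appears among the volume owners, the interactive login did not trigger the bootstrap-token grant, and that is the state to take to Jamf support rather than retrying logins.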