Question

Ensuring Bootstrap Tokens are Enabled and Functional on macOS 10.15 or above

Forum|Forum|5 years ago
August 7, 2020
28 replies
554 views

+8

kyle_erickson
Contributor

I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10.15. Particularly, we were running Jamf Pro 10.23.0 but were still seeing our devices show that tokens were not supported on the server.

Checking the status:
sudo profiles status -type bootstraptoken

Results:
profiles: Bootstrap Token supported on server: NO

Our devices met all the requirements, namely:
1. Registered in Apple Business / School Manager
2. Enrolled via pre-stage enrollment.
3. Running macOS 10.15.4 or later.
4. Enrolled after Jamf was upgraded to 10.18.0

The issue was that an undocumented requirement (possibly a bug) is that the pre-stage enrollment must have the following option checked:

Prevent user from enabling Activation Lock

Once changed, we were able to fix existing devices by issuing the Remove MDM Profile command, then on the device enrolling again with the following command:

sudo profiles renew -type enrollment

Once the device re-enrolled the results showed as expected that the tokens were supported, and we were able to manually install the bootstrap token with the following command:

sudo profiles install -type bootstraptoken

Hopefully that helps someone else!

Show first post

1
2

Forum|pagination.label 2 / 2

+9

wakco11
Valued Contributor
Forum|Forum|2 years ago
March 14, 2023

Is there a specific solution in that thread you found useful?

I actually posted in that thread, the link is supposed to take you to it, however it seems the page no longer wants to do that.

Like

S

+7

SFRANCIS004
Contributor
Forum|Forum|2 years ago
July 17, 2023

We don't use pre-stage enrollment for classroom computers. Has anyone been successful in getting bootstrap tokens to work via user-initiated enrollment?

Like

K

+8

kyle_erickson
Author
Contributor
Forum|Forum|2 years ago
July 17, 2023

We don't use pre-stage enrollment for classroom computers. Has anyone been successful in getting bootstrap tokens to work via user-initiated enrollment?

Yes, it should work after the device is enrolled and a user with a secure token logs in. We have a workflow right now though to create and grant an administrative user a secure token, and we're using that account with the commands I originally put above to add the bootstrap token. That said, you really need to look at getting your devices into Apple School/Business Manager and using a pre-stage. There are quite a few things that are more challenging without it.

Like

1
2

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded