Skip to main content

Can someone help me out creating a way to automate this manual solution process? (Full story found in Macadmins Slack)

Issue: On many computers I find that after I type 

 

sudo profiles status -type bootstraptoken

 

it echo's back:

 

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

 

I proceed with typing:

 

diskutil apfs listCryptoUsers /

 

 

 

I verify that ALL users are Volume Owners. Good right? NO. Finally I type:

 

 

sudo profiles validate -type bootstraptoken

 

It echos back:

 

profiles: Bootstrap Token supported on server: NO

 


Manual solution: I need to go onto each computer and type

 

sudo profiles validate -type bootstraptoken -user INSERTUSR -pass INSERTPW

 

 and then identify that the echo'd line says "NO":

 

profiles: Bootstrap Token supported on server: NO

 

Once identifying is complete and found a 'NO', I type:

 

sudo profiles remove -type bootstraptoken -user INSERTUSR -pass INSERTPW

 

What echo's back is 

 

profiles: Bootstrap Token clearing on server...
profiles: Unable to clear Bootstrap Token (500)
profiles: Error returned = 500

 

I checked the current status:

 

sudo profiles status -type bootstraptoken

 

it echo's back:

 

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

 

I proceeded with logging out and logging back in (not a restart) and then typed:

 

sudo profiles status -type bootstraptoken

 

 It Echos back:

 

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

 

I go a step further because I needed to in the past to TRULY validate the Bootstrap token: 

 

sudo profiles validate -type bootstraptoken -user INSERTUSR -pass INSERTPW

 

 and it echos back:

 

profiles: Bootstrap Token escrowed on server: YES
profiles: Bootstrap Token validated.

 

Could create an extension attribute for the bootstrap token:

#!/usr/bin/env bash

export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin



# Checks on if the bootstrap token is supported and escrowed by MDM



# Validating minimum OS version for attribute (10.15.0 or later)

OSVersion=$(sw_vers -productVersion)

OSVersionMajor=$(echo $OSVersion | cut -d '.' -f 1)

OSVersionMinor=$(echo $OSVersion | cut -d '.' -f 2)

if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then

    echo "<result>Collected for macOS 10.15.0 or later</result>"

    exit 0

fi





StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)



if [[ -n $StatusBootstrapToken ]]; then

    Supported='supported on server: YES'

    Escrowed='escrowed to server: YES'

    if [[ "$StatusBootstrapToken" == *"$Supported"* ]] && [[ "$StatusBootstrapToken" == *"$Escrowed"* ]]; then

        Result="Escrowed"

    elif [[ "$StatusBootstrapToken" == *"$Supported"* ]]; then

        Result="Supported"

    else

        Result="Not Supported"

    fi

fi



echo "<result>$Result</result>"


Then if it's not could just automatically install it again:

#!/usr/bin/env bash

profiles install -type bootstraptoken

 

Reply


Terms & ConditionsCookie settings