Skip to main content

As I have been deploying an update script (erase-install) for users to upgrade to Ventura, I have begun to notice that some users are not Volume Owners and therefore unable to perform the upgrade themselves.

Some background:

  • This does not occur on all machines, approximately 5% of them.
  • All of the machines in question were initially set up with a local admin user, then added to Jamf via the user-initiated enrollment process.
  • The machines are all AD binded
  • The non-volume owner users in question are mobile accounts that are created after all of the above takes place.

One interesting thing I noticed all of the affected machines have in common is that they all list the non-volume owners as not having FileVault 2 enabled. However, the local admin account as well as every other account on every Jamf enrolled machine in our inventory, lists FileVault 2 as being enabled  - even though FileVault is not turned on an any of those machines. I'm not sure if FileVault Enabled: Yes (Admin Center) = FileVault On (Mac), but none of them are actually On. The No indicator for FileVault  is one thing all of the affected users have in common.

I'm not sure why the users are not being created as Volume Owners, and I was unable to find any information as to how to possibly make these users Volume Owners, which I need to do. We are scheduled to begin using Jamf Connect in the next couple of months which I'm hoping will streamline our process, but I'm hoping to both resolve this issue and prevent it from happening in the interim.

I did find posts from folks experiencing a similar issue, but nothing in terms of a solution:

https://community.jamf.com/t5/jamf-pro/unable-to-update-m1s-to-ventura/m-p/279596

https://community.jamf.com/t5/jamf-nation/software-update-failing-quot-you-need-to-be-the-owner-to-install/m-p/262048

Thanks in advance for any insight or help.

Is the Bootstrap Token escrowed on these devices?

Is the Bootstrap Token escrowed on these devices?


On the latest machine I found with the issue, I did run:

sudo profiles install -type bootstraptoken

but that didn't resolve the issue of the already created mobile user account not being a Volume Owner.

However, in hindsight, I suppose I should have first checked the status by running:

sudo profiles status -type bootstraptoken

 I can look at one of the other machines this week to see the status. But why would the the token not be escrowed through Jamf on these machines?

On the latest machine I found with the issue, I did run:

sudo profiles install -type bootstraptoken

but that didn't resolve the issue of the already created mobile user account not being a Volume Owner.

However, in hindsight, I suppose I should have first checked the status by running:

sudo profiles status -type bootstraptoken

 I can look at one of the other machines this week to see the status. But why would the the token not be escrowed through Jamf on these machines?


Generally, the Bootstrap token gets automatically uploaded during login from a user that has a Secure Auth Token.  Mobile Accounts generally don't have one by default, so there's a chance that's what caused your issue.

The good news is that once the token has been uploaded, it'll provide Secure Auth and Volume Ownership during the login step on the machines going forward.

Generally, the Bootstrap token gets automatically uploaded during login from a user that has a Secure Auth Token.  Mobile Accounts generally don't have one by default, so there's a chance that's what caused your issue.

The good news is that once the token has been uploaded, it'll provide Secure Auth and Volume Ownership during the login step on the machines going forward.


I was able to test on another machine, and yes, you're absolutely right about the tokens being escrowed to all users after running the install command.

I first checked the status of the token:

sudo profiles status -type bootstraptoken

Results:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

Next I ran the install command:

sudo profiles install -type bootstraptoken

Checked again using the status command, and got these results:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

Once the user logged in again, I could see within Jamf Admin that the user was now a Volume Owner User.

This also changed their Filevault 2 Enabled status to Yes, which I still don't quite understand because that is not turned On. But that is a question for another day and another thread.

 

I was able to test on another machine, and yes, you're absolutely right about the tokens being escrowed to all users after running the install command.

I first checked the status of the token:

sudo profiles status -type bootstraptoken

Results:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

Next I ran the install command:

sudo profiles install -type bootstraptoken

Checked again using the status command, and got these results:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

Once the user logged in again, I could see within Jamf Admin that the user was now a Volume Owner User.

This also changed their Filevault 2 Enabled status to Yes, which I still don't quite understand because that is not turned On. But that is a question for another day and another thread.

 


we have also been sturggling with this in our enviorment I confused by this 

"I could see within Jamf Admin that the user was now a Volume Owner User" is this record somewhere as I can find it within a computer record

we have also been sturggling with this in our enviorment I confused by this 

"I could see within Jamf Admin that the user was now a Volume Owner User" is this record somewhere as I can find it within a computer record


Hi @tdenton,

I found a wonderful Extension Attribute script written by bp88 that allows me to see Volume Owners on an Apple Silicon machine.

You can find it here: https://github.com/bp88/Jamf-Pro-Extension-Attributes/blob/master/Volume%20Owner%20Users.sh 

Reply


Terms & ConditionsCookie settings