Bootstrap Token Escrowed but New Users Not Granted Secure Token

eaititig
New Contributor III

I've noticed recently that a number of our brand new deploy machines are getting their bootstrap token escrowed properly but when the user logs on for the first time, they're not getting a secure token -- meaning we have to then manually grant a secure token using a known account which has one.

Any ideas why JAMF isn't issuing secure tokens to new users?


3 REPLIES

AJPinto
Esteemed Contributor

Bootstrap Token ≠ Secure Token, and Jamf does not have the capability to grant Secure Tokens to users by design of Apple's frameworks; macOS does this in and of itself.

How to issue Secure Tokens:

  • The first account to log in to macOS will automatically be issued a Secure Token.
  • Admin accounts are issued Secure Tokens as they log in, even if they are not the first account to log in.
  • Standard accounts must be manually granted a Secure Token if they are not the first account to log in to macOS.

Note: You cannot use a Bootstrap Token to generate a Secure Token. Only an account with a Secure Token can give another account a Secure Token. The general concept of Secure Tokens is in fact to limit Bootstrap Tokens' functionality.

eaititig
New Contributor III

Errr ... the whole point of a Bootstrap Token is to grant a Secure Token to the user.

See the definition of Bootstrap Token:-

"An MDM-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token is used to help with granting a secure token to both mobile accounts and to the optional device enrolment-created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts."


AJPinto
Esteemed Contributor

Bah, I crossed bootstrap token and root. Mobile Accounts require domain binding; most people don't do that anymore and I honestly was not thinking about that. However, yes, if you domain bind, every mobile account should get a Secure Token.


That article does tell you what MDM can do with Secure Tokens, although not very clearly. MDM can deploy OS updates and use the Erase All Content and Settings command. MDM cannot grant users Secure Tokens; Secure Tokens are granted through the methods I mentioned before.


For a Mac with macOS 10.15.4 or later, when a user who is secure token enabled logs in for the first time, a bootstrap token is generated and escrowed to MDM. A bootstrap token can also be generated and escrowed to MDM using the profiles command-line tool, if needed.

For a Mac with macOS 11 or later, the bootstrap token may also be used for more than just granting secure tokens to existing user accounts. On a Mac computer with Apple silicon, the bootstrap token—if available and when managed using MDM—can be used to:

  • Create new users when they first log in with Platform SSO (macOS 13 or later).
  • Silently authorize an Erase All Content and Settings MDM command (macOS 12.0.1 or later).
  • Authorize the installation of software updates.
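The thread above covers two separate checks an admin ends up doing by hand: whether the Bootstrap Token was actually escrowed to MDM (the profiles command-line tool mentioned in the last reply) and whether a given account holds a Secure Token, plus the manual grant from a known account that AJPinto's first reply describes. The script below is an added example, not code from this thread, from Jamf, or from Apple. It assumes a Mac with profiles(1) and sysadminctl(8); the function names are hypothetical, and the parse_* helpers take captured tool output so they can be exercised off a Mac with the constructed sample lines shown in the comments.

```bash
#!/bin/bash
# Added example (hypothetical helper names, not Jamf/Apple code).
# Checks Bootstrap Token escrow and Secure Token status on a Mac and, when a
# new standard user came up without a token, grants one from an account that
# already has one. Requires macOS for the live wrappers; the parse_* functions
# work anywhere and are fed constructed sample output in the comments below.

# `profiles status -type bootstraptoken` prints lines such as (constructed sample):
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
# Prints "escrowed", "not-escrowed", "unsupported" or "unknown" for that output.
parse_bootstrap_status() {
    case "$1" in
        *"supported on server: NO"*) echo unsupported ;;
        *"escrowed to server: YES"*) echo escrowed ;;
        *"escrowed to server: NO"*)  echo not-escrowed ;;
        *)                           echo unknown ;;
    esac
}

# `sysadminctl -secureTokenStatus <user>` prints one line on stderr, e.g.
# (constructed sample):
#   sysadminctl[812:4412] Secure token is ENABLED for user alice
# Prints "enabled", "disabled" or "unknown" for that output.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo enabled ;;
        *"Secure token is DISABLED for user"*) echo disabled ;;
        *)                                     echo unknown ;;
    esac
}

# Live wrappers (macOS only). Both tools write their status text to stderr,
# hence the 2>&1.
bootstrap_status() {
    parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)"
}

secure_token_status() {
    parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a Secure Token to $1 using the already-tokened account $2.
# Passwords are requested interactively ("-") rather than passed as
# arguments, so they never land in `ps` output, shell history or a policy log.
# Returns 0 only if the target ends up with a token.
grant_secure_token() {
    local target="$1" admin="$2"
    if [ "$(secure_token_status "$target")" = enabled ]; then
        echo "$target already has a Secure Token"
        return 0
    fi
    if [ "$(secure_token_status "$admin")" != enabled ]; then
        echo "$admin has no Secure Token and therefore cannot grant one" >&2
        return 1
    fi
    sysadminctl -secureTokenOn "$target" -password - \
                -adminUser "$admin" -adminPassword -
    [ "$(secure_token_status "$target")" = enabled ]
}

# Usage on a Mac: sudo ./secure-token-check.sh <new-user> <known-tokened-admin>
if [ "$#" -eq 2 ] && [ "$(uname)" = Darwin ]; then
    echo "Bootstrap Token: $(bootstrap_status)"
    grant_secure_token "$1" "$2"
fi
```

Note that the escrow check and the token check answer different questions, which is exactly the confusion in the thread: a Mac can report "escrowed to server: YES" while a standard account created after first login still reports "Secure token is DISABLED", and the fix is the sysadminctl grant from an account that holds a token, not anything MDM can push.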