Posted on 11-13-2023 12:04 PM
Evening All
I have spent the best part of 3 months going backwards and forwards with Jamf support over why bootstrap tokens don't always get escrowed back to Jamf Pro during our enrollment process.
My team of 3 has manually been through our 300 lab devices to tidy up any machines that don't have a bootstrap token escrowed to Jamf.
We did set up an extension attribute to try to populate a smart group, but this wasn't very reliable. It does seem this information isn't getting back to Jamf during an inventory update.
I'm still no closer to finding the root cause. Has anyone else experienced this type of issue?
I'm also after a script to create a bootstrap token on the fly, as I'm moving on to sorting out our staff devices next and don't want to recall them if I can help it.
Thanks in advance
Tom
Posted on 11-14-2023 06:33 AM
Bootstrap tokens are generally escrowed when the device is enrolled in JAMF, preferably by Automated Device Enrollment. Are you having issues with Macs that you reimage?
I don't think there is a way to script giving an MDM a bootstrap token. That process happens with the quick add package, and the MDM workflows. Though Secure Tokens are where Apple is taking everything now.
11-14-2023 06:39 AM - edited 11-14-2023 06:40 AM
Yes, we are using Automated Device Enrollment and a PreStage.
We use DEPNotify for our build process.
My scripting isn't up to much. Has anyone on here been able to script something to regenerate these tokens on the fly? I didn't think QuickAdd packages were a thing anymore.
Posted on 11-14-2023 06:44 AM
QuickAdd packages are still used during enrollment. Unfortunately, we can't use them anymore.
Have you tried running sudo profiles install -type bootstraptoken?
Posted on 11-14-2023 06:53 AM
Yep, that's what I have been using to fix my lab devices; they're easy to get to as they're normally fixed in a lab.
I was hoping to script something for staff devices, which aren't easy to get hold of.
I find it shocking that you can't report easily on whether the device has a bootstrap token in the first place. Currently using an extension attribute, but it doesn't seem to be pulling back the info into the smart group.
Posted on 11-15-2023 05:43 AM
The EA will need a recon to read and report correctly, then a smart group looking at the results of that EA will be correct.
I get the occasional Mac that fails to sort the Bootstrap out, and I log in and run the command to re-install it. It is so few that I haven't bothered to try and sort out any automated way, other than making sure there are plenty of inventory updates / recon in my initial setup so that I catch them as they appear and can fix them.
Posted on 11-18-2023 12:48 AM
Recon appears to be happening, but it's not updating the smart group. Been back and forward with Jamf for 3 months now.
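
For the reporting problem discussed in this thread, one way to write the extension attribute (an added example, not a script posted by anyone in the thread or supplied by Jamf): it classifies the output of profiles status -type bootstraptoken. The output wording it matches and the four result strings are assumptions, so check them against a Mac in your own fleet.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Pro extension attribute that
# reports Bootstrap Token escrow state for use as a smart group criterion.

# Classify the text printed by `profiles status -type bootstraptoken`.
# Assumed output lines:
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: NO
classify_bootstrap_status() {
    status_text="$1"
    # Take the value after the last ": " and strip stray whitespace.
    supported=$(printf '%s\n' "$status_text" |
        awk -F': ' '/supported on server/ {print $NF}' | tr -d '[:space:]')
    escrowed=$(printf '%s\n' "$status_text" |
        awk -F': ' '/escrowed to server/ {print $NF}' | tr -d '[:space:]')

    if [ "$escrowed" = "YES" ]; then
        echo "Escrowed"
    elif [ "$supported" = "NO" ]; then
        echo "Not Supported"
    elif [ "$escrowed" = "NO" ]; then
        echo "Not Escrowed"
    else
        # Command missing, unexpected wording, or an error message.
        echo "Unknown"
    fi
}

# Jamf runs extension attributes as root, which `profiles status` requires.
if command -v profiles >/dev/null 2>&1; then
    raw=$(profiles status -type bootstraptoken 2>&1 || true)
else
    raw=""   # not a Mac (or profiles missing): falls through to "Unknown"
fi

# Jamf Pro reads the extension attribute value from the <result> tags.
echo "<result>$(classify_bootstrap_status "$raw")</result>"
```

A smart group keyed on the value Not Escrowed only changes after the next inventory update. Reporting Unknown separately keeps a failed check from being counted as a healthy or an unhealthy device.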