Posted on 08-07-2020 12:47 PM
I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10.15. Particularly, we were running Jamf Pro 10.23.0 but were still seeing our devices show that tokens were not supported on the server.
Checking the status:
sudo profiles status -type bootstraptoken
Results:
profiles: Bootstrap Token supported on server: NO
Our devices met all the requirements, namely:
1. Registered in Apple Business / School Manager
2. Enrolled via pre-stage enrollment.
3. Running macOS 10.15.4 or later.
4. Enrolled after Jamf was upgraded to 10.18.0
The issue was that an undocumented requirement (possibly a bug) is that the pre-stage enrollment must have the following option checked:
Prevent user from enabling Activation Lock
Once changed, we were able to fix existing devices by issuing the Remove MDM Profile command, then on the device enrolling again with the following command:
sudo profiles renew -type enrollment
Once the device re-enrolled the results showed as expected that the tokens were supported, and we were able to manually install the bootstrap token with the following command:
sudo profiles install -type bootstraptoken
Hopefully that helps someone else!
Posted on 09-15-2020 01:37 PM
THANKS KYLE, have been chasing my tail for the past 24 hours and was lucky enough to find your wisdom! +1 Beer at JNUC 2022 or whenever on prem conventions resume....
Posted on 10-16-2020 08:00 AM
This is great @kyle.erickson ! Thank you.
Is this something we need to do manually for all 10.15.x devices? Will we need to do the sudo profiles install -type bootstraptoken for new/reprovisioned devices or will it automagically be done?
Posted on 11-26-2020 07:51 AM
Why isn't the bootstrap token automatically coming down during enrollment if we do have the option checked: Prevent user from enabling Activation Lock?
On an M1 MacBook Air, attempting to enroll to Jamf 10.26 we see the following:
% sudo profiles status -type bootstraptoken
Password:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO
Posted on 02-23-2022 04:20 AM
To move the bootstrap token to the server side you need to do sudo profiles install -type bootstraptoken
Posted on 03-19-2021 08:54 AM
Sorry for the delayed response as I didn't have notifications enabled (my mistake).
@jwojda You might have to unenroll and re-enroll (not scriptable).
I am seeing on newer versions of Jamf (currently 10.26.1) that at least with macOS 11 even devices that aren't part of Apple's Automated Device Enrollment program are getting a token as well.
@jmariani I believe the token is escrowed automatically (possibly after a recon), but you can do the following to trigger it:
#!/usr/bin/env bash
profiles install -type bootstraptoken
You could use an extension attribute to check if it's present:
#!/usr/bin/env bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# Checks on if the bootstrap token is supported and escrowed by MDM
# Validating minimum OS version for attribute (10.15.0 or later)
OSVersion=$(sw_vers -productVersion)
OSVersionMajor=$(echo $OSVersion | cut -d '.' -f 1)
OSVersionMinor=$(echo $OSVersion | cut -d '.' -f 2)
if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then
    echo "<result>Collected for macOS 10.15.0 or later</result>"
    exit 0
fi
StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)
if [[ -n $StatusBootstrapToken ]]; then
    Supported=$(echo $StatusBootstrapToken | awk '/supported/{print $NF}')
    Escrowed=$(echo $StatusBootstrapToken | awk '/escrowed/{print $NF}')
    if [[ "$Supported" == "YES" ]] && [[ "$Escrowed" == "YES" ]]; then
        Result="Escrowed"
    elif [[ "$Supported" == "YES" ]]; then
        Result="Supported"
    else
        Result="Not Supported"
    fi
fi
echo "<result>$Result</result>"
Posted on 06-10-2021 08:34 AM
Hey @kyle.erickson, thanks for that extension attribute but after implementing it I noticed a little mistake that needed to be fixed. When the profiles command is run in that script it seems to be interpreted as one line which means that AWK sets both of the "Supported" and "Escrowed" variables to the value of whatever the "Escrowed" variable is supposed to be. This means that it is impossible for "Result" to ever return a value of "Supported" when it is supposed to. I updated your extension attribute script below to use grep instead to fix this issue:
#!/usr/bin/env bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# Checks on if the bootstrap token is supported and escrowed by MDM
# Validating minimum OS version for attribute (10.15.0 or later)
OSVersion=$(sw_vers -productVersion)
OSVersionMajor=$(echo $OSVersion | cut -d '.' -f 1)
OSVersionMinor=$(echo $OSVersion | cut -d '.' -f 2)
if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then
    echo "<result>Collected for macOS 10.15.0 or later</result>"
    exit 0
fi
StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)
if [[ -n $StatusBootstrapToken ]]; then
    Supported='supported on server: YES'
    Escrowed='escrowed to server: YES'
    if [[ "$StatusBootstrapToken" == *"$Supported"* ]] && [[ "$StatusBootstrapToken" == *"$Escrowed"* ]]; then
        Result="Escrowed"
    elif [[ "$StatusBootstrapToken" == *"$Supported"* ]]; then
        Result="Supported"
    else
        Result="Not Supported"
    fi
fi
echo "<result>$Result</result>"
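To make the bug described above reproducible without a Mac, here is an added example (not from either poster's extension attribute) that runs the original awk parsing and a line-safe parser side by side on a constructed copy of the two-line `profiles status -type bootstraptoken` output quoted earlier in the thread; the `Unknown` branch for empty output is an addition of this example.

```shell
#!/usr/bin/env bash
# Constructed sample, modelled on the output quoted in this thread:
# supported by the server but not yet escrowed.
SAMPLE_SUPPORTED_ONLY='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
# Constructed sample for a device whose token is already escrowed.
SAMPLE_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# Original approach: the unquoted $status makes echo join both lines into
# one record, so /supported/ and /escrowed/ both match that single line and
# $NF is the last word of the whole output ("NO") for both variables.
broken_classify() {
    status=$1
    supported=$(echo $status | awk '/supported/{print $NF}')
    escrowed=$(echo $status | awk '/escrowed/{print $NF}')
    if [ "$supported" = "YES" ] && [ "$escrowed" = "YES" ]; then
        echo "Escrowed"
    elif [ "$supported" = "YES" ]; then
        echo "Supported"
    else
        echo "Not Supported"
    fi
}

# Line-safe approach: quote the variable so the newline survives, and match
# the full field label so each awk pattern hits exactly one line.
classify_bootstrap_token() {
    status=$1
    supported=$(printf '%s\n' "$status" | awk '/supported on server/{print $NF}')
    escrowed=$(printf '%s\n' "$status" | awk '/escrowed to server/{print $NF}')
    if [ "$supported" = "YES" ] && [ "$escrowed" = "YES" ]; then
        echo "Escrowed"
    elif [ "$supported" = "YES" ]; then
        echo "Supported"
    elif [ -z "$supported" ]; then
        echo "Unknown"    # profiles printed nothing (e.g. ran as a non-admin)
    else
        echo "Not Supported"
    fi
}

# Stand-alone run: the original logic misreports the supported-only device.
echo "broken: $(broken_classify "$SAMPLE_SUPPORTED_ONLY")"
echo "fixed:  $(classify_bootstrap_token "$SAMPLE_SUPPORTED_ONLY")"
echo "fixed:  $(classify_bootstrap_token "$SAMPLE_ESCROWED")"
```

On a real Mac, replace the constructed samples with `$(profiles status -type bootstraptoken 2>/dev/null)` and wrap the result in the `<result>` tags the extension attribute expects.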
Posted on 06-10-2021 09:38 AM
That's interesting and I'll investigate further. When I was testing manually it wasn't showing as a single line (as searching for supported returned only one result, escrowed one result, and searching for server returned 2).
I don't have many devices without a secure token anymore as we're using a LAPS account to add one on all devices where missing, but I appreciate the heads up and change, especially if it helps others as well.
Posted on 06-10-2021 09:38 AM
Correction, without a bootstrap token anymore. Sigh.
Posted on 06-13-2021 07:46 PM
You may want to check what I have done here.
Posted on 03-13-2023 12:52 PM
Is there a specific solution in that thread you found useful?
Posted on 03-13-2023 05:35 PM
I actually posted in that thread, the link is supposed to take you to it, however it seems the page no longer wants to do that.
Posted on 09-30-2021 07:25 AM
Are there any other suggestions as to why a computer might not escrow its Bootstrap Token at enrollment? We have met all of the conditions listed by the OP, including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in Escrow.
Yes, we can script it to escrow after the fact, but it would be nice if they did it the first time around, instead.
Posted on 09-30-2021 07:31 AM
I've noticed if I have 'Make the Admin account MDM enabled' ticked in the prestage enrolment, a bootstrap token isn't escrowed until the Admin account logs in to the machine. Then suddenly it's escrowed. Not sure if just 'any' account needs to log in or only the Admin account. But after device deployment, as long as no account has logged in yet, the device appears to have no bootstrap token escrowed. And it appears to stay like that until someone logs in. Only just started noticing this on a newly deployed lab of Apple Silicon iMacs (via ADE) that have a status of Bootstrap token escrowed = NO. Yay fun times.
Posted on 09-30-2021 07:34 AM
Hmm. Well this current test machine has not been logged in, but I planned to log in as a user created via the "Create Account" policy rather than the admin account created by enrollment. I guess I can check to see if that triggers the escrow.
I expect not, but it definitely defeats the purpose of minimal touch if we have to log in as the admin just to get the bootstrap token into escrow.
Posted on 10-01-2021 08:25 AM
It looks like logging in as a standard user after deployment does not successfully escrow the bootstrap token.
Posted on 10-01-2021 01:18 PM
My understanding is that once a device knows it can escrow the token, it will do so after an existing user with a token signs in. There is an MDM command that is sent to devices that you can see in the history called "Settings - Bootstrap Token Allowed". On devices where it is missing, there is also a "Set Activation Lock" MDM command you can send where you can configure it to Disable and prevent Activation Lock.
That said, I can't say for sure if there are any other requirements as we currently are using a script to escrow the token automatically on our devices by using the password of an existing admin account with a secure token.
Posted on 10-04-2021 11:43 AM
I ended up having to code a "profiles install -type bootstraptoken" command, which did ultimately, successfully escrow the token, but it seems excessive to have to specifically tell a computer that's been enrolled via DEP to escrow its token. That should, in my opinion, be assumed when dealing with an MDM solution. I wouldn't be using JAMF if I wanted to touch/log in to every computer just to ensure that it escrows its token.
Posted on 01-18-2022 07:39 AM
Did you have to do anything special to install the bootstrap token, or just run that command in a policy on machine that didn't have it?
Posted on 01-18-2022 08:12 AM
Because it requires admin credentials, and is also a "call and response" command, I used an expect script. The policy does have to receive the admin credentials in some manner. In the basic version, I just used the script parameters within Jamf, but for better security, you could do things like create a temporary admin, use a hidden admin with rotating credentials, or other such options.
#! /usr/bin/expect
# Get required variables. Note that in EXPECT scripts, the variable arguments are one value lower (thus $argv 3 is actually $4).
set adminName "[lindex $argv 3]"
set adminPass "[lindex $argv 4]"
#This will create and escrow the bootstraptoken on the Jamf Pro Server
spawn /usr/bin/profiles install -type bootstraptoken
expect "Enter the admin user name:"
send "$adminName\r"
expect "Enter the password for user '$adminName':"
send "$adminPass\r"
expect eof
exit 0
Posted on 08-12-2022 03:19 AM
This worked!
Posted on 01-18-2022 09:39 AM
My script is long and does several things to validate if a bootstrap token is required, if our administrator account is there, has a secure token, etc., but once that's done to install the token I'm just using this:
echo "[Information] Attempting to add a bootstrap token ..."
profiles install -type bootstraptoken -user "$LAPSAccountName" -password "$LAPSPassword"
Posted on 06-02-2022 01:21 PM
Thanks for this, we were having issues FileVault encrypting a small population of our Macs and using your instructions helped us get them encrypted! : )
Posted on 06-21-2022 01:02 AM
Hi friend.
I would like to know how running the command sudo profiles install -type bootstraptoken can prevent the user from participating in it.
Can it be done through a script?
Posted on 06-21-2022 02:25 AM
It can be done by script, but you'll have to send credentials through the script, and that is not good security-wise.
Basically the bootstraptoken is attached to the first login on the equipment; to send the bootstraptoken to the server side, the user who has the bootstraptoken needs to be an admin and then run that command to send it to the MDM in order to update remotely.
Posted on 06-21-2022 02:34 AM
Hi, thank you very much for your reply friend.
My client needs to use kernel reboot when using security tools. This problem is common on M1 devices.
The registration they use is manual and the jamf pro version is: 10.37.2.
When the M1 device reinstalls the system, registration is performed. I was on jamf pro and found that the bootstraptoken was not hosted on the server. It is the administrator I confirmed.
I would like to push the script to the device via JAMF, but I tested the script I found today.
It doesn't actually work. Do you have a similar one?
Sending the credentials through the script allows me to let the customer to evaluate if this works.
Posted on 06-21-2022 03:21 AM
We have JAMF School instead of JAMF Pro, but Pro is way better with a lot more features.
I do not have a script because, as said previously, we do not want credentials hard coded in a script that can be easily accessed. Since we have a small number of devices and we have to manually upgrade them to Monterey to fix the MDM upgrade issue, we are going to do the bootstraptoken manually as well. Check the answer from @kacey3 on @snowfox thread, that looks promising!
Posted on 07-17-2023 04:59 AM
We don't use pre-stage enrollment for classroom computers. Has anyone been successful in getting bootstrap tokens to work via user-initiated enrollment?
Posted on 07-17-2023 08:17 AM
Yes, it should work after the device is enrolled and a user with a secure token logs in. We have a workflow right now though to create and grant an administrative user a secure token, and we're using that account with the commands I originally put above to add the bootstrap token. That said, you really need to look at getting your devices into Apple School/Business Manager and using a pre-stage. There are quite a few things that are more challenging without it.