Ensuring Bootstrap Tokens are Enabled and Functional on macOS 10.15 or above

kyle_erickson
New Contributor III

I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10.15. In particular, we were running Jamf Pro 10.23.0 but were still seeing our devices show that tokens were not supported on the server.

Checking the status:
sudo profiles status -type bootstraptoken

Results:
profiles: Bootstrap Token supported on server: NO

Our devices met all the requirements, namely:
1. Registered in Apple Business / School Manager
2. Enrolled via pre-stage enrollment.
3. Running macOS 10.15.4 or later.
4. Enrolled after Jamf was upgraded to 10.18.0

The issue was an undocumented requirement (possibly a bug): the PreStage enrollment must have the following option checked:

Prevent user from enabling Activation Lock

Once that was changed, we were able to fix existing devices by issuing the Remove MDM Profile command and then re-enrolling on the device with the following command:

sudo profiles renew -type enrollment

Once the device re-enrolled the results showed as expected that the tokens were supported, and we were able to manually install the bootstrap token with the following command:

sudo profiles install -type bootstraptoken

Hopefully that helps someone else!
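As an added example (not part of the post above), the following script turns the output of `sudo profiles status -type bootstraptoken` into a state and prints the matching step from the procedure: escrow when the server is supported but nothing is escrowed, re-enroll when the server reports NO. It assumes the one- or two-line output format shown in this thread; the constructed sample strings let it run on a machine without the `profiles` tool.

```bash
#!/bin/bash
# Added example (not from the original post): classify the output of
# `sudo profiles status -type bootstraptoken` and print the matching fix.
# Assumes the output format shown in the thread (10.15.4+ adds an
# "escrowed to server" line once the server is supported).
set -u

# Classify status text: escrowed | supported | unsupported | unknown
bootstrap_state() {
  case "$1" in
    *"supported on server: YES"*"escrowed to server: YES"*) echo escrowed ;;
    *"supported on server: YES"*)                            echo supported ;;
    *"supported on server: NO"*)                             echo unsupported ;;
    *)                                                       echo unknown ;;
  esac
}

# Map a state to the remediation step described in the post
next_step() {
  case "$1" in
    escrowed)    echo "nothing to do: token already escrowed" ;;
    supported)   echo "escrow it: sudo profiles install -type bootstraptoken" ;;
    unsupported) echo "fix the PreStage (Prevent user from enabling Activation Lock), send Remove MDM Profile, then: sudo profiles renew -type enrollment" ;;
    *)           echo "unrecognised output; run: sudo profiles status -type bootstraptoken and inspect it" ;;
  esac
}

# Constructed sample outputs copied from the thread, so this runs off a Mac too
SAMPLE_UNSUPPORTED='profiles: Bootstrap Token supported on server: NO'
SAMPLE_SUPPORTED=$(printf 'profiles: Bootstrap Token supported on server: YES\nprofiles: Bootstrap Token escrowed to server: NO')

if [ "$(id -u)" -eq 0 ] && command -v profiles >/dev/null 2>&1; then
  state=$(bootstrap_state "$(profiles status -type bootstraptoken 2>&1)")   # live check (root on macOS)
else
  state=$(bootstrap_state "$SAMPLE_SUPPORTED")                               # offline demonstration
fi
echo "state: $state"
echo "next:  $(next_step "$state")"
```

Run it with `sudo` on an enrolled Mac to get the live state; anywhere else it classifies the constructed sample. Matching on the full phrase ("supported on server: YES") rather than on the word "supported" alone is what keeps the two status lines from being confused with each other.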


djdavetrouble
Contributor III

THANKS KYLE, have been chasing my tail for the past 24 hours and was lucky enough to find your wisdom! +1 Beer at JNUC 2022 or whenever on prem conventions resume....

jwojda
Valued Contributor II

This is great @kyle.erickson ! Thank you.

Is this something we need to do manually for all 10.15.x devices? Will we need to run sudo profiles install -type bootstraptoken for new/reprovisioned devices, or will it automagically be done?

jmariani
Contributor

Why isn't the bootstrap token automatically coming down during enrollment if we do have the option checked: Prevent user from enabling Activation Lock?

On an M1 MacBook Air, attempting to enroll to Jamf 10.26 we see the following:

% sudo profiles status -type bootstraptoken
Password:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

kyle_erickson
New Contributor III

Sorry for the delayed response as I didn't have notifications enabled (my mistake).
@jwojda You might have to unenroll and re-enroll (not scriptable).

I am seeing on newer versions of Jamf (currently 10.26.1) that at least with macOS 11 even devices that aren't part of Apple's Automated Device Enrollment program are getting a token as well.

@jmariani I believe the token is escrowed automatically (possibly after a recon), but you can do the following to trigger it:

#!/usr/bin/env bash
profiles install -type bootstraptoken

You could use an extension attribute to check if it's present:

#!/usr/bin/env bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# Checks on if the bootstrap token is supported and escrowed by MDM

# Validating minimum OS version for attribute (10.15.0 or later)
OSVersion=$(sw_vers -productVersion)
OSVersionMajor=$(echo $OSVersion | cut -d '.' -f 1)
OSVersionMinor=$(echo $OSVersion | cut -d '.' -f 2)
if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then
    echo "<result>Collected for macOS 10.15.0 or later</result>"
    exit 0
fi

StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)
if [[ -n $StatusBootstrapToken ]]; then
    Supported=$(echo $StatusBootstrapToken | awk '/supported/{print $NF}')
    Escrowed=$(echo $StatusBootstrapToken | awk '/escrowed/{print $NF}')
    if [[ "$Supported" == "YES" ]] && [[ "$Escrowed" == "YES" ]]; then
        Result="Escrowed"
    elif [[ "$Supported" == "YES" ]]; then
        Result="Supported"
    else
        Result="Not Supported"
    fi
fi

echo "<result>$Result</result>"

mlavine
Contributor

Hey @kyle.erickson, thanks for that extension attribute, but after implementing it I noticed a little mistake that needed to be fixed. When the profiles command is run in that script, its output seems to be interpreted as one line, which means that AWK sets both the "Supported" and "Escrowed" variables to the value of whatever the "Escrowed" variable is supposed to be. This means that it is impossible for "Result" to ever return a value of "Supported" when it is supposed to. I updated your extension attribute script below to use grep-style matching instead to fix this issue:

#!/usr/bin/env bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# Checks on if the bootstrap token is supported and escrowed by MDM

# Validating minimum OS version for attribute (10.15.0 or later)
OSVersion=$(sw_vers -productVersion)
OSVersionMajor=$(echo $OSVersion | cut -d '.' -f 1)
OSVersionMinor=$(echo $OSVersion | cut -d '.' -f 2)
if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then
    echo "<result>Collected for macOS 10.15.0 or later</result>"
    exit 0
fi


StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)

# Default when profiles prints nothing (command failed or output not recognised),
# so the attribute never reports an empty value
Result="Unknown"

if [[ -n $StatusBootstrapToken ]]; then
    # Match on the full phrase so the "supported" and "escrowed" lines cannot be confused
    Supported='supported on server: YES'
    Escrowed='escrowed to server: YES'
    if [[ "$StatusBootstrapToken" == *"$Supported"* ]] && [[ "$StatusBootstrapToken" == *"$Escrowed"* ]]; then
        Result="Escrowed"
    elif [[ "$StatusBootstrapToken" == *"$Supported"* ]]; then
        Result="Supported"
    else
        Result="Not Supported"
    fi
fi

echo "<result>$Result</result>"

kyle_erickson
New Contributor III

That's interesting and I'll investigate further. When I was testing manually it wasn't showing as a single line (searching for "supported" returned only one result, "escrowed" one result, and searching for "server" returned 2).

I don't have many devices without a secure token anymore as we're using a LAPS account to add one on all devices where missing, but I appreciate the heads up and change, especially if it helps others as well.


kyle_erickson
New Contributor III

Correction, without a bootstrap token anymore. Sigh.

wakco
New Contributor III

You may want to check what I have done here.

kacey3
New Contributor III

Are there any other suggestions as to why a computer might not escrow its Bootstrap Token at enrollment? We have met all of the conditions listed by the OP, including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in Escrow.

Yes, we can script it to escrow after the fact, but it would be nice if they did it the first time around, instead.

I've noticed if I have 'Make the Admin account MDM enabled' ticked in the PreStage enrollment, a bootstrap token isn't escrowed until the Admin account logs in to the machine. Then suddenly it's escrowed. Not sure if just 'any' account needs to log in or only the Admin account. But after device deployment, as long as no account has logged in yet, the device appears to have no bootstrap token escrowed. And it appears to stay like that until someone logs in. Only just started noticing this on a newly deployed lab of Apple Silicon iMacs (via ADE) that have a status of Bootstrap token escrowed = NO. Yay, fun times.

kacey3
New Contributor III

Hmm. Well this current test machine has not been logged in, but I planned to log in as a user created via the "Create Account" policy rather than the admin account created by enrollment. I guess I can check to see if that triggers the escrow.

I expect not, but it definitely defeats the purpose of minimal touch if we have to log in as the admin just to get the bootstrap token into escrow.

kacey3
New Contributor III

It looks like logging in as a standard user after deployment does not successfully escrow the bootstrap token.

kyle_erickson
New Contributor III

My understanding is that once a device knows it can escrow the token, it will do so after an existing user with a token signs in. There is an MDM command that is sent to devices that you can see in the history called "Settings - Bootstrap Token Allowed". On devices where it is missing, there is also a "Set Activation Lock" MDM command you can send where you can configure it to Disable and prevent Activation Lock.

That said, I can't say for sure if there are any other requirements, as we are currently using a script to escrow the token automatically on our devices by using the password of an existing admin account with a secure token.
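The approach described in the reply above (escrowing with an admin account that already holds a secure token) can be scripted with the `-user` and `-password` options that `profiles install -type bootstraptoken` accepts. The following is an added example, not the poster's own script: it checks that nothing is escrowed yet and that the admin account really has a secure token (via `sysadminctl -secureTokenStatus`) before attempting the escrow. The account name `localadmin` and the convention of piping the password in on stdin are assumptions to adapt to your LAPS setup; note that `profiles` itself still receives the password as a command-line argument, so use a dedicated, rotated account rather than a shared one.

```bash
#!/bin/bash
# Added example (not the poster's script): escrow the bootstrap token
# non-interactively with an admin account that holds a secure token.
# Assumptions: the admin account name below, and that the caller pipes
# the account's password on stdin (e.g. from a LAPS lookup).
set -u

ADMIN_USER="${ADMIN_USER:-localadmin}"   # assumed name of the secure-token admin

# Parse `sysadminctl -secureTokenStatus <user>` output (it reports ENABLED/DISABLED on stderr)
secure_token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *)                           return 1 ;;
  esac
}

# Parse `profiles status -type bootstraptoken` output
token_escrowed() {
  case "$1" in
    *"escrowed to server: YES"*) return 0 ;;
    *)                           return 1 ;;
  esac
}

# Decide what to do: skip-escrowed | skip-no-secure-token | escrow
escrow_decision() {
  local profiles_out="$1" sysadminctl_out="$2"
  if token_escrowed "$profiles_out"; then echo skip-escrowed; return; fi
  if ! secure_token_enabled "$sysadminctl_out"; then echo skip-no-secure-token; return; fi
  echo escrow
}

if [ "$(id -u)" -eq 0 ] && command -v profiles >/dev/null 2>&1; then
  # Live path: root on macOS
  p_out=$(profiles status -type bootstraptoken 2>&1)
  s_out=$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)
  case "$(escrow_decision "$p_out" "$s_out")" in
    escrow)
      # Password comes from stdin so it is not in this script's argv or shell
      # history; profiles itself still sees it as an argument for the duration of the call.
      IFS= read -r ADMIN_PASS
      profiles install -type bootstraptoken -user "$ADMIN_USER" -password "$ADMIN_PASS"
      ;;
    skip-escrowed)        echo "bootstrap token already escrowed" ;;
    skip-no-secure-token) echo "$ADMIN_USER has no secure token; cannot escrow" >&2; exit 1 ;;
  esac
else
  # Offline demonstration with constructed sample outputs
  SAMPLE_P='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
  SAMPLE_S='sysadminctl[123:456] Secure token is ENABLED for user localadmin'
  echo "decision: $(escrow_decision "$SAMPLE_P" "$SAMPLE_S")"
fi
```

Usage on a Mac: `printf '%s' "$PASSWORD" | sudo ADMIN_USER=localadmin ./escrow_bootstrap.sh`. The secure-token precondition matters because an admin without one cannot grant the token to the MDM server, and failing early with a clear message is easier to act on than a silent non-escrow in inventory.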

kacey3
New Contributor III

I ended up having to code a "profiles install -type bootstraptoken" command, which did ultimately, successfully escrow the token, but it seems excessive to have to specifically tell a computer that's been enrolled via DEP to escrow its token. That should, in my opinion, be assumed when dealing with an MDM solution. I wouldn't be using JAMF if I wanted to touch/log in to every computer just to ensure that it escrows its token.