"Software Update is trying to authenticate user." [Automation / Script Assistance needed]

Mcleveland
New Contributor III

Can someone help me out creating a way to automate this manual solution process? (Full story found in Macadmins Slack)

Issue: On many computers I find that after I type

sudo profiles status -type bootstraptoken

it echoes back:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

I proceed with typing:

diskutil apfs listCryptoUsers /

I verify that ALL users are Volume Owners. Good, right? NO. Finally I type:

sudo profiles validate -type bootstraptoken

It echoes back:

profiles: Bootstrap Token supported on server: NO

Manual solution: I need to go onto each computer and type

sudo profiles validate -type bootstraptoken -user INSERTUSR -pass INSERTPW

and then identify that the echoed line says "NO":

profiles: Bootstrap Token supported on server: NO

Once identifying is complete and I have found a 'NO', I type:

sudo profiles remove -type bootstraptoken -user INSERTUSR -pass INSERTPW

What echoes back is

profiles: Bootstrap Token clearing on server...
profiles: Unable to clear Bootstrap Token (500)
profiles: Error returned = 500

I checked the current status:

sudo profiles status -type bootstraptoken

it echoes back:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO

I proceeded with logging out and logging back in (not a restart) and then typed:

sudo profiles status -type bootstraptoken

It echoes back:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES

I go a step further because I needed to in the past to TRULY validate the Bootstrap token:

sudo profiles validate -type bootstraptoken -user INSERTUSR -pass INSERTPW

and it echoes back:

profiles: Bootstrap Token escrowed on server: YES
profiles: Bootstrap Token validated.

1 REPLY

BWonderchild
New Contributor III

Could create an extension attribute for the bootstrap token:

#!/usr/bin/env bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# Checks whether the bootstrap token is supported and escrowed by MDM

# Validating minimum OS version for attribute (10.15.0 or later)
OSVersion=$(sw_vers -productVersion)
OSVersionMajor=$(echo "$OSVersion" | cut -d '.' -f 1)
OSVersionMinor=$(echo "$OSVersion" | cut -d '.' -f 2)
if [[ $OSVersionMajor -eq 10 ]] && [[ $OSVersionMinor -lt 15 ]]; then
    echo "<result>Collected for macOS 10.15.0 or later</result>"
    exit 0
fi

# Default so the attribute is never empty when profiles returns no output
Result="Unknown"

# Extension attributes run as root, so no sudo is needed here
StatusBootstrapToken=$(profiles status -type bootstraptoken 2>/dev/null)

if [[ -n $StatusBootstrapToken ]]; then
    Supported='supported on server: YES'
    Escrowed='escrowed to server: YES'
    if [[ "$StatusBootstrapToken" == *"$Supported"* ]] && [[ "$StatusBootstrapToken" == *"$Escrowed"* ]]; then
        Result="Escrowed"
    elif [[ "$StatusBootstrapToken" == *"$Supported"* ]]; then
        Result="Supported"
    else
        Result="Not Supported"
    fi
fi

echo "<result>$Result</result>"


Then if it's not could just automatically install it again:

#!/usr/bin/env bash
profiles install -type bootstraptoken
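
Added example, not part of either post above: an extension attribute variant that also runs the credential-less `profiles validate` from the original post, so the case it describes (status YES/YES, validate "supported on server: NO") is reported as its own value. The function name and result strings are hypothetical, and it assumes a healthy Mac does not print the NO line when validate is run without credentials.

```shell
#!/bin/bash
# Added example (not from the thread). Matched strings are the profiles
# output quoted in the thread; result labels are hypothetical.

# classify_bootstrap_token STATUS_OUTPUT VALIDATE_OUTPUT
# Prints: Unknown | Not Supported | Supported (not escrowed) |
#         Mismatch | Validated | Escrowed (not validated)
classify_bootstrap_token() {
    bt_status=$1
    bt_validate=$2

    # No output at all from "profiles status"
    [ -n "$bt_status" ] || { echo "Unknown"; return; }

    case $bt_status in
        *"supported on server: YES"*) ;;
        *) echo "Not Supported"; return ;;
    esac
    case $bt_status in
        *"escrowed to server: YES"*) ;;
        *) echo "Supported (not escrowed)"; return ;;
    esac

    # status reports YES/YES: cross-check against validate, which is
    # where the original post saw the disagreement
    case $bt_validate in
        *"Bootstrap Token validated"*) echo "Validated" ;;
        *"supported on server: NO"*)   echo "Mismatch" ;;
        *)                             echo "Escrowed (not validated)" ;;
    esac
}

# Only query the machine where profiles exists (macOS, running as root).
# No -user/-pass here, so no admin password is stored in the script.
if command -v profiles >/dev/null 2>&1; then
    bt_s=$(profiles status -type bootstraptoken 2>/dev/null)
    bt_v=$(profiles validate -type bootstraptoken 2>&1 </dev/null)
    echo "<result>$(classify_bootstrap_token "$bt_s" "$bt_v")</result>"
fi
```

A smart group scoped to the "Mismatch" value would list the machines that need the manual remove and re-escrow steps from the original post.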