Posted on 03-07-2023 10:54 AM
As I have been deploying an update script (erase-install) for users to upgrade to Ventura, I have begun to notice that some users are not Volume Owners and therefore unable to perform the upgrade themselves.
Some background:
One interesting thing I noticed all of the affected machines have in common is that they all list the non-volume owners as not having FileVault 2 enabled. However, the local admin account as well as every other account on every Jamf enrolled machine in our inventory, lists FileVault 2 as being enabled - even though FileVault is not turned on on any of those machines. I'm not sure if FileVault Enabled: Yes (Admin Center) = FileVault On (Mac), but none of them are actually On. The No indicator for FileVault is one thing all of the affected users have in common.
I'm not sure why the users are not being created as Volume Owners, and I was unable to find any information as to how to possibly make these users Volume Owners, which I need to do. We are scheduled to begin using Jamf Connect in the next couple of months which I'm hoping will streamline our process, but I'm hoping to both resolve this issue and prevent it from happening in the interim.
I did find posts from folks experiencing a similar issue, but nothing in terms of a solution:
https://community.jamf.com/t5/jamf-pro/unable-to-update-m1s-to-ventura/m-p/279596
Thanks in advance for any insight or help.
Posted on 03-07-2023 01:34 PM
Is the Bootstrap Token escrowed on these devices?
Posted on 03-07-2023 03:48 PM
On the latest machine I found with the issue, I did run:
sudo profiles install -type bootstraptoken
but that didn't resolve the issue of the already created mobile user account not being a Volume Owner.
However, in hindsight, I suppose I should have first checked the status by running:
sudo profiles status -type bootstraptoken
I can look at one of the other machines this week to see the status. But why would the token not be escrowed through Jamf on these machines?
Posted on 03-08-2023 12:20 PM
Generally, the Bootstrap token gets automatically uploaded during login from a user that has a Secure Auth Token. Mobile Accounts generally don't have one by default, so there's a chance that's what caused your issue.
The good news is that once the token has been uploaded, it'll provide Secure Auth and Volume Ownership during the login step on the machines going forward.
Posted on 03-08-2023 03:46 PM
I was able to test on another machine, and yes, you're absolutely right about the tokens being escrowed to all users after running the install command.
I first checked the status of the token:
sudo profiles status -type bootstraptoken
Results:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO
Next I ran the install command:
sudo profiles install -type bootstraptoken
Checked again using the status command, and got these results:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES
Once the user logged in again, I could see within Jamf Admin that the user was now a Volume Owner User.
This also changed their FileVault 2 Enabled status to Yes, which I still don't quite understand because that is not turned On. But that is a question for another day and another thread.
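The status check from the posts above can be turned into a single inventory value. The script below is an added example, not part of the original thread and not Jamf's or bp88's code: it parses the two status lines quoted above and prints a result in the <result> form Jamf Pro extension attributes use. The function name, the state labels and the embedded sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify `profiles status -type bootstraptoken` output.
# Function name and state labels are hypothetical, chosen for this example.

# Reads status text on stdin, prints one of:
#   ESCROWED, NOT_ESCROWED, UNSUPPORTED, UNKNOWN
classify_bootstrap_status() {
    awk '
        /Bootstrap Token supported on server:/ { supported = $NF }
        /Bootstrap Token escrowed to server:/  { escrowed  = $NF }
        END {
            # Missing lines (command failed, not run as root) are not a "NO".
            if (supported == "" || escrowed == "") print "UNKNOWN"
            else if (supported != "YES")           print "UNSUPPORTED"
            else if (escrowed == "YES")            print "ESCROWED"
            else                                   print "NOT_ESCROWED"
        }'
}

# Constructed samples, copied from the output quoted in this thread.
SAMPLE_BEFORE='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_AFTER='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

if command -v profiles >/dev/null 2>&1; then
    # On a Mac (run as root, as a Jamf policy or extension attribute would be).
    status=$(profiles status -type bootstraptoken 2>&1 | classify_bootstrap_status)
    echo "<result>$status</result>"
else
    # Anywhere else: show the classification of the two samples.
    echo "before install: $(printf '%s\n' "$SAMPLE_BEFORE" | classify_bootstrap_status)"
    echo "after install:  $(printf '%s\n' "$SAMPLE_AFTER" | classify_bootstrap_status)"
fi
```

Machines reporting NOT_ESCROWED are the ones where the install command from this thread still needs to be run before the next user login.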
Posted on 05-16-2023 12:51 AM
We have also been struggling with this in our environment. I'm confused by this:
"I could see within Jamf Admin that the user was now a Volume Owner User". Is this recorded somewhere, as I can find it within a computer record?
Posted on 05-16-2023 10:22 AM
Hi @tdenton,
I found a wonderful Extension Attribute script written by bp88 that allows me to see Volume Owners on an Apple Silicon machine.
You can find it here: https://github.com/bp88/Jamf-Pro-Extension-Attributes/blob/master/Volume%20Owner%20Users.sh