Sonoma 14.2+ Secure Token / Volume Ownership / Bootstrap Token issue?

whiteb
Contributor II

I have a Smart Group monitoring computers where the Bootstrap Token isn't escrowed. In the past week, I noticed a couple of freshly wiped + re-enrolled computers (all on Sonoma 14.2 and 14.2.1) where the first user logging into the computer isn't getting the Secure Token or Volume Ownership. Also, the Bootstrap Token doesn't get escrowed.

Background: in our 1:1 deployments, we have a PreStage-created, hidden local admin account. In this 1:1 PreStage, we have enrollment customization turned on, pointing to our SSO IdP. User gets a device, logs in through SSO, which populates their info into the local user creation screen. They enter their password again, and get logged into the device.

Enrollment finishes, and for some reason Jamf is showing the PreStage admin account as the only Secure Token holder and Volume Owner. And as mentioned, the Bootstrap Token doesn't get escrowed. I can fix it manually using sudo profiles install -type bootstraptoken, but I'm trying to figure out why this is happening. Administrator has never been signed into. And the account that is the first one logging in isn't getting Secure Token / Volume Ownership.

Strangely, it's not quite 100% of the time. I wiped a 14.2.1 tester M1 and re-enrolled; it went as expected. I got Volume Ownership, Secure Token, and the Bootstrap Token was escrowed. Same exact PreStage, same policies, profiles, etc.

PreStage hasn't been touched lately. Yet this problem seems to have just started happening in the last week or so, I believe. I put a ticket in and posted about this on the MacAdmins Slack, but figured I'd post here as well.


obi-k
Valued Contributor II

Let us know what you find. Saw some strangeness with an M3 Mac on 14.2.1 and 14.2. Couldn't downgrade, so couldn't test a different OS.

Had trouble with SecureToken, even with Bootstrap Token escrowed. Could be something I'm missing, but it all worked prior to 14.2+.