What's New in Jamf School: 9.2.21 Release includes Support for Bootstrap Token Functionality

New Contributor II
New Contributor II

Hi Jamf Nation,

We’ve just released Jamf School 9.2.21 with exciting updates, bug fixes and enhancements including Support for Bootstrap Token Functionality.
Jamf School can now automatically escrow bootstrap tokens sent by computers with macOS 11 or later during enrollment and computers with macOS 10.15 or later after enrollment. Bootstrap token eliminates the need to request additional authentication information when a network user logs in to a computer with a mobile account and the account does not have a SecureToken associated with it. After the bootstrap token is escrowed, it is requested from Jamf School each time an eligible mobile account logs in to a computer. The computer then automatically generates a SecureToken for the mobile account. After the user is issued a SecureToken, their account can be used for macOS services that require cryptographic privileges, such as FileVault authentication.
In addition, if an Automated Device Enrollment profile is configured to create an additional local administrator account during enrollment in the macOS Settings in the Automated Device Enrollment profile, that account is also eligible to receive the Bootstrap Token when it logs in to a computer.
For more information about Bootstrap Token Functionality, see Using Secure and Bootstrap tokens in deployments from Apple’s support website.
Check out the full release notes for Jamf School here

Many thanks



New Contributor III

Hi Aaron - I'm hoping you can help me out with a bootstrap token issue that has come up at our district.  We have enrolled our macs using automated device enrollment - prompting to create a standard user account, creating a macOS managed admin account, and I also have a script running to create a third account for a "sub" that is a standard account.  What I am noticing is that we are having instances where the sub account is getting the bootstrap token and not the standard user that is created during ADE.  There doesn't seem to be any rhyme or reason on whether it works properly or not.  How can I prevent it from happening in the first place and how can I fix it once it has happened?