During the week of November 23rd 2020, we uncovered issues with Bootstrap tokens not being properly escrowed to Addigy. We identified two separate issues that affected different sets of devices.
1. An issue that impacted macOS 10.15 Catalina devices that was remediated with AM-7481.
2. We also reviewed and ensured all possible configurations were properly set for Big Sur devices with AM-7011.
Both of these cards were shipped mid-day on November 30th 2020. All devices enrolled after AM-7481 and AM-7011 shipped will see the Addigy MDM server return a positive response for escrow status. To test device connectivity in relation to Bootstrap, run the following command on a client device:
profiles status -type bootstraptoken
This command should return the following text when the Bootstrap token has been properly escrowed:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES
Remediation for Server not Supporting Bootstrap Token
If the above command does not return a YES response for Addigy supporting Bootstrap token, the MDM profile will need to be redeployed via Addigy. To do this, log in to Addigy and navigate to the Devices page. Once there, find the device in question and click the +MDM button to reinstall the MDM Profile. This corrects any prior issue with the server returning a not supported response.
Please note that some versions of macOS may require a reboot to flip from NO to YES after the MDM Profile has been redeployed. In testing, this was mainly seen with Catalina-based devices.
Next, we will need to escrow the Bootstrap token.
Escrowing Bootstrap Token to Addigy
As long as the device returns YES for the Bootstrap token being supported by Addigy, the token will be escrowed the next time a user logs in to the device. If the device is in this state, simply have the end user log out and back in to escrow the Bootstrap token to Addigy.
After the user has logged back in to their device, Addigy will receive the Bootstrap token from the device and the NO will flip to a YES. This can be confirmed by running the profiles status command above.
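The two checks above can be folded into one script that maps the output of profiles status to the remediation step this article describes. This is an added example, not Addigy's own tooling; the function and script names are our own, and the live check assumes it is run as root on a macOS device.

```sh
#!/bin/sh
# Added example, not Addigy's tooling: classify the output of
#   profiles status -type bootstraptoken
# into the remediation step described in the article above.
# The parser is plain POSIX sh so it can be exercised with sample text.

# classify_bootstrap_status: reads `profiles status` output on stdin and prints
#   OK            supported YES, escrowed YES -> nothing to do
#   REDEPLOY_MDM  supported NO                -> reinstall the MDM profile (+MDM);
#                                                reboot if still NO (seen on Catalina)
#   USER_RELOGIN  supported YES, escrowed NO  -> have the user log out and back in
#   UNKNOWN       expected lines not found    -> inspect the raw output
classify_bootstrap_status() {
    out=$(cat)
    supported=$(printf '%s\n' "$out" |
        sed -n 's/^profiles: Bootstrap Token supported on server: *//p' | tr -d '\r ')
    escrowed=$(printf '%s\n' "$out" |
        sed -n 's/^profiles: Bootstrap Token escrowed to server: *//p' | tr -d '\r ')
    case "$supported/$escrowed" in
        YES/YES) echo OK ;;
        NO/*)    echo REDEPLOY_MDM ;;
        YES/NO)  echo USER_RELOGIN ;;
        *)       echo UNKNOWN ;;
    esac
}

# check_bootstrap_token: run the real command and exit non-zero unless escrow is
# complete, so the script can back a custom fact or a monitoring check.
check_bootstrap_token() {
    state=$(profiles status -type bootstraptoken 2>&1 | classify_bootstrap_status)
    echo "bootstrap token: $state"
    [ "$state" = "OK" ]
}

# Only query the live system when invoked as: sudo sh check_bootstrap.sh --live
if [ "${1:-}" = "--live" ]; then
    check_bootstrap_token
fi
```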
Additional Commands
Check Bootstrap status
Command:
profiles status -type bootstraptoken
Response:
profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES
Check Bootstrap external key and all crypto users
Command:
diskutil apfs listcryptousers /
Response:
Cryptographic users for disk3s1s1 (2 found)
|
+-- 99A0F634-B397-45B0-B8FB-0DF3F9EDA6BA
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
    Type: MDM Bootstrap Token External Key
    Volume Owner: Yes
Manually creating a new Bootstrap token (requires interaction)
Command:
profiles install -type bootstraptoken
Response:
Enter the admin user name:admin
Enter the password for user 'admin':
profiles: Create Bootstrap Token created
profiles: Bootstrap Token created
profiles: Bootstrap Token escrowing to server...
profiles: Bootstrap Token escrowed
Validate Bootstrap token that is stored in Addigy (requires interaction)
Command:
profiles validate -type bootstraptoken
Response:
Enter the admin user name:admin
Enter the password for user 'admin':
profiles: Bootstrap Token escrowed on server: YES
profiles: Bootstrap Token validated.
Remove Bootstrap token from device and Addigy (if removed, it must be re-created with the install command above)
Command:
profiles remove -type bootstraptoken
Response:
Enter the admin user name:admin
Enter the password for user 'admin':
profiles: Bootstrap Token deleted
profiles: Bootstrap Token clearing on server...
profiles: Bootstrap Token cleared
Check Secure token for a specific user
Command:
sysadminctl -secureTokenStatus admin
Response:
2020-11-30 16:10:40.850 sysadminctl[13333:1114076] Secure token is ENABLED for user admin
Changes to Bootstrap Token by macOS version
11.0
- Added a recommended key to the MDM profile regarding Bootstrap token
- Added ability to grant local users Secure token
- Added as a requirement for Software Updates (investigating)
- Added as a requirement for KEXT (investigating)
10.15.4
- Standard users created during Automated Device Enrollment now receive Bootstrap token
- Supervised devices without Bootstrap token will enable Bootstrap during first login by a user with Secure token
10.15
- Initial release of Bootstrap token
External Resources
Apple's Documentation on Bootstrap Token
Apple's Documentation on End User Device Setup