During the week of November 23rd 2020, we uncovered issues with Bootstrap tokens not being properly escrowed to Addigy. We identified two separate issues that affected different sets of devices. 

1. An issue that impacted macOS 10.15 Catalina devices that was remediated with AM-7481. 

2. We also reviewed and ensured all possible configurations were properly set for Big Sur devices with AM-7011. 

Both of these cards were shipped mid-day on November 30th 2020. All devices enrolled after AM-7481 and AM-7011 shipped will see the Addigy MDM server return a positive response to the escrow status check. To test device connectivity in relation to Bootstrap, run the following command on a client device:

profiles status -type bootstraptoken


This command should return the following text when the Bootstrap token has been properly escrowed:

profiles: Bootstrap Token supported on server: YES

profiles: Bootstrap Token escrowed to server: YES

Remediation for Server not Supporting Bootstrap Token

If the above command does not return a YES response for Addigy supporting Bootstrap token, the MDM profile will need to be redeployed via Addigy. To do this, simply log in to Addigy and navigate to the Devices page. Once at the Devices page, find the proper device and click on the +MDM button to reinstall the MDM Profile. This will correct any prior issues with the server returning a not supported response. 

Please note that some versions of macOS may require a reboot to flip from NO to YES after the MDM Profile has been redeployed. In testing, this was mainly seen with Catalina based devices.

Next, we will need to escrow the Bootstrap token.

Escrowing Bootstrap Token to Addigy

As long as the device has a YES response to the Bootstrap token being supported by Addigy, the token will be escrowed on login to the device. If the device is in this state, simply have the end user log out and back into the device to escrow the Bootstrap token back to Addigy.

After the user has logged back into their device, Addigy will receive the Bootstrap token from the device and the NO will flip to a YES. This can be confirmed by running the profiles status command above.

Additional Commands


Check Bootstrap status

Command:

profiles status -type bootstraptoken


Response:

profiles: Bootstrap Token supported on server: YES

profiles: Bootstrap Token escrowed to server: YES


Check Bootstrap external key and all crypto users

Command:

diskutil apfs listcryptousers /


Response:

Cryptographic users for disk3s1s1 (2 found)
|
+-- 99A0F634-B397-45B0-B8FB-0DF3F9EDA6BA
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
    Type: MDM Bootstrap Token External Key
    Volume Owner: Yes


Manually creating a new Bootstrap token (requires interaction)

Command:

profiles install -type bootstraptoken


Response:

Enter the admin user name:admin

Enter the password for user 'admin':

profiles: Create Bootstrap Token created

profiles: Bootstrap Token created

profiles: Bootstrap Token escrowing to server...

profiles: Bootstrap Token escrowed


Validate Bootstrap token that is stored in Addigy (requires interaction)

Command:

profiles validate -type bootstraptoken


Response:

Enter the admin user name:admin

Enter the password for user 'admin':

profiles: Bootstrap Token escrowed on server: YES

profiles: Bootstrap Token validated.


Remove Bootstrap token from device and Addigy (will require the install command above to fix if removed)

Command:

profiles remove -type bootstraptoken


Response:

Enter the admin user name:admin

Enter the password for user 'admin':

profiles: Bootstrap Token deleted

profiles: Bootstrap Token clearing on server...

profiles: Bootstrap Token cleared


Check Secure token for a specific user

Command:

sysadminctl -secureTokenStatus admin


Response:

2020-11-30 16:10:40.850 sysadminctl[13333:1114076] Secure token is ENABLED for user admin
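The remediation flow from the sections above (supported/escrowed responses from profiles status, plus the diskutil listcryptousers check) collected into one small shell helper. This is an added example, not an Addigy tool; it assumes the output formats shown in this article, and the script name bootstrap_check.sh is hypothetical.

```shell
#!/bin/sh
# Classify "profiles status -type bootstraptoken" output and map it to the
# remediation step from this article. Parsing lives in functions that take
# the command output as an argument, so they can be exercised with captured
# text on any machine; only check_device actually needs macOS.

# classify_bootstrap OUTPUT -> prints ok | redeploy-mdm | relogin | unknown
classify_bootstrap() {
    supported=$(printf '%s\n' "$1" | sed -n 's/.*Bootstrap Token supported on server: *//p' | tr -d '[:space:]')
    escrowed=$(printf '%s\n' "$1" | sed -n 's/.*Bootstrap Token escrowed to server: *//p' | tr -d '[:space:]')
    case "$supported:$escrowed" in
        YES:YES) echo ok ;;            # nothing to do
        NO:*)    echo redeploy-mdm ;;  # server not supporting: reinstall MDM profile (+MDM)
        YES:NO)  echo relogin ;;       # supported but not escrowed: user logout/login
        *)       echo unknown ;;       # unexpected output, inspect by hand
    esac
}

# count_mdm_keys OUTPUT -> number of "MDM Bootstrap Token External Key" entries in
# "diskutil apfs listcryptousers /" output (1 means the token key is present locally)
count_mdm_keys() {
    printf '%s\n' "$1" | awk '/MDM Bootstrap Token External Key/ { n++ } END { print n + 0 }'
}

# check_device: run the real commands on a Mac and print the next step
check_device() {
    if ! command -v profiles >/dev/null 2>&1; then
        echo "profiles(1) not found; this check only runs on macOS" >&2
        return 2
    fi
    state=$(classify_bootstrap "$(profiles status -type bootstraptoken 2>&1)")
    keys=$(count_mdm_keys "$(diskutil apfs listcryptousers / 2>&1)")
    printf 'bootstrap_state=%s mdm_external_keys=%s\n' "$state" "$keys"
    case "$state" in
        redeploy-mdm) echo "Next: redeploy the MDM profile from the Addigy Devices page (+MDM); Catalina may need a reboot" ;;
        relogin)      echo "Next: have the user log out and back in, then re-run this check" ;;
        unknown)      echo "Next: review the raw profiles output by hand" ;;
    esac
}

# Usage on a client device: sh bootstrap_check.sh run
if [ "${1:-}" = "run" ]; then
    check_device
fi
```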

Changes to Bootstrap Token by macOS version

11.0

  • Added a recommended key to the MDM profile regarding Bootstrap token
  • Added ability to grant local users Secure token
  • Added as a requirement for Software Updates (investigating)
  • Added as a requirement for KEXT (investigating)

10.15.4

  • Standard users created during Automated Device Enrollment now receive Bootstrap token
  • Supervised devices without Bootstrap token will enable Bootstrap during first login by a user with Secure token

10.15

  • Initial release of Bootstrap token

External Resources

Apple's Documentation on Bootstrap Token

Apple's Documentation on End User Device Setup

Apple's Documentation on Organization Device Setup

Apple's Documentation on Command Line Tools


If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.