In macOS 10.15 Catalina, the Bootstrap Token feature helps grant a SecureToken to mobile account users and to the optional administrator account created during device enrollment through Apple Business Manager. On Catalina, this feature does not change how local accounts are granted SecureTokens.

About SecureToken

The introduction of Apple File System (APFS) in macOS 10.13 changed how FileVault encryption keys are generated and stored. The keys are generated either when the first local user account is created or when a user logs in for the first time. A SecureToken is a wrapped version of the volume's Key Encryption Key (KEK), protected by the user's password. Any account that must unlock a FileVault-encrypted volume at startup is required to be SecureToken enabled. Directory (network) users are not eligible for a SecureToken.

Before macOS Catalina, enabling a mobile account user for SecureToken required specific workflows, some of which required entering the credentials of an existing SecureToken-enabled administrator to enable the new user account. Bootstrap Token removes this step on MDM-enrolled devices.

For User Approved MDM (UAMDM) enrolled devices running macOS 10.15.4 or later, a Bootstrap Token is generated and escrowed to Workspace ONE UEM automatically at the first login by any SecureToken-enabled user. If needed, a Bootstrap Token can also be generated and escrowed manually with the /usr/bin/profiles command-line tool.

Note:

A Bootstrap Token cannot be generated and escrowed automatically if local user account creation is skipped during Setup Assistant, because no SecureToken-enabled user then logs in to trigger it.

After the Bootstrap Token is escrowed in Workspace ONE UEM, future user accounts can use it at login to be enabled with a SecureToken automatically. When a mobile account user or the administrator created during device enrollment logs in, macOS requests the Bootstrap Token from the UEM server and uses it, together with the user's credentials, to enable a unique SecureToken for that user on that volume.

The Bootstrap Token is a unique key used by MDM only for this purpose; it cannot be used in place of a Personal Recovery Key (PRK).

On systems that are already deployed, administrators can run the /usr/bin/profiles command-line tool with the credentials of an existing SecureToken-enabled administrator account to generate and escrow a Bootstrap Token manually for future logins by mobile accounts.
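As an added example (not part of this documentation, and not Workspace ONE UEM or Apple code), the following script checks whether a Bootstrap Token has been escrowed, escrows one manually with the profiles tool when the server supports it but none is escrowed, and reports each local user's SecureToken state. It assumes a Mac on macOS 10.15.4 or later enrolled in Workspace ONE UEM, root privileges, and the output formats of profiles and sysadminctl shown in the comments; the parsing functions can be exercised on constructed sample output on any system.

```shell
#!/bin/bash
# Added example: verify and, if needed, manually escrow a Bootstrap Token.
# Assumes: macOS 10.15.4+, MDM enrolled, run as root. Output formats below are
# those of `profiles status -type bootstraptoken` and `sysadminctl -secureTokenStatus`.

# Parse the text printed by `sudo profiles status -type bootstraptoken`, e.g.
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
# Prints one of: escrowed | supported-not-escrowed | unsupported | unknown
parse_bootstrap_status() {
  local out="$1" supported escrowed
  supported=$(printf '%s\n' "$out" | sed -n 's/.*supported on server: *//p' | tr -d '[:space:]')
  escrowed=$(printf '%s\n' "$out" | sed -n 's/.*escrowed to server: *//p' | tr -d '[:space:]')
  case "$supported:$escrowed" in
    YES:YES) echo escrowed ;;
    YES:NO)  echo supported-not-escrowed ;;
    NO:*)    echo unsupported ;;
    *)       echo unknown ;;
  esac
}

# Parse the line printed by `sysadminctl -secureTokenStatus <user>`, e.g.
#   sysadminctl[123:456] Secure token is ENABLED for user jdoe
# sysadminctl writes this to stderr, so callers redirect 2>&1.
# Prints ENABLED, DISABLED, or unknown.
parse_securetoken_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo unknown ;;
  esac
}

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  status=$(parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)")
  echo "Bootstrap Token: $status"
  if [ "$status" = "supported-not-escrowed" ]; then
    # Prompts for the name and password of an existing SecureToken-enabled admin.
    # Prefer the prompt over passing the password on the command line, where it
    # would be visible in `ps` output and shell history.
    profiles install -type bootstraptoken
  fi
  # Report SecureToken state for every local user with UID >= 501.
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}'); do
    echo "$u: SecureToken $(parse_securetoken_status "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
  done
  # After escrow, the boot volume's crypto users include an MDM Bootstrap Token entry.
  diskutil apfs listCryptoUsers / | grep 'MDM Bootstrap Token External Key' || echo "no Bootstrap Token crypto user on /"
else
  # Not on a Mac or not root: exercise the parser on constructed sample output.
  sample='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
  echo "sample -> $(parse_bootstrap_status "$sample")"   # supported-not-escrowed
fi
```

Run it as root after the Mac is UAMDM enrolled; a result of supported-not-escrowed is the case the manual profiles install step is for, while unsupported means the MDM server did not advertise Bootstrap Token support and escrow cannot proceed.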

Using the console APIs, administrators can check BootstrapTokenEscrowStatus for macOS devices. For macOS Big Sur devices, additional Bootstrap Token details are also returned.

The following device security information API responses include Bootstrap Token information:

  • Action: GET
  • Version: 1
  • URL: https://<host>/mdm/devices/security?searchby=<searchby>&id=<id>
  • URL: https://<host>/mdm/devices/<device id>/security

Prerequisite:

  • The device must run macOS Catalina 10.15.0 or later.
  • On macOS 10.15.4 and later, the device only needs to be User Approved MDM enrolled.
  • On macOS 10.15.0 through 10.15.3, the device must be enrolled through Apple Business Manager to use Bootstrap Token.
  • On macOS Catalina, Bootstrap Token primarily aids in enabling SecureToken for users with mobile accounts. This requires the Mac to be bound to a supported directory service such as Active Directory. Network users are not supported.
  • On macOS Big Sur and later, Bootstrap Token also supports SecureToken enablement for local account users.