After a macOS 10.15 or later device is enrolled, UEM automatically sends an MDM setting to the device indicating that the server accepts Bootstrap Token escrow. The escrowed token is what allows UEM to grant SecureToken to mobile accounts created on the device, so verifying that it is actually escrowed is worth doing after enrollment.

To verify availability and, if needed, generate and escrow a Bootstrap Token, perform the following steps:

  1. On the Mac, navigate to Applications > Utilities > Terminal.
  2. To check whether Bootstrap Token is supported, run the following command:

    sudo profiles status -type bootstraptoken

    This command returns output similar to the following:
    Bootstrap Token supported on server: YES
    Bootstrap Token escrowed to server: YES (or NO)

    The first line indicates that the UEM server advertises Bootstrap Token support to the device; the second line indicates whether a token has already been escrowed. If the Bootstrap Token has not yet been escrowed, proceed to Step 3.

    Note: Automatic escrow of the Bootstrap Token happens only on macOS 10.15.4 or later, where the token is generated and escrowed on the first login of a SecureToken-enabled user. On macOS 10.15.0 through 10.15.3 it must be generated and escrowed manually (Step 3).
  3. To generate and escrow a Bootstrap Token, run the following command:

    sudo profiles install -type bootstraptoken

    This command is interactive and prompts for the username and password of a SecureToken-enabled administrator; the token cannot be created from an account that does not hold a SecureToken.
    Enter the admin username:adminuser
    Enter the password for user 'adminuser':
    profiles: Create Bootstrap Token created
    profiles: Bootstrap Token created
    profiles: Bootstrap Token escrowing to server...
    profiles: Bootstrap Token escrowed
    
    After the Bootstrap Token is escrowed, run the command from Step 2 again to verify:
    sudo profiles status -type bootstraptoken
    
    Bootstrap Token supported on server: YES
    Bootstrap Token escrowed to server: YES
    
  4. For further verification, run the following command to list the cryptographic users that can unlock the FileVault-encrypted boot volume:

    diskutil apfs listcryptousers /

    This command should list the UUID of every SecureToken-enabled account on the volume (including the mobile account) and an entry of type MDM Bootstrap Token External Key.

    You can compare this list with the output of sudo fdesetup list, which maps SecureToken-enabled account names to their UUIDs. The Bootstrap Token key appears only in the diskutil listing, since fdesetup list reports user accounts only:
    Cryptographic users for disk1s5 (3 found)
    |
    +-- 16C00654-9A3E-4129-BF21-A66261BBA58C
    |   Type: Local Open Directory User
    |
    +-- 2457711A-523C-4604-B75A-F48A571D5036
    |   Type: MDM Bootstrap Token External Key
    |
    +-- C3701A60-377E-4A55-94B8-3147975C357A
        Type: Local Open Directory User

    sudo fdesetup list

    adminuser,16C00654-9A3E-4129-BF21-A66261BBA58C
    mobileuser,C3701A60-377E-4A55-94B8-3147975C357A
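The checks in Steps 2 through 4 can be scripted for fleet-wide verification. The following is an added example, not part of the Workspace ONE UEM documentation or of VMware's tooling: a POSIX shell script whose check functions take the output of profiles status, diskutil apfs listcryptousers and fdesetup list as strings, so the same logic runs against live output on a Mac and against the constructed sample output embedded at the bottom (the UUIDs are the ones from the listing above). The function names and the exit-code convention of bt_verify are the example's own.

```shell
#!/bin/sh
# Added example: verification helpers for the Bootstrap Token procedure above.
# Not part of the Workspace ONE UEM documentation. Each function takes command
# output as a string argument so the checks run both on live output (see the
# usage note) and on the constructed samples at the bottom of this file.

# Succeeds when `profiles status -type bootstraptoken` reports server support.
# The pattern tolerates output with or without a space after the colon.
bt_supported() {
    printf '%s\n' "$1" | grep -qE 'Bootstrap Token supported on server: *YES'
}

# Succeeds when the same output reports the token as escrowed.
bt_escrowed() {
    printf '%s\n' "$1" | grep -qE 'Bootstrap Token escrowed to server: *YES'
}

# Succeeds when `diskutil apfs listcryptousers /` lists the MDM Bootstrap
# Token External Key as a cryptographic user of the volume.
bt_key_on_volume() {
    printf '%s\n' "$1" | grep -q 'MDM Bootstrap Token External Key'
}

# Prints every UUID found in the diskutil output, one per line, upper-cased.
crypto_user_uuids() {
    printf '%s\n' "$1" \
      | grep -oE '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' \
      | tr 'a-f' 'A-F'
}

# Cross-checks `fdesetup list` (user,UUID lines) against the diskutil listing:
# every SecureToken-enabled user must also be a cryptographic user of the
# volume. Prints each mismatch; succeeds only when there are none.
missing_securetoken_users() {
    fde="$1"; disk="$2"; missing=0
    uuids=$(crypto_user_uuids "$disk")
    while IFS=, read -r user uuid; do
        [ -n "$user" ] || continue
        uuid=$(printf '%s' "$uuid" | tr 'a-f' 'A-F')
        if ! printf '%s\n' "$uuids" | grep -qxF "$uuid"; then
            echo "$user ($uuid) has SecureToken but is not a crypto user on the volume"
            missing=1
        fi
    done <<EOF
$fde
EOF
    return $missing
}

# Runs the whole verification. Exit codes (this example's own convention):
# 0 all good; 1 server does not advertise Bootstrap Token support;
# 2 token not yet escrowed (run Step 3); 3 token key missing from the volume;
# 4 SecureToken users and volume crypto users disagree.
bt_verify() {
    status="$1"; disk="$2"; fde="$3"
    bt_supported "$status" || { echo "UEM does not advertise Bootstrap Token support"; return 1; }
    bt_escrowed "$status" || { echo "Bootstrap Token not escrowed; run: sudo profiles install -type bootstraptoken"; return 2; }
    bt_key_on_volume "$disk" || { echo "No MDM Bootstrap Token External Key on the volume"; return 3; }
    missing_securetoken_users "$fde" "$disk" || return 4
    echo "Bootstrap Token escrowed and volume crypto users are consistent"
}

# Constructed sample output (UUIDs taken from the listing above) so the checks
# can be exercised off-device.
SAMPLE_STATUS_ESCROWED='Bootstrap Token supported on server: YES
Bootstrap Token escrowed to server: YES'
SAMPLE_STATUS_PENDING='Bootstrap Token supported on server: YES
Bootstrap Token escrowed to server: NO'
SAMPLE_DISK='Cryptographic users for disk1s5 (3 found)
|
+-- 16C00654-9A3E-4129-BF21-A66261BBA58C
|   Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
|   Type: MDM Bootstrap Token External Key
|
+-- C3701A60-377E-4A55-94B8-3147975C357A
    Type: Local Open Directory User'
SAMPLE_FDE='adminuser,16C00654-9A3E-4129-BF21-A66261BBA58C
mobileuser,C3701A60-377E-4A55-94B8-3147975C357A'
```

On an enrolled Mac, source the file and run bt_verify "$(sudo profiles status -type bootstraptoken)" "$(diskutil apfs listcryptousers /)" "$(sudo fdesetup list)"; exit code 2 means the token is supported but not escrowed, which is exactly the condition under which Step 3 applies. The cross-check in missing_securetoken_users catches the opposite failure, an account that fdesetup reports as SecureToken-enabled but that cannot unlock the volume, which the status command alone will not reveal.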

Manually Delete a Bootstrap Token

To remove the Bootstrap Token from a device, run the following command:
sudo profiles remove -type bootstraptoken

Enter the admin username:adminuser
Enter the password for user 'adminuser':
profiles: Bootstrap Token deleted
profiles: Bootstrap Token clearing on server...
profiles: Bootstrap Token cleared 

The Bootstrap Token is deleted from the device and cleared from the UEM server. After removal, UEM can no longer use the token to grant SecureToken to new mobile accounts on this device; generate and escrow a new token (Step 3) to restore that capability.

View the Event Logs

To view the event logs in Workspace ONE UEM console, navigate to Devices > Details View > Troubleshooting.

Filter by Module = Devices to see the Event Logs related to Bootstrap Token:
  • GetBootstrapTokenRequestProcessed
  • GetBootstrapTokenRequested
  • BootstrapTokenEscrowed
  • SetBootstrapTokenRequested
  • BootstrapTokenRemoved
  • RemoveBootstrapTokenRequested