Jamf bootstrap. 18? Not having much luck here with macOS 10.
Jamf bootstrap New Contributor II In response to Bol. Jamf is not responsible for, nor assumes any liability for any User Content or other third-party content appearing on Jamf Sorry for the delayed response as I didn't have notifications enabled (my mistake). Incidentally I am not the only person who has encountered this, as you can see from Depending if the bootstrap token is escrowed to Jamf, deploy a new account via MDM, then login on the device as that user. Re-enrolling without deleting the computer record in Jamf will result in the same bootstrap token Not Supported problem. With this method, the settings install when the policy is configured to run. I have a Smart Group monitoring computers where the bootstrap token isn't escrowed. I expect not, but it definitely defeats the purpose of m I ended up having to code a "profiles install -type bootstraptoken" command, which did ultimately, successfully escrow the token, but it seems excessive to have to specifically tell a computer that's been enrolled via DEP to escrow it's token. Jamf history indicates a 'ScheduleOSUpdate' command was received & it eventually clears itself from the pending list, the update itself just dies on the vine. It sounds like maybe your computers aren't escrowing the bootstrap token from Jamf? I think my workflow is a little janky but it does work on Sonoma and Ventura. Sigh. 1 We have 11. Jamf does not review User Content submitted by members or other third parties before it is posted.
Good luck! 23. FileVault provisioning is by user, not by system. during a presentation), while also ensuring they stay up to date If a bootstrap token is properly escrowed for devices requesting an upgrade, the command . Ensure that the computer has a stable connection to the internet and can communicate with the Jamf Pro server without any issues. 1 or later). First off even without a Secure and BootstrapToken a Mac can be in JAMF. Yes, we can script it to escrow after the I have spent the best part off 3 months backwards and forwards with jamf support. This repository includes 3 Extension attributes that populate the status of your SecureToken holders & escrowed bootstrap tokens. I'm happy to see bootstrap token support in Jamf 10. Bootstrap token is escrowed. We're using JAMF School as our MDM to control circa 230 M1 MacBook Air that have from MacOS 11. I have found that the local admin account that gets created during the enrollment process receives the bootstrap token. a Bootstrap Token is escrowed to Jamf Pro. Has anyone been successful in getting bootstrap tokens to work via user-initiated - 232998 Thanks for this! I will test the script ASAP. If your re-enrollment settings are set to clear commands and policy history, everything should re-run when the device re-enrolls, as if it were a new computer.
By the time JAMF School wasn't able to keep the bootstrap token on the server side (it was assigned to a local admin deployed with the MDM configuration) and Big Sur didn't have a stable way to update remotely (this was on Monterey roadmap, and they did solve this part) so we've waited to the Monterey debut and JAMF School updates. JAMF Pro Has anyone done this before? I found a few commands to pass the admin account and admin password through a script, but didn't have any luck. This was already the case since macOS Catalina 10. Is there a way to run the following commands without disabling System Integrity Protection? cd /var/db/ConfigurationProfiles sudo rm -rf * sudo mkdir Settings sudo touch Settings/. 2 and Jamf Pro 10. On devices where it is missing, there is al Are there any other suggestions as to why a computer might not escrow its Bootstrap Token at enrollment? We have met all of the conditions listed by the OP, including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in E THANKS KYLE, have been chasing my tail for the past 24 hours and was lucky enough to find your wisdom! +1 Beer at JNUC 2022 or whenever on - 232998 The admin account created by JAMF on first boot during DEP enrollment in MDM is not created with securetoken. macOS will request the token to authorize software updates Upgrading to macOS Monterey 3 TEP. Free University of Berlin # # This Scripts does a background Terminallogin to get a secureToken and escrowing bootstrap # Intended Usage for ZeroTouch Enrollments Hi, that depends on the full state of the computer.
I don't have many devices without a secure token anymore as we're using a LAPS By the time JAMF School wasn't able to keep the bootstrap token on the server side (it was assigned to a local admin deployed with the MDM configuration) and Big Sur didn't have a stable way to update remotely (this was on Monterey roadmap, and they did solve this part) so we've waited to the Monterey debut and JAMF School updates. I now have got a bit further and Maya is now launching (thank you). I have a Smart Group monitoring computers where the bootstrap token isn't escrowed. Intel Macs can use a bootstrap token or a secure token to authorize the install of OS updates; Jamf recommends using remote commands instead. You need to have the bootstrap tokens escrowed in your JAMF server as well as having Management over the devices and DEP. plist file in a script instead of creating the . Is this something we need to do manually for all 10. A lot of devices are in student labs, or shared between co-workers. Wonder if you found the solution. My workflow is: 1. Apple also requires user interaction to be granted a FileVault token which makes automation very difficult. Yes, we can script it to escrow after the I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10. Yes, we can script it to escrow after the fact, but it would be nice if they We have JAMF School instead of JAMF Pro, but Pro is way better with a lot more features. Check the network connection between the computer and the Jamf Pro server. It is not getting a secureToken.
Over why bootstrap tokens don't always get escrowed back to jamf pro during our enrollment process. Anyone tested Bootstrap token with Mobile accounts and Jamf Pro 10. Devices need to be enrolled with PreStage for mass action (MDM OS Update) commands to work. ) However, despite repeated attempts, I cannot reliably get the bootstrap token to escrow automatically at first interactive login, as I'm led to Filevault was disabled at our organization due to issues with secure tokens. The device was locked until So far, the only fix I've found is to remove the MDM profile for that Mac, delete the computer record from Jamf and then re-enroll it. I also wanted to add to this thread, did you know that you can create a . This session will dig into what each is, why We have met all of the conditions listed by the OP, including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Simply put, to unlock FileVault on a macOS device, a user needs two things: a password and a SecureToken. e. Differed OS updates will still be deferred with MDM update commands. the majority of our fleet of 500+ Macs are Intel based and have never had issues with the secure token being escrowed. Important for the rest of the discussion. Hello, I have the same issue and do have the same setting setup. 0. Will it require using the OrgAdmin account to grant a token and/or send the bootstrap token to Jamf Pro? TTG says: 14-01-2021 at 21:54. Introduced in macOS 10.
I have other scripts that load launch daemons that use bootstrap/bootout. For instructions, see Updating macOS by Sending a Mass Action Command. Create new users when they first log in with Platform SSO (macOS 13 or later). Jamf is a software company best known for developing Jamf Pro (formerly The Casper Suite). Jamf has said “you can use the management account!” but many of us with Jamf Pro infrastructures that span several years (with thousands of computers) have management accounts that were used for Jamf Remote, never actual login. thx - 277278 Generally, the Bootstrap token gets automatically uploaded during login from a user that has a Secure Auth Token. Is this wrong to begin with? I created a new admin user via Jamf policy, and then used it to log on to the machine (physically, note remote so to speak). Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. An Extension Attribute (EA) is leveraged that looks for the existence of the file created above on scoped devices. Prestage creates an admin account. Again, test stations (both Silicon & Intel @ 11. My understanding is that we need to use Launchctl bootstrap instead of Launchctl load as we did with older versions of macOS. Authorize the installation of software updates. Mobile Accounts generally don't have one by default, so there's a chance that's what We don't use pre-stage enrollment for classroom computers. Even though the MDM can hand out SecureTokens to newly created user accounts thanks to the wonders of the bootstrap token, macOS is going back to its pre JAMF must have a bootstrap token escrowed to be able to update Apple Silicon devices. Particularly, we were running Jamf Pro 10. 6.
Hopefully someone finds this useful :) #!/bin/bash tok I have a Smart Group monitoring computers where the bootstrap token isn't escrowed. This version of - 292944. My script is long and does several things to validate if a bootstrap token is required, if our administrator account is there, has a secure - 232998 including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in Escrow. Are you having issues with Macs that you So, with this post I want to provide a few things which might make your life easier by correctly reporting the Secure / Bootstrap Token situations in your environment into Jamf Pro: Report if Bootstrap is escrowed in MDM; List macOS Catalina 10. Anyone who logs in after that receives a secure token. 5. . 19, but I only want to run profiles install -type bootstraptoken for users that don't have a token escrowed. I do not have a script because, as said previously, - 232998 including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in Escrow. Did you resolved the issue in the meantime ? - 277278 But before there has no issue with bootstrap token escrowed to Jamf. Greetings Jamf Nation! Many organizations are likely running software updates on their fleets this week, as well as with new Jamf Pro versions. Set the installation I have spent the best part off 3 months backwards and forwards with jamf support. 18. This version of the script even assumes that the Mac is in JAMF to delete and recreate a defective Adminuseraccount trough Policies. I guess I can check to see if that triggers the escrow.
However, I need to be able to install and license both Maya 2022 and Mudbox 2022 on our Macs, which of course both have different product keys (657N1 and 498N1) and the below line will only cater for one or the other. There is an MDM command that is sent to devices that you can see in the history called "Settings - Bootstrap Token Allowed". That should, in my opinion, be assumed when dealing with This is great @kyle. 32. The for some reason (I've worked with Support on this), the Mac's are then becoming unmanaged ticking "Allow Jamf Pro to perform management tasks" as per Support brings the Mac back into managed. 15 introduces a new feature called the Bootstrap Token. Hmm. So I'm pretty new to this whole JAMF thing from a management point. I used the same framework as my FileVault We are experiencing the same behavior. We have a number of machines that don't have the bootstrap token escrowed. This guide will show 18 or above). Ok, have to admit I’m confused. I couldn't find an existing EA here to help scope my policy, so I put one @jwojda You might have to unenroll and re-enroll - 232998 Not sure if just 'any' account needs to log-in or only the Admin account. 26 we see the following: % sudo profiles status -type bootstraptoken Password: profiles: Boots # Exit successfully if Bootstrap token is already escrowed. A bootstrap token can also be generated and escrowed to MDM using the profiles command-line tool, if needed.
Jamf Pro Policy – Allows customized user experience and messaging. This type of setup was demonstrated in a session at JNUC this year (although their example used Jamf Pro and Jamf Connect, not Jamf Pro and Xcreds the principles should be the same though. 2 and 14. escrow bootstrap token remotely . To move the bootstrap token to the server side you need to do sudo profiles install -type bootstraptoken - 232998. profilesAreInstalled We don't to have users to go into recovery mode and disable SIP to resolve this issue. 15 Catalina. The first policy that runs at enrollment Creates another Admin account and delete's the admin account created by the prestage. Why isn't the bootstrap token automatically coming down during enrollment if we do have the option checked: Prevent user from enabling Activation Lock? On an M1 MacBook Air, attempting to enroll to Jamf 10. 4 and Bootstrap tokens are generally escrowed when the device is enrolled in JAMF, preferably by Automated Device Enrollment. 15. Jamf says the bootstrap token is escrowed. gets the SecureToken and therefore can't be deleted from the system when no other account has a SecureToken and/or the bootstrap hasn't been Hello World! This issue is kind of weird since it should work, but it doesn't work. I couldn't find an existing EA here to help scope my policy, so I put one together. I see that happenning recently and without that we cannot even update/upgrade macOS from Jamf. x devices? Will we need to do the the sudo profiles install -type bootstraptoken for new/reprovisioned devices or will it be automagically be done?
I've noticed if I have 'Make the Admin account MDM enabled' ticked in the prestage enrolment, a bootstrap token isn't escrowed until the Admin account logs-in to the machine. Silently authorize an Erase All Content and Settings MDM command (macOS 12. Hi Sam! How is the OrgAdmin created exactly? You correctly mention that the Jamf Did you re-enrol that test machine after you upgraded your jamf server? I noticed the same issue, I erased my test machine and re-enrolled - 204927 It looks like logging in as a standard user after deployment does not successfully escrow the bootstrap token. - 232998. You should now have another token holder to complete your workflow. Then suddenly its escrowed. If you have multiple Jamf Pro servers, try clearing the bootstrap token on another server. Jamf Connect's ZTNA, using the Wireguard VPN protocol for packet routing, can be deployed to iOS, iPadOS, Android, macOS and Windows devices with the Jamf Trust app. Scripts were much more reliable (which is not saying much with how poor they were) but that is all out the Assumptions: Macs are supervised and enrolled in Jamf. I have the same settings, We are using JAMF Pro an M1 - Error: "Erase All Content and Settings preflight failed: Unable to get Bootstrap Token" erickson ! Thank you. Communicating to end users 4 TEP A final note, and one to be very conscious of throughout this process, is communicating openly, transparently and often to your end users about what is going to happen with their devices and what their Ok, good news. It was my understanding that when bootstrap token is escrowed to jamf, users will get a secureToken upon first login. As a Jamf Admin, I want to issue a remote command for my macOS devices to update their OS, while also giving them the option to defer the OS update so that their critical workflows aren’t interrupted (ex.
plist file and having to create a If the computer has escrowed a bootstrap token with Jamf Pro, the Wipe Computer command will attempt to do an Erase all Content and Settings. I currently have 7 M1 and newer M2's and am having this issue. These are some of the options we've used: , M1 chip) to use RestartDevice MDM command. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. On a side note, JAMF really needs to update that training video. With deed in hand, the owner can hand out ke When a Bootstrap Token is escrowed on the Jamf Pro Server, macOS Catalina can request and receive it when Mobile accounts sign in and generates a SecureToken for that user account. Any user that logs in to computer from the Login window (not the FileVault window) is granted a Secure Token IF the computer has a bootstrap token escrowed in Jamf (or another MDM) So, if you want to grant your Administrator an ST, you need to come up with a workflow to ask the user from their password and use a script to give the Administrator a token. Thanks for this, we were having issues FileVault encrypting a small population of our Macs and using your instructions helped us get them encrypted! : ) You may want to check what I have done here.
Go Hey Mario - Correct, this is a real pain the neck for us as well. 2. When I was testing manually it wasn't showing as single line (as searching for supported returned only one result, escrowed one result, and searching for server returned 2. I'm trying to provide a self-service option by having someone run - 337533 Correction, without a bootstrap token anymore. So far, the only fix I've found is to remove the MDM profile for that Mac, delete the computer record from Jamf and then re-enroll it. Mobile Accounts generally don't have one by default, so there's a chance that's what caused your issue. The bootstrap token is usually generated on the Mac and escrowed to the MDM solution during the macOS setup process after the MDM solution tells the Mac that it supports the feature. This is why we do. Here is the whole article: Additional admin with SecureToken, or not? - Travelling Tech Guy By the time JAMF School wasn't able to keep the bootstrap token on the server side (it was assigned to a local admin deployed with the MDM configuration) and Big Sur didn't have a stable way to update remotely (this was on Monterey roadmap, and they did solve this part) so we've waited to the Monterey debut and JAMF School updates. Generally, the Bootstrap token gets automatically uploaded during login from a user that has a Secure Auth Token. New Catalina Mac out of the box we run standard Apple set and create an IT Admin account, once created we enroll to jamf, profiles hit the Mac and stuff happens. Jamf Cloud customers can download and schedule to install an upgrade using Managed Software Updates, powered by the declarative device management update when Bootstrap Token is escrowed with Jamf Pro, which is the recommended update method.
Using the Bootstrap Token functionality in macOS 10. Jamf is the only company in the world A Jamf policy then creates a second admin account, "Adminbak". This provides you with insight into what macs need remediation which is critical because only managed macs with an escrowed bootstrap token will accept the MDM command. 2) Is the Bootstrap Token Escrowed to Jamf Pro? This is the part that stumped me the longest. In recent years, three things have become important for Mac Admins: Bootstrap Tokens, Secure Tokens and Volume Ownership. I have spent the best part off 3 months backwards and forwards with jamf support. 1), where the first user logging into the computer isn't getting the Secure Token or Volume Ownership. Scripts were much more reliable (which is not saying much with how poor they were) but that is all Using the Bootstrap Token functionality in macOS 10. These work well. Our M1's are getting Bootstrap Tokens Escrowed correctly. Hi, that depends on the full state of the computer. If the user was not the first to interactively log in AND they are not an admin Jamf Pro will not be able to automatically escrow the Bootstrap token. They’re the verified owner of the property. dmlasd. My understanding is that once a device knows it can escrow the token, it will do so after an existing user with a token signs in. or macOS can request and use a bootstrap token escrowed with Jamf Pro if an update was scheduled with an MDM command, avoiding the need for user interaction to authorize an update.
That's interesting and I'll investigate further. OS is Monterey or later. ) However, despite repeated attempts, I cannot reliably get the bootstrap token to escrow automatically at first interactive login, as I'm led to Packages can be deployed as a Bootstrap package, when signed with a Developer Signing Certificate provided by Apple, or as a Policy. The script then runs a jamf recon command to update the computer inventory record. Because no account has a token, you can't add a token. Error: Bootstrap token must be escrowed to the Jamf Pro server in order for computers with Apple Silicon (i. 3. That is 5 years out of date now. Important: Bootstrap only gives an account a SecureToken when that account is logging in via the LoginWindow (after Bootstrap was enabled). The way Apple has FileVault setup and configured it does not do well with shared device use cases. info. FileVault is enabled. 3 all through 11. A computer can then request a bootstrap token to grant secure tokens to users logging in to the computer. I'm seeing an unusual issue (I think). 1 available for update on some devices and want to force update on every MacBook but, when you are on the device and choose "Install and I'm seeing an unusual issue (I think). Upload your Octory package to Jamf Pro: Settings > Computer Management > Packages. Mainly because Apple grants the Secure Token right to the first user whole actually login to the device.
Command option example:--auth-jamf-account='superapi'--auth-jamf-password='ThisIs@Test' When deploying super using the command line, if either the account name or password contains any special characters or Helped me allot. including "Prevent user from enabling Activation Lock" and yet our M1 MacBook Airs are still not showing up in JAMF with a Bootstrap Token in Escrow. This means, anyone with the secure token and input their credentials and get th I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10. Volume ownership. Both types of account will receive the first SecureToken and Bootstrap will immediately be enabled (if the MDM server supports it – Jamf Pro 10. New Catalina Mac out of the box we run standard Apple set and create an IT Admin account, once created we enroll to You need to have the bootstrap tokens escrowed in your JAMF server as well as having Management over the devices and DEP. You can create a bootstrap token using the profiles command line tool. Enrolled computers create and escrow a bootstrap token to Jamf Pro. Well this current test machine has not been logged in, but I planned to log in as a user created via the "Create Account" policy rather than the admin account created by enrollment. In the past week, I noticed a couple freshly wiped + re-enrolled computers (all on Sonoma 14. 18? Not having much luck here with macOS 10. Think of a password as a key to the house and the first SecureToken as the deed to the property with the user’s name on it.
Yes, we can script it to escrow after the So far, the only fix I've found is to remove the MDM profile for that Mac, delete the computer record from Jamf and then re-enroll it. I'm happy to see bootstrap token support in Jamf 10. If you have all that the Management Command should just work, but you really get no logging and users get no notification. ZTNA is enabled and managed through the Jamf Security Cloud portal and can be deployed alongside other Jamf security products and capabilities, such as Jamf Protect . 2. Goals: Have a local admin account for support purposes (not necessarily FileVault-enabled since we have Apples dream for M The bootstrap token is usually generated on the Mac and escrowed to the MDM solution during the macOS setup process after the MDM solution tells the Mac that it supports the feature. verify=$(profiles status -type bootstraptoken | awk '/escrowed/ {print $7}') #This will create and escrow the bootstraptoken on the Jamf Pro Server. Yes, a login though the login window. Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. 0 but were still seeing our devices show that tokens were not supported on the server. However, a bootstrap token can also be generated Second, Jamf is also forcing their same 29 character passwords (like Recovery Lock). I tried manually with “sudo profiles install -type bootstraptoken” but I got this error JAMF Support is correct. All local accounts have Secure Tokens, and there are at least two local accounts (end user account and support account). In our case, as part of provisioning our team has to login with our local A Jamf Pro user account name and password with appropriate privileges to request macOS managed software update MDM commands.
This catch22 should not be possible, which is Apple's fault, and the account made by JAMF should have a token which I want to say is JAMF's fault, unless Apple is once again not Glad i found this thread, thankyou for the "launchctl bootstrap system" change info. I'm posting this in case others encountered this issue with bootstrap tokens on macOS 10. During PreStage enrollments where the LASA remains untouched this process completes just fine (usually). My team off 3, have manual been through our 300 labs devices, to tidy up any machines that dont have a bootstrap token escrowed to Jamf. We are looking at getting away from AD binding with Jamf connect, but we are not there yet and are trying to find a solution in the meantime. I started working with Bart's swiftDialog tool recently and saw the opportunity for this when I noticed several computers in my environment without Bootstrap Tokens escrowed into Jamf Pro. But that account did not get Secure Token, because Boostrap was not enabled, and Bootstrap was not enabled because the only account with Secure Token could not be interactively logged in with. 2) are at the login window when running the mdm command, bootstrap token verified escrowed on the server, Jamf 10. Enabling filevault caused issues when the previous user didn't logout, or the device experienced power failure/random restart. This feature will help with granting a SecureToken to both mobile accounts and the optional device enrollment-created administrator account. spawn /usr/bin/profiles install I have spent the best part off 3 months backwards and forwards with jamf support. However, a bootstrap token can also be generated on a Mac that has already been deployed. And i All of the machines in question were initially set up with a local admin user, then added to Jamf via the user-initiated enrollment process.
Packaging the macOS installer and installing macOS Bootstrap Token – When a SecureToken user is created or signs in, an additional token that gets escrowed to MDM. But after device dep I'm seeing an unusual issue (I think). Some MDM solutions (like Jamf Pro) allow the creation of a Signing Certificate for this purpose.