Jamf Connect, Big Sur, and Bootstrap Tokens: A Love Story

With macOS Big Sur, a device enrolled in Jamf Pro, a FileVault recovery key escrowed in the Jamf Pro server, additional users created on that device with Jamf Connect automagically receive a SecureToken to unlock the device.

January 4 2021 by

Sean Rabbitt

History: SecureToken and macOS Catalina

Simply put, to unlock FileVault on a macOS device, a user needs two things: a password and a SecureToken. Think of a password as a key to the house and the first SecureToken as the deed to the property with the user’s name on it. They’re the verified owner of the property. With deed in hand, the owner can hand out keys to whomever they desire.

In macOS Catalina, only a user with administrative rights could receive the deed to the property. Because only an admin user could receive the first SecureToken, the LAPSUser (Local Administrator Password Solution user) concept was co-opted from Windows; Jamf Connect would use an existing administrator user, authenticate with that user to get the SecureToken, enable FileVault, and then grant a SecureToken to a standard user created by Jamf Connect.

This system had a few disadvantages: macOS demanded there be an administrator account on a new computer coming in via automated device enrollment opening the door of potential password compromise; unless hidden, a user sees another user on the device; and if Jamf Connect made an administrator user instead of a standard user, the LAPSUser never got the SecureToken and broke other workflows designed around that administrator user.

Enter the Bootstrap Token

The Bootstrap Token was designed for user accounts managed with Active Directory (aka bound computers) to get additional SecureTokens for all new users if they were standard or administrator. The MDM would receive a Bootstrap Token which would allow the MDM provider to grant a SecureToken to additional users created on the computer.

The downfall of this is that an administrator user would need to make the first user account on the computer and then bind the computer to an on-premises Active Directory. This usually means hands on devices, breaking our zero touch workflow. Consequentially, the first “real user” of the computer would need to be made after the administrator unlocked FileVault, which means either writing down the admin password on a sticky note and handing it to the user (makingstandard user rights pointless) or, again, hands on computers.

Enter the Bootstrap Token round two: macOS Big Sur

In macOS Big Sur, the device no longer must be bound to Active Directory, and real local accounts can take advantage of the Bootstrap token. To achieve this, the device must:

  1. Be enrolled via Automated Device Enrollment (DEP) workflow OR be enrolled via User Approved MDM method(UAMDM) by a user who has a SecureToken
  2. The MDM provider must support Bootstrap Token

Jamf Connect and Big Sur

With Jamf Connect, macOS creates user accounts on-demand, just in time, based on a user’s credentials from their cloud identity provider. Combined with Jamf Pro, Jamf Connect can enable FileVault on initial startup of the computer, escrow the FileVault recovery key as an emergency “break glass” entry into a computer, and use the Bootstrap Token stored in Jamf Pro to get Secure Tokens for additional users after the initial user.

Jamf Connect also can use an attribute in the identity provider to determine if a user should receive administrator rights when the account is created. So now, a new user account can be created with standard rights, get a SecureToken, pass a Bootstrap Token to Jamf Pro, and additional users will also get a SecureToken, no admin account needed.

Here’s how it looks

Our first user opens their new computer, turns it on, and Jamf Pro takes over to set up the computer. The user signs in with their identity provider credentials and makes their first user account.

We can confirm that the first user is a standard user, and with the command:

 % diskutil apfs listcryptousers /

We can see the user now has a SecureToken and a Bootstrap Token was sent to the Jamf Pro server.

The first user then logs out of the computer (at this time, FileVault is still decrypted…)

and a new user account logs in:

Then, we open up System Preferences and can use the command:

 sysadminctl -secureTokenStatus [user short name here]

to make sure they too have a SecureToken.

And they do. No extra work needed.

Not a Jamf Connect or Jamf Pro user?

See how both can help your organization succeed with Apple

Want to know more?

Learn about Jamf Connect.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.

Tags: