Using Bootstrap Token to Create Secure Tokens Automatically on macOS Devices

Before you begin

  • This feature is supported on macOS devices running macOS 11 or later with macOS Agent 15.2.1 or later that are enrolled in SOTI MobiControl version 15.5.2 or later.
  • At least one macOS account on the device must already be secure token enabled.

About this task

In earlier macOS versions, a secure token was granted to local user accounts and administrators, but mobile and network accounts could not log in to the device until a local user or administrator holding a secure token had logged in. Starting with macOS Catalina, Apple automated the granting of a secure token to mobile and network accounts with the bootstrap token concept. With a bootstrap token in place, every mobile account that logs in automatically receives a secure token without one having to be handed off manually.

For more information about secure token and bootstrap token, see Use secure token, bootstrap token, and volume ownership in deployments.

When you enable bootstrap token support on SOTI MobiControl, after a user who is secure token-enabled logs in to the device for the first time, a bootstrap token is generated and escrowed to SOTI MobiControl for use by additional logins.
Note: Once a bootstrap token is enabled for a machine, every mobile user who successfully logs in on that machine receives a secure token, and that secure token persists even after bootstrap token is disabled on the machine by turning off the Enable Bootstrap Token toggle. The secure token must be removed from the machine manually using a script on the device.

Procedure

  1. In a Device Group that contains macOS devices, right-click the name of the group and select Advanced Configurations.
  2. Select Apple from the drop-down list.
  3. From the list of Advanced Configurations, click Bootstrap Token (macOS only).

    Image of the Bootstrap Selection in Advanced Configurations.

  4. Turn on the Bootstrap Token Options as described in Bootstrap Token Settings (macOS Only).
  5. Click Save.
    All applicable macOS devices in the Device Group are now enabled for bootstrap token. When the first admin account is created for devices in this group, the bootstrap token will be sent from the device to SOTI MobiControl for escrow. If you set up admin accounts previously for these devices, the token is passed at the next admin login event. When subsequent mobile accounts log into the device, the bootstrap token is retrieved from SOTI MobiControl and a secure token will be enabled on the account.

Monitoring Bootstrap Tokens on a Device

Procedure

  1. Click a device name to open its Device Information panel.
  2. Click the Logs tab. Any bootstrap token activity is logged as an event in the device log, which allows you to see the success or failure of token creation, requests, and deletion.
  3. Click the Device Details tab. In the Security section, SOTI MobiControl will show the current status of the bootstrap token for this device:

    Bootstrap Token information shown in the Device Details tab.

    • NA: the device does not support bootstrap token.
    • Not Configured: the device supports bootstrap token, but no token is escrowed in SOTI MobiControl yet.
    • Configured: the device supports bootstrap token, and a token is currently escrowed in SOTI MobiControl.

Troubleshooting Bootstrap Tokens on a Device Using Script Commands

About this task

If the logs indicate an issue with the bootstrap token, you can send scripts to the device to learn more and change the state of the bootstrap token. Each entry below gives the command description followed by the command example:

  • Generate a bootstrap token and send it to the SOTI MobiControl server manually:
    sudo profiles install -type bootstraptoken
  • Remove the bootstrap token from the device and clear it from the SOTI MobiControl server manually:
    sudo profiles remove -type bootstraptoken
  • View the status of the bootstrap token:
    sudo profiles status -type bootstraptoken
  • Validate the bootstrap token. When you trigger this command on the device, a call is sent to the SOTI MobiControl server for GetBootStrapToken:
    sudo profiles validate -type bootstraptoken
  • List the users that hold a secure token:
    sudo fdesetup list
  • Check the secure token status for a particular user:
    sysadminctl -secureTokenStatus <UserName>
  • Enable the secure token for a user (the first command) or disable it (the second command):
    sysadminctl -adminUser "Admin" -adminPassword "password" -secureTokenOn "localAdmin" -password "password"
    sysadminctl -adminUser "Admin" -adminPassword "password" -secureTokenOff "localAdmin" -password "password"
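The following script is an added example, not SOTI's code, that ties the status commands above together into a single read-only audit of a Mac: it checks whether a bootstrap token is escrowed and reports the secure token state of every local account. The two parsing functions take command output as text, so they are exercised here against constructed sample output; the assumed output formats of profiles status -type bootstraptoken and sysadminctl -secureTokenStatus are marked in the comments, and the live section only runs when those tools are present (that is, on macOS).

```shell
#!/bin/sh
# Added example (not SOTI MobiControl's own code): read-only audit of the
# bootstrap-token and secure-token state on a Mac, built on the commands
# from the troubleshooting list above.

# Constructed sample of `sudo profiles status -type bootstraptoken` output.
# Assumed format: two "profiles: Bootstrap Token ...: YES|NO" lines.
SAMPLE_PROFILES_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_PROFILES_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Constructed sample of `sysadminctl -secureTokenStatus <user>` output.
# Assumed format; the real tool writes this line to stderr.
SAMPLE_SYSADMINCTL_ON='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user localAdmin'
SAMPLE_SYSADMINCTL_OFF='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user mobileuser'

# Return 0 only when the MDM server supports bootstrap token AND a token is
# escrowed; $1 is the text output of `profiles status -type bootstraptoken`.
bootstrap_escrowed() {
    printf '%s\n' "$1" | grep -q 'supported on server: YES' || return 1
    printf '%s\n' "$1" | grep -q 'escrowed to server: YES' || return 1
    return 0
}

# Print ENABLED, DISABLED or UNKNOWN for the secure-token state found in the
# sysadminctl output passed as $1.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live audit: only meaningful on macOS, where profiles/sysadminctl/dscl exist.
audit_live() {
    if ! command -v profiles >/dev/null 2>&1 || ! command -v sysadminctl >/dev/null 2>&1; then
        echo "profiles/sysadminctl not found; not on macOS, skipping live audit"
        return 0
    fi
    out=$(sudo profiles status -type bootstraptoken 2>&1)
    if bootstrap_escrowed "$out"; then
        echo "bootstrap token: escrowed to the MDM server"
    else
        echo "bootstrap token: NOT escrowed (see 'sudo profiles install -type bootstraptoken')"
    fi
    # dscl lists local accounts; UIDs below 500 are system accounts and are skipped.
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r user; do
        st=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        echo "$user: secure token $(secure_token_state "$st")"
    done
}

audit_live
```

Run it with sh on the device (the profiles call needs sudo, as in the table above). One operational caveat for the enable/disable commands: passing passwords on the command line records them in shell history and exposes them in process listings for the lifetime of the process, so prefer supplying them interactively where the tool allows (sysadminctl documents - as the password value for an interactive prompt).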