Secure Token and Bootstrap Token: Changes in macOS Big Sur

At WWDC 2020, Apple announced some exciting changes coming to Bootstrap Token and Secure Token on macOS Big Sur. In this guide, we’re going to take a look at how these tokens work and what the latest changes mean for device management for Mac computers.

Here’s a quick overview of what we’ll cover:

What’s New with Big Sur?
What’s Secure Token?
What’s Bootstrap Token?
How to Acquire Bootstrap Token

What’s New in Big Sur?

Apple announced several changes at WWDC concerning macOS Secure Token and Bootstrap Token with macOS Big Sur:

Bootstrap Token will now be leveraged to grant any user a Secure Token when they log in graphically to macOS. Previously, the Bootstrap Token was only leveraged to grant Secure Token to Mobile Directory Accounts and an Auto Admin account.
For future devices running macOS Big Sur with Apple Silicon, MDM will require a Bootstrap Token in order to approve and load Kernel Extensions (KEXTs) and install Software Updates. This feature will be automatically enabled for devices enrolled via Automated Device Enrollment. For manually enrolled devices, this feature will be enabled via macOS Recovery.
Secure Token will be granted to the first account whose password is set. This excludes an Auto Admin account due to the fact that, when creating a Secure Token, macOS requires the password to be available in plain text; in the case of the Auto Admin account, the password for that account is set using a hash via an MDM command. Auto Admins can still be granted Secure Token simply by signing into the account graphically.
Bootstrap Token will still be escrowed to the MDM Server any time a Secure Token enabled user signs in.

bootstrap-tokens-big-sur 1-1 Over the next couple of sections, we’re going to explore what the changes coming to Mac, Secure Token, and Bootstrap Token mean for device management.

For a full breakdown of what's new with macOS Big Sur, read our comprehensive guide for Mac Admins.

What Is SecureToken?

On Mac, Secure Token was introduced as an account attribute in High Sierra. This attribute allows users to perform cryptographic operations. These cryptographic operations include enabling FileVault disk encryption and determining if a user can unlock a FileVault-encrypted volume at startup.

The Secure Token macOS attribute is automatically granted to two types of accounts, and once these accounts become Secure Token-enabled, they can transfer their enablement downstream when they create new local accounts.

Here are the two types of accounts that are automatically enabled for Secure Token:

Local Admin Accounts Created via Setup Assistant: The first account that’s created on a device will be granted the Secure Token attribute.
(on macOS Big Sur, Secure Token is now granted to the first account whose password is set, except for the Auto Admin created in a Automated Device Enrollment configuration). Once this account is Secure Token-enabled, any local accounts that it creates via System Preferences > Users & Groups will have the attribute too.
Local Admin Accounts Created via Automated Device Enrollment: If a local admin account is created during Automated Device Enrollment, it will also be granted a Secure Token. However, the admin must be the first user to log in.

The idea behind the Secure Token macOS attribute is that only trusted accounts (those that are granted Secure Token enablement) can use cryptographic operations, and create other accounts that are also Secure Token-enabled.

This creates a chain of trust for the device, only enabling users with the proper account attribute to access a FileVault-encrypted Apple File System (APFS) volume. However, this layer of security also presents a challenge for device management: how can IT remotely manage company devices in circumstances where users aren’t automatically granted Secure Token? We’ll look at that next.

Who Doesn’t Receive Secure Token?

If your deployment workflow involves creating accounts via command-line tools or otherwise bypassing Setup Assistant, you may run into some problems with Secure Token. As we mentioned earlier, Secure Token is passed down from one trusted account to another. However, if you create accounts using the following methods on a Mac, Secure Token will not be automatically granted:

Accounts Created via Command-Line Tools: If an account is created using packaged scripts, installers, or command-line tools, it will not receive the Secure Token attribute automatically.
Active Directory Mobile Accounts: If you bind to Active Directory, the account that logs in to the device first (which might be a directory account if you are skipping Setup Assistant account creation) will receive the Secure Token attribute. However, all future logins by this account and by the accounts that it creates will not receive the Secure Token attribute.

While Secure Token enablement isn’t automatically granted to these accounts, IT can still accomplish automatic enablement by leveraging the new capabilities of Bootstrap Tokens. We’ll take a look at this next.

What Is Bootstrap Token and What’s New in Big Sur?

As we mentioned in the last section, some methods of account creation don’t result in automatic Secure Token enablement. That’s where Bootstrap Token comes in. Bootstrap Tokens are encryption keys provided by an MDM server. Introduced in macOS Catalina, they primarily assist with enabling Secure Token for Active Directory mobile accounts or the Auto Admin account.

In short, Bootstrap Tokens let IT overcome the Secure Token issues that we mentioned earlier, and as of Big Sur, they’re required to approve and load KEXTs or install software updates onto an Apple Silicon device.

Before Apple introduced Bootstrap Tokens, IT had to create complicated workflows in order to grant the Secure Token macOS attribute to accounts. In some cases, this required entering login credentials for a Secure Token-enabled administrator in order to grant another user Secure Token.

By using Bootstrap Token in macOS Big Sur, IT can skip this process for any account on MDM-enrolled devices. Before macOS Big Sur, Bootstrap Token could only be used to grant Secure Token to network accounts and MDM-created Auto Admin accounts. Now, bootstrap token will be leveraged to automatically grant Secure Token to any macOS Account as it logs in graphically.

How to Acquire a Bootstrap Token

Now that we have a handle on the link between Secure Token and Bootstrap Token, let’s take a look at how IT can use Bootstrap Tokens to make sure eligible accounts are Secure Token-enabled. Before you can begin using Bootstrap Tokens, you need to meet a few requirements. These include:

An MDM solution that supports Bootstrap Token.
A Mac that is enrolled into an MDM and is supervised.
For macOS Devices running Big Sur, the device only needs to be enrolled with a User-Approved MDM status to be considered supervised.

On macOS 10.15.4 or later, a Bootstrap Token will be automatically generated and escrowed to your MDM solution any time a Secure Token–enabled user logs into the Mac.

Once a Bootstrap Token is escrowed to your MDM solution, macOS can request the token from the MDM whenever mobile accounts or Device Enrollment-created administrators (Auto Admin accounts) log in. At this point, macOS will generate a Secure Token unique to the account and the volume it’s accessing. With macOS Big Sur, Bootstrap Token will automatically be used to grant all macOS Accounts Secure Token as they log in graphically.

You can confirm locally on a Mac if Bootstrap Token has been escrowed to its MDM server, using the following Terminal Command:

sudo profiles status -type bootstraptoken

The command will return the following output if a Bootstrap Token has been escrowed.

profiles: Bootstrap Token escrowed to server: YES

Manually Generating Bootstrap Token

If you still need to manually generate and escrow a Bootstrap Token, you can use the /usr/bin/profiles command-line tool. If you enroll a Mac using macOS Catalina or later, then an MDM setting will be sent to the device automatically. This setting will make a Bootstrap Token available for escrow.

You can generate the Bootstrap Token manually by following these steps:

1. Open Terminal: On your Mac, navigate to Applications > Utilities > Terminal.

2. Verify Bootstrap Token Support: To make sure that Bootstrap Token is supported on your MDM server, run the command below. This command will return two lines, the first indicating if Bootstrap Tokens are supported by your MDM server, and the second to clarify if it has been escrowed or not.

sudo profiles status -type bootstraptoken

3. Generate and Escrow a Bootstrap Token: If your MDM solution supports Bootstrap Token and the token has not been escrowed, you can run the command listed below. Once the command runs, you will be asked to enter your admin username and password.

sudo profiles install -type bootstraptoken

4. Verify that it Worked: You can repeat the verification command introduced in step two to make sure that a Bootstrap Token has been generated and escrowed. For further verification, you can run the command below to see all cryptographic users.

diskutil apfs listcryptousers /

You will see an output similar to the following, notice the last Crypto user is the Bootstrap Token:

Cryptographic users for disk1s1 (3 found)

|

+-- FCAE3E14-7403-46A9-82D7-CC2686E76274

|   Type: Local Open Directory User

|

+-- EBC6C064-0000-11AA-AA11-00306543ECAC

|   Type: Personal Recovery User

|

+-- 2457711A-523C-4604-B75A-F48A571D5036

    Type: MDM Bootstrap Token External Key

About Kandji

Kandji, our MDM solution, already supports Bootstrap Token, and it’s packed with other features that make it easy to manage your devices, accounts, and security. With powerful capabilities like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.