At WWDC 2020, Apple announced some exciting changes coming to Bootstrap Token and SecureToken on macOS Big Sur. In this guide, we’re going to take a deep dive into how these tokens work and what the latest changes mean for device management.
Here’s a quick overview of what we’ll cover:
- What’s New with Big Sur?
- What’s SecureToken?
- What’s Bootstrap Token?
- How to Acquire Bootstrap Token
What’s New with Big Sur?
Apple announced several changes at WWDC concerning macOS SecureToken and Bootstrap Token with macOS Big Sur:
- Bootstrap Token will now be leveraged to grant any user a SecureToken when they log in graphically to macOS. Previously, the Bootstrap Token was only leveraged to grant SecureToken to Mobile Directory Accounts and an Auto Admin account.
- For future devices running macOS Big Sur with Apple Silicon, MDM will require a Bootstrap Token in order to approve and load Kernel Extensions (KEXTs) and install Software Updates. This feature will be automatically enabled for devices enrolled via Automated Device Enrollment. For manually enrolled devices, this feature will be enabled via macOS Recovery.
- SecureToken will be granted to the first account whose password is set. This excludes an Auto Admin account due to the fact that, when creating a SecureToken, macOS requires the password to be available in plain text; in the case of the Auto Admin account, the password for that account is set using a hash via an MDM command. Auto Admins can still be granted SecureToken simply by signing into the account graphically.
- Bootstrap Token will still be escrowed to the MDM server any time a SecureToken-enabled user signs in.
Over the next couple of sections, we’re going to explore what the changes coming to Mac, SecureToken, and Bootstrap Token mean for device management.
For a full breakdown of what's new with macOS Big Sur, read our comprehensive guide for Mac Admins.
What’s SecureToken?
On Mac, SecureToken was introduced as an account attribute in High Sierra. This attribute allows users to perform cryptographic operations. These cryptographic operations include enabling FileVault disk encryption and determining if a user can unlock a FileVault-encrypted volume at startup.
The SecureToken macOS attribute is automatically granted to two types of accounts, and once these accounts become SecureToken-enabled, they can transfer their enablement downstream when they create new local accounts.
Here are the two types of accounts that are automatically enabled for SecureToken:
- Local Admin Accounts Created via Setup Assistant: The first account that’s created on a device will be granted the SecureToken attribute (on macOS Big Sur, SecureToken is now granted to the first account whose password is set, except for the Auto Admin created in an Automated Device Enrollment configuration). Once this account is SecureToken-enabled, any local accounts that it creates via System Preferences > Users & Groups will have the attribute too.
- Local Admin Accounts Created via Automated Device Enrollment: If a local admin account is created during Automated Device Enrollment, it will also be granted a SecureToken. However, the admin must be the first user to log in.
The idea behind the SecureToken macOS attribute is that only trusted accounts (those that are granted SecureToken enablement) can use cryptographic operations, and create other accounts that are also SecureToken-enabled.
This creates a chain of trust for the device, only enabling users with the proper account attribute to access a FileVault-encrypted Apple File System (APFS) volume. However, this layer of security also presents a challenge for device management: how can IT remotely manage company devices in circumstances where users aren’t automatically granted SecureToken? We’ll look at that next.
Who Doesn’t Receive SecureToken?
If your deployment workflow involves creating accounts via command-line tools or otherwise bypassing Setup Assistant, you may run into some problems with SecureToken. As we mentioned earlier, SecureToken is passed down from one trusted account to another. However, if you create accounts using the following methods on a Mac, SecureToken will not be automatically granted:
- Accounts Created via Command-Line Tools: If an account is created using packaged scripts, installers, or command-line tools, it will not receive the SecureToken attribute automatically.
- Active Directory Mobile Accounts: If you bind to Active Directory, the account that logs in to the device first (which might be a directory account if you are skipping Setup Assistant account creation) will receive the SecureToken attribute. However, all future logins by this account and by the accounts that it creates will not receive the SecureToken attribute.
While SecureToken enablement isn’t automatically granted to these accounts, IT can still accomplish automatic enablement by leveraging the new capabilities of Bootstrap Tokens. We’ll take a look at this next.
What is Bootstrap Token and What’s New in Big Sur?
As we mentioned in the last section, some methods of account creation don’t result in automatic SecureToken enablement. That’s where Bootstrap Token comes in. Bootstrap Tokens are encryption keys provided by an MDM server. Introduced in macOS Catalina, they primarily assist with enabling SecureToken for Active Directory mobile accounts or the Auto Admin account.
In short, Bootstrap Tokens let IT overcome the SecureToken issues that we mentioned earlier, and as of Big Sur, they’re required to approve and load KEXTs or install software updates onto an Apple Silicon device.
Before Apple introduced Bootstrap Tokens, IT had to create complicated workflows in order to grant the SecureToken macOS attribute to accounts. In some cases, this required entering login credentials for a SecureToken-enabled administrator in order to grant another user SecureToken.
By using Bootstrap Token in macOS Big Sur, IT can skip this process for any account on MDM-enrolled devices. Before macOS Big Sur, Bootstrap Token could only be used to grant SecureToken to network accounts and MDM-created Auto Admin accounts. Now, Bootstrap Token will be leveraged to automatically grant SecureToken to any macOS account as it logs in graphically.
How to Acquire a Bootstrap Token
Now that we have a handle on the link between SecureToken and Bootstrap Token, let’s take a look at how IT can use Bootstrap Tokens to make sure eligible accounts are SecureToken-enabled. Before you can begin using Bootstrap Tokens, you need to meet a few requirements. These include:
- An MDM solution that supports Bootstrap Token.
- A Mac that is enrolled into an MDM and is supervised.
- For macOS Devices running Big Sur, the device only needs to be enrolled with a User-Approved MDM status to be considered supervised.
On macOS 10.15.4 or later, a Bootstrap Token will be automatically generated and escrowed to your MDM solution any time a SecureToken-enabled user logs into the Mac.
Once a Bootstrap Token is escrowed to your MDM solution, macOS can request the token from the MDM whenever mobile accounts or Device Enrollment-created administrators (Auto Admin accounts) log in. At this point, macOS will generate a SecureToken unique to the account and the volume it’s accessing. With macOS Big Sur, Bootstrap Token will automatically be used to grant all macOS Accounts SecureToken as they log in graphically.
You can confirm locally on a Mac whether Bootstrap Token has been escrowed to its MDM server using the following Terminal command:
sudo profiles status -type bootstraptoken
The command will return the following output if a Bootstrap Token has been escrowed.
profiles: Bootstrap Token escrowed to server: YES
Manually Generating Bootstrap Token
If you still need to manually generate and escrow a Bootstrap Token, you can use the /usr/bin/profiles command-line tool. If you enroll a Mac using macOS Catalina or later, then an MDM setting will be sent to the device automatically. This setting will make a Bootstrap Token available for escrow.
You can generate the Bootstrap Token manually by following these steps:
1. Open Terminal: On your Mac, navigate to Applications > Utilities > Terminal.
2. Verify Bootstrap Token Support: To make sure that Bootstrap Token is supported on your MDM server, run the command below. This command will return two lines: the first indicates whether Bootstrap Token is supported by your MDM server, and the second indicates whether a token has been escrowed.
sudo profiles status -type bootstraptoken
3. Generate and Escrow a Bootstrap Token: If your MDM solution supports Bootstrap Token and the token has not been escrowed, you can run the command listed below. Once the command runs, you will be asked to enter your admin username and password.
sudo profiles install -type bootstraptoken
4. Verify that it Worked: You can repeat the verification command introduced in step two to make sure that a Bootstrap Token has been generated and escrowed. For further verification, you can run the command below to see all cryptographic users.
diskutil apfs listcryptousers /
You will see output similar to the following; note that the last cryptographic user is the Bootstrap Token:
Cryptographic users for disk1s1 (3 found)
| Type: Local Open Directory User
| Type: Personal Recovery User
Type: MDM Bootstrap Token External Key
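The checks from the SecureToken section and the four-step escrow procedure above can be scripted so an admin can audit a fleet consistently. The following shell script is an added example (not code from Kandji or Apple): it wraps the three macOS commands the page relies on (`profiles status -type bootstraptoken`, `diskutil apfs listcryptousers /`, and `sysadminctl -secureTokenStatus <user>`) in small parsing functions that take the command output as a string, so the classification logic can be exercised with constructed sample output on any platform. The sample strings, the user names in them, and the `next_step` mapping are assumptions made for illustration; only `live_audit` calls the real tools, and only when run on macOS.

```shell
#!/bin/sh
# Added example, not code from Kandji or Apple: audit helpers for the
# SecureToken and Bootstrap Token checks described in the article. The
# parsing functions take command output as a string so they can run with
# the constructed samples below; only live_audit calls the real macOS tools
# (profiles, diskutil, sysadminctl), and only when executed on macOS.

# Classify the two-line output of `profiles status -type bootstraptoken`.
# Prints one of: unsupported, escrowed, not-escrowed, unknown.
bootstrap_token_state() {
    case "$1" in
        *"supported on server: NO"*) echo unsupported ;;
        *"escrowed to server: YES"*) echo escrowed ;;
        *"escrowed to server: NO"*)  echo not-escrowed ;;
        *)                           echo unknown ;;
    esac
}

# Succeed (exit 0) when `diskutil apfs listcryptousers /` output lists the
# Bootstrap Token's key among the volume's cryptographic users.
has_bootstrap_crypto_user() {
    printf '%s\n' "$1" | grep -q 'MDM Bootstrap Token External Key'
}

# Classify `sysadminctl -secureTokenStatus <user>` output (the tool writes
# it to stderr, so callers capture it with 2>&1). Prints: enabled, disabled
# or unknown.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Map the Bootstrap Token state to the next step of the manual procedure.
next_step() {
    case "$1" in
        escrowed)     echo "nothing to do: token already escrowed" ;;
        not-escrowed) echo "run: sudo profiles install -type bootstraptoken" ;;
        unsupported)  echo "MDM server does not support Bootstrap Token" ;;
        *)            echo "unrecognised profiles output; inspect manually" ;;
    esac
}

# Constructed sample outputs (shaped like the real tools' output, not captured
# from any real Mac) so the helpers can be demonstrated offline.
SAMPLE_STATUS_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_STATUS_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_STATUS_UNSUPPORTED='profiles: Bootstrap Token supported on server: NO
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_CRYPTOUSERS='Cryptographic users for disk1s1 (3 found)
|   Type: Local Open Directory User
|   Type: Personal Recovery User
    Type: MDM Bootstrap Token External Key'
SAMPLE_CRYPTOUSERS_NO_TOKEN='Cryptographic users for disk1s1 (1 found)
    Type: Local Open Directory User'
SAMPLE_ST_ENABLED='sysadminctl[512:9001] Secure token is ENABLED for user Jane Admin'
SAMPLE_ST_DISABLED='sysadminctl[513:9002] Secure token is DISABLED for user svc-deploy'

# Live audit: run on a Mac as an admin; each argument is a local user whose
# SecureToken status should be reported.
live_audit() {
    [ "$(uname)" = Darwin ] || { echo "not macOS; skipping live audit"; return 0; }
    st=$(sudo profiles status -type bootstraptoken 2>&1)
    state=$(bootstrap_token_state "$st")
    echo "Bootstrap Token: $state ($(next_step "$state"))"
    if has_bootstrap_crypto_user "$(diskutil apfs listcryptousers / 2>&1)"; then
        echo "Bootstrap Token key present on the boot volume"
    else
        echo "Bootstrap Token key NOT present on the boot volume"
    fi
    for u in "$@"; do
        echo "$u: SecureToken $(secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
    done
}

# Offline demonstration on the constructed samples.
for s in "$SAMPLE_STATUS_ESCROWED" "$SAMPLE_STATUS_MISSING" "$SAMPLE_STATUS_UNSUPPORTED"; do
    state=$(bootstrap_token_state "$s")
    echo "$state -> $(next_step "$state")"
done
```

On a Mac, source the file and call `live_audit adminuser otheruser` to print the escrow state, whether the Bootstrap Token key is present on the boot volume, and the SecureToken status of each named account. The parsing functions match on the fixed phrases the tools print rather than on whole lines, so the timestamp and PID prefix that `sysadminctl` adds does not affect the result.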
Kandji, our MDM solution, already supports Bootstrap Token, and it’s packed with other features that make it easy to manage your devices, accounts, and security. With powerful capabilities like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.