Leveraging Apple's Bootstrap Token Functionality


User accounts created on macOS can have a cryptographic attribute known as a secure token, which allows a user to interact with macOS services that require cryptographic privileges, such as FileVault authentication. On computers with Apple silicon, macOS will also grant a similar cryptographic attribute known as volume ownership to user accounts, allowing them to install software updates and manage legacy kernel extensions.

Bootstrap tokens are used to grant secure tokens and volume ownership to users logging in to a computer. Enrolled computers create and escrow a bootstrap token to Jamf Pro. A computer can then request a bootstrap token to grant secure tokens to users logging in to the computer. On computers with Apple silicon, macOS can request the bootstrap token from Jamf Pro when additional authorization from a volume owner is required, such as when issuing managed software update commands.
Note: In macOS 10.15–10.15.7, macOS will only request the bootstrap token to grant a secure token to mobile accounts or to an administrator account created in a PreStage Enrollment.
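The following audit script is an added example, not Jamf's or Apple's own code. It checks the three states described above on an enrolled Mac (bootstrap token escrow, per-user secure token, volume ownership) by parsing the output of the built-in `profiles`, `sysadminctl` and `diskutil` tools; the sample output strings it demonstrates on are constructed, and it assumes macOS 11 or later for the "Volume Owner" field.

```shell
#!/bin/sh
# Added audit helper (not Jamf's or Apple's code). Run as root on macOS to report
# bootstrap-token escrow, secure-token holders and volume owners.

# Classify `profiles status -type bootstraptoken` output.
bootstrap_state() {
    case "$1" in
        *"supported on server: NO"*)  echo "unsupported" ;;
        *"escrowed to server: YES"*)  echo "escrowed" ;;
        *)                            echo "not-escrowed" ;;
    esac
}

# Classify `sysadminctl -secureTokenStatus <user>` output (it is written to stderr).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Count cryptographic users marked as volume owners in `diskutil apfs listUsers /`.
volume_owner_count() {
    printf '%s\n' "$1" | grep -c "Volume Owner: Yes" || true
}

# Live checks; only meaningful on macOS, so they are skipped elsewhere.
audit_mac() {
    echo "bootstrap token: $(bootstrap_state "$(profiles status -type bootstraptoken 2>&1)")"
    # Local accounts with UID >= 500 (skips system/service accounts).
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        echo "$u: secure token $(secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
    done
    echo "volume owners: $(volume_owner_count "$(diskutil apfs listUsers / 2>&1)")"
}

# Constructed sample output, used to show the parsers offline.
SAMPLE_BT="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO"
SAMPLE_ST="2024-01-01 10:00:00 sysadminctl[123:456] Secure token is ENABLED for user alice"
echo "sample bootstrap token: $(bootstrap_state "$SAMPLE_BT")"   # not-escrowed
echo "sample secure token:    $(secure_token_state "$SAMPLE_ST")" # ENABLED

if [ "$(uname)" = "Darwin" ]; then audit_mac; fi
```

A result of "not-escrowed" on an enrolled Mac means Jamf Pro cannot hand the token back, so new logins will not receive secure tokens or volume ownership until the token is escrowed.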

For more information about the bootstrap token on macOS, see the following topics in Apple Platform Deployment:

For more information about using the bootstrap token to manage software updates, see Use MDM to deploy software updates to Apple devices in Apple Platform Deployment.