Mac bootstrap token – FAQs
1. What is a bootstrap token?
The bootstrap token is an authentication method Apple uses to authorize certain critical system actions. These include granting secure tokens to mobile and managed administrator accounts, and authorizing the installation of kernel extensions and OS updates. In addition, the bootstrap token is required to execute the device wipe action through the Hexnode UEM console.
2. What is the difference between a secure token and a bootstrap token?
A secure token allows users to execute critical macOS system operations like enabling FileVault disk encryption and determining whether a user can access a FileVault-enabled volume. A secure token is granted to the first local user account created via the Setup Assistant or through Automated Device Enrollment.
The bootstrap token, by contrast, is a macOS-only feature that requires support from an MDM vendor. It is created and escrowed to the MDM server only during device enrollment; with Automated Device Enrollment, the token is escrowed when the first account is created.
4. Which devices support the bootstrap token?
Supervised devices running macOS 10.15 or later support the use of the bootstrap token.
5. How is the bootstrap token generated?
A bootstrap token is generated and escrowed to the Hexnode server during manual device enrollment (Open Enrollment or Authenticated Enrollment). With Automated Device Enrollment, the bootstrap token is created when the user logs in to the device for the first time.
6. Is it possible to verify if the bootstrap token has been escrowed to the Hexnode console?
You can check whether a specific device has escrowed its bootstrap token by heading over to Manage > Select Device > Device Info > Security Info > Bootstrap Token.
7. How do I escrow the bootstrap token for already enrolled devices?
The bootstrap token can be manually escrowed by running a terminal command.
sudo profiles install -type bootstraptoken
The linked documentation contains more information on how to escrow the bootstrap token for already enrolled devices.
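As an added example (not Hexnode's own code), the following script checks the macOS version requirement from FAQ 4 and parses the output of `sudo profiles status -type bootstraptoken` to decide whether the escrow command above still needs to run; the two "profiles: Bootstrap Token ..." output lines it matches are an assumed format, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: decide whether a Mac still needs its bootstrap token escrowed.
# Assumes `profiles status -type bootstraptoken` prints lines such as
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: NO

# bootstrap_token_state: reads `profiles status` output on stdin and prints
# one of: escrowed | not-escrowed | unsupported | unknown
bootstrap_token_state() {
    supported=""; escrowed=""
    while IFS= read -r line; do
        case "$line" in
            *"supported on server: YES"*) supported=yes ;;
            *"supported on server: NO"*)  supported=no ;;
            *"escrowed to server: YES"*)  escrowed=yes ;;
            *"escrowed to server: NO"*)   escrowed=no ;;
        esac
    done
    if [ "$supported" = no ]; then echo unsupported
    elif [ "$escrowed" = yes ]; then echo escrowed
    elif [ "$escrowed" = no ]; then echo not-escrowed
    else echo unknown
    fi
}

# os_supports_bootstrap_token: true for macOS 10.15 or later (per FAQ 4)
os_supports_bootstrap_token() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }
}

# Constructed sample output, standing in for a real `profiles status` run
SAMPLE_NOT_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Live use on a Mac (needs root); does nothing on other systems.
if [ "$(uname)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
    if os_supports_bootstrap_token "$(sw_vers -productVersion)"; then
        state=$(sudo profiles status -type bootstraptoken 2>/dev/null | bootstrap_token_state)
        echo "bootstrap token state: $state"
        [ "$state" = not-escrowed ] && sudo profiles install -type bootstraptoken
    fi
fi
```

Run it with sudo on the enrolled Mac; it only issues the install command when the device reports the token is supported but not yet escrowed.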