Introduction
This article is intended for datajar.mobi customers (Fully Managed, Self Managed and Hybrid) who have Apple silicon Mac computers under management. The Bootstrap Token is effectively a cryptographic certificate generated by a Mac when it is enrolled into a Mobile Device Management (MDM) server; the MDM server stores (escrows) a copy of the token securely.
What is a Bootstrap token?
The Bootstrap Token was originally introduced by Apple to allow users to more easily enable FileVault on Mac computers managed by MDM servers (such as datajar.mobi) in organisations. With the advent of Apple silicon, the Bootstrap Token also allows the MDM server to perform more privileged management actions on the computers it manages, including:
- Authorise the installation of Configuration Profiles that allow legacy system extensions (kernel extensions)
- Perform operating system updates
- Perform a fast ‘Erase All Content and Settings’ action when a remote wipe command is issued
Computers will normally generate and escrow a Bootstrap Token with datajar.mobi when they are enrolled. In some circumstances, this may not occur. If needed, follow the steps below to generate and escrow a Bootstrap Token manually.
Generating and escrowing a Bootstrap Token via the graphical user interface (GUI) (best when you have physical access):
- Ensure you have the password for a local administrator account (dataJAR support can provide this information if needed)
- Log into the Mac with the local administrator account
- Open Self Service from the Applications folder and click "Submit Inventory to datajar.mobi"; this may take a couple of minutes to complete.
- The computer should now have a Bootstrap Token. To verify this, run the following command in Terminal:
  sudo profiles status -type bootstraptoken
Generating and escrowing a Bootstrap Token with the command line from a remote computer (best when you have remote access and are comfortable using Terminal commands):
- From a remote Windows PC running PuTTY, or from another Mac using Terminal, open an SSH connection to the target Mac.
- Ensure you have the password for a local administrator account (dataJAR support can provide this information if needed)
- If using Terminal from another Mac, enter the following command to open the SSH connection (where username is the local administrator username and hostname is the name or IP address of the target Mac):
  ssh username@hostname
- Enter yes if prompted to accept and store the target computer's host key
- Enter the password for the target computer's local administrator account
- When you have an active connection, enter the following command:
  sudo profiles install -type bootstraptoken
- Enter the unique password for the target computer's local administrator account when sudo prompts for it
- Enter the local administrator's username and password again when the profiles command prompts for them
- You should see confirmation that a Bootstrap Token has been escrowed to the MDM server.
- Finally, submit inventory to datajar.mobi by running:
  sudo jamf recon
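The remote procedure above, wrapped into a script as an added example (this is not dataJAR's or Apple's own tooling): it parses the output of `profiles status -type bootstraptoken`, escrows a token only when one is missing, and then runs `jamf recon`. It assumes macOS 11 or later, the Jamf binary at /usr/local/bin/jamf, and that it is run as root on the target Mac.

```shell
#!/bin/sh
# Added example, not dataJAR's own tooling. Checks whether this Mac has already
# escrowed a Bootstrap Token and, only if it has not, escrows one with the local
# administrator account and then submits inventory with `jamf recon`.
# Assumes macOS 11+, /usr/local/bin/jamf, and root (e.g. sudo sh escrow.sh --run).

# Constructed sample output of `profiles status -type bootstraptoken`,
# used here for self-checking the parser (not captured from a real Mac).
SAMPLE_STATUS_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_STATUS_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Return 0 when the status text reports the token as escrowed, 1 otherwise.
token_escrowed() {
    printf '%s\n' "$1" | grep -qi 'escrowed to server: *YES'
}

# Return 0 when the MDM server supports Bootstrap Token escrow, 1 otherwise.
server_supports_token() {
    printf '%s\n' "$1" | grep -qi 'supported on server: *YES'
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run with sudo." >&2
        return 1
    fi
    status="$(profiles status -type bootstraptoken 2>&1)"
    if ! server_supports_token "$status"; then
        printf 'MDM server does not support Bootstrap Token escrow:\n%s\n' "$status" >&2
        return 1
    fi
    if token_escrowed "$status"; then
        echo "Bootstrap Token already escrowed; nothing to do."
        return 0
    fi
    # Prompt for the credential instead of hard-coding it; -user and -password
    # are options of `profiles install -type bootstraptoken` (the password is
    # visible in the process arguments only for the duration of that call).
    printf 'Local administrator username: '; read -r admin_user
    printf 'Password for %s: ' "$admin_user"; stty -echo; read -r admin_pass; stty echo; echo
    profiles install -type bootstraptoken -user "$admin_user" -password "$admin_pass" || return 1
    unset admin_pass
    # Confirm the escrow before submitting inventory so datajar.mobi records it.
    token_escrowed "$(profiles status -type bootstraptoken 2>&1)" || return 1
    /usr/local/bin/jamf recon
}
# Only run the workflow when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then main; fi
```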
Further information
Use secure token, bootstrap token and volume ownership in deployments (Apple): https://support.apple.com/en-gb/guide/deployment/dep24dbdcf9e/web
Need further support?
If you still require assistance from us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.