Join the Mac Admins Slack channel #book-managing-filevault to discuss the book! https://www.macadmins.org/

Quick message to announce that an updated version of the book has been processed.

IMPORTANT: to update the book on macOS, delete it from your library and download it again. The Books app on macOS does not seem to trigger the update notification.

I realised that the discussion on the generation of SecureToken and Bootstrap needed a bit of extra clarification!

As we know, if account creation is skipped during the Setup Assistant, the Bootstrap Token is not generated and escrowed automatically. However, as I mentioned a few times in the book, macOS 10.15.4 does try to escrow the Bootstrap Token when a SecureToken-enabled user logs in. So far so good.

However, there are organisations that do indeed skip user creation, because they intend to bind the Mac to Active Directory, but then log in with the MDM-created admin account before handing the Mac over to the end user. In this situation, a side effect of the changes introduced in macOS 10.15.4 might cause confusion.

As the system is most likely still token-less at this point, logging in through the Login Window with a local admin account triggers the generation of a SecureToken for that account. Again, so far so good, as explained in the book and the previous blog post.

However, similar to what I discussed in the annex about Jamf Connect Login, macOS immediately treats this freshly tokenised account as “a login with a SecureToken-enabled account”. As the Mac is supervised in this scenario, it therefore tries to escrow the Bootstrap Token (if the MDM server supports it).

This might cause confusion if you read the official Apple documentation literally, which says that the Bootstrap Token cannot be generated automatically if account creation is skipped entirely. That statement is 100% correct, but the side effect of the 10.15.4 update described above could in practice be understood differently: the token is not generated by skipping Setup Assistant, it is generated (and escrowed) by the first SecureToken-enabled login that follows.
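To see which state such a Mac ends up in after that first admin login, the two checks below are what I would run. This is an added example, not code from the book or from Apple: it assumes macOS 10.15.4 or later with the built-in `sysadminctl` and `profiles` tools, and the sample output strings embedded in it are constructed to mirror the format those tools print, so the parsing functions can be exercised on any system; the live check only runs on macOS.

```shell
#!/bin/sh
# Added example (not from the book or blog post): after a token-less Mac gets its
# first Login Window login by a local admin, confirm that the admin now holds a
# SecureToken and whether the Bootstrap Token was escrowed to the MDM server.
# Assumptions: macOS 10.15.4+, `sysadminctl` and `profiles` available; output
# formats below are taken from those tools as observed in practice.

# Classify the output of `sysadminctl -secureTokenStatus <user>`.
# Prints ENABLED, DISABLED or UNKNOWN.
securetoken_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Classify the output of `profiles status -type bootstraptoken`.
# Prints UNSUPPORTED (MDM cannot receive it), ESCROWED, NOT_ESCROWED or UNKNOWN.
bootstrap_state() {
  case "$1" in
    *"supported on server: NO"*) echo UNSUPPORTED ;;
    *"escrowed to server: YES"*) echo ESCROWED ;;
    *"escrowed to server: NO"*)  echo NOT_ESCROWED ;;
    *)                           echo UNKNOWN ;;
  esac
}

# Live check, macOS only. sysadminctl reports on stderr, hence 2>&1.
# Defaults to the user currently owning the console.
check_live() {
  user="${1:-$(stat -f %Su /dev/console)}"
  st=$(securetoken_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  bt=$(bootstrap_state "$(profiles status -type bootstraptoken 2>&1)")
  echo "SecureToken for $user: $st"
  echo "Bootstrap Token:       $bt"
}

# Constructed sample output: what a supervised 10.15.4 Mac shows once the
# MDM-created admin has logged in and the MDM server accepted the escrow.
SAMPLE_ST='2020-04-01 10:00:00.000 sysadminctl[512:9999] Secure token is ENABLED for user mdmadmin'
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

if [ "$(uname)" = "Darwin" ] && [ "${1:-}" != "--sample" ]; then
  check_live "$1"
else
  echo "SecureToken (sample):     $(securetoken_state "$SAMPLE_ST")"
  echo "Bootstrap Token (sample): $(bootstrap_state "$SAMPLE_BT")"
fi
```

Run it with the admin's short name as the argument (or no argument for the console user). The combination ENABLED plus NOT_ESCROWED is the one to watch for on a supervised Mac: it means the login granted a SecureToken but the escrow attempt described above did not succeed, so the Bootstrap Token will need to be handled manually (see the ‘Fixing SecureToken Issues’ section of the book).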

Apart from rewriting a paragraph in the ‘Generating SecureToken’ chapter (with the above clarification), I also completely rewrote the section ‘Fixing SecureToken Issues’. The above clarification had consequences for how I explained the scenarios where SecureToken fixes might be required. And while rereading this section again, even after doing so multiple times prior to publishing the book, I realised it was ‘a bit’ chaotic and subject to potentially dangerous misunderstandings.

Hence I decided to clear my twisted brain and rewrite the section, simplifying the scenarios to what really matters and adding better logic and structure. I hope I did not completely mess up your brain with the initial version. If so, just read the new version of that section in v2 of the book.

The update has already passed review, and those who purchased the book should get a notification about the new version soon. It might however take a moment for Apple Books to propagate the update.

As this was quite an important correction and clarification, I decided to push out a version 2. For future incremental updates covering smaller corrections, I might not dedicate a blog post to them, and will only mention them on the page dedicated to the book: https://travellingtechguy.eu/book-managing-filevault-in-macos-catalina/

Brgds,

TTG