Hi all! First of all, I hope that you and your family are ok and doing well during these weird times! Take care and stay safe!
It has been a while since I posted a new blog, but things got busy. Yes, the whole messed up 2020 situation does impact the daily routine, but apart from this I’ve been busy with another little project. Spoiler alert: I’ve been writing up all my “Managing FileVault in macOS Catalina” findings into a book, which will be submitted to the Apple Book Store later today (not sure how long the review will take, but I’ll keep you posted). 85 pages, so there is quite some content to read for those who are not up to speed with FileVault, SecureToken and Bootstrap Token yet!
That said, the book does not mean that I’ll stop writing blog posts on the matter! So, as Apple released 10.15.4, let’s have a look at what changed regarding FileVault: Bootstrap Token changes!
Prior to 10.15.4, the Bootstrap Token (if supported by the MDM server) would only be generated automatically if the Setup Assistant created an admin account for the end user. The Bootstrap Token was not enabled automatically if account creation was limited to a standard account or skipped entirely.
With 10.15.4 or above, we now also get automatic Bootstrap Token generation if account creation is limited to a standard account! Skipping account creation still does NOT enable the Bootstrap Token at initial deployment.
However, if we end up with a supervised computer without a Bootstrap Token, macOS will now also enable the Bootstrap Token upon the first login by a SecureToken-enabled account. This means that if you skipped user creation during the Setup Assistant, but enabled FileVault or granted a SecureToken to an account by any other means, that account will trigger the generation of the Bootstrap Token upon its next login.
NOTE: the Bootstrap Token can only be enabled on supervised devices, i.e. Macs enrolled via Automated Device Enrollment (DEP).
Those 2 changes simplify deployments where you want a SecureToken-enabled admin account available for when the Mac admin or sysadmin needs to access the computer, and avoid having to fall back on the FileVault Recovery Key.
NOTE: these changes regarding when and how the Bootstrap Token gets enabled do NOT change the behaviour of the Bootstrap Token itself. It will still ONLY generate a SecureToken for the 'Managed Admin' or for any mobile account logging in after the Bootstrap Token has been escrowed. Any other local account will still NOT get a SecureToken via the Bootstrap Token. Remember: the 'Managed Admin' is the additional admin account created by MDM in the background of the Setup Assistant, not any other account created by scripted solutions or MDM frameworks.
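To check where a given Mac actually stands on the three things above (supervision, Bootstrap Token escrow, and which local accounts hold a SecureToken), here is a small audit script. This is an added example, not something from the original post or from Apple: it wraps the real `profiles`, `sysadminctl` and `dscl` commands, but the exact output formats it parses are assumed from observed 10.15.x output and may differ on other releases, and the sample output embedded at the bottom is constructed, not captured from a real Mac. The parsing functions take command output as a string, so they can be tried on any system; the live audit only runs on macOS (and `profiles` needs root).

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks supervision,
# Bootstrap Token escrow and SecureToken holders on a Mac. Output formats
# below are ASSUMED from observed 10.15.x output.

# `profiles status -type enrollment` (assumed format):
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
dep_enrolled() {
    printf '%s\n' "$1" | grep -q 'Enrolled via DEP: Yes'
}

# `profiles status -type bootstraptoken` (assumed format):
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
bootstrap_supported() {
    printf '%s\n' "$1" | grep -q 'supported on server: YES'
}
bootstrap_escrowed() {
    printf '%s\n' "$1" | grep -q 'escrowed to server: YES'
}

# `sysadminctl -secureTokenStatus <user>` writes to stderr, e.g.
#   sysadminctl[123:456] Secure token is ENABLED for user Admin
securetoken_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Drop service accounts from a `dscl . -list /Users` listing so only
# real login accounts remain.
login_accounts() {
    printf '%s\n' "$1" | grep -Ev '^(_|daemon$|nobody$|root$)'
}

# One-line verdict from the enrollment and bootstraptoken output. Mirrors the
# post's rules: no supervision means no Bootstrap Token at all; a supervised
# Mac without escrow gets it on the next SecureToken-enabled login (10.15.4+).
verdict() {
    enroll_out=$1
    bt_out=$2
    if ! dep_enrolled "$enroll_out"; then
        echo "not supervised: Bootstrap Token unavailable"
    elif ! bootstrap_supported "$bt_out"; then
        echo "supervised but MDM does not support Bootstrap Token"
    elif bootstrap_escrowed "$bt_out"; then
        echo "supervised, Bootstrap Token escrowed"
    else
        echo "supervised, Bootstrap Token NOT escrowed: next SecureToken login should escrow it (10.15.4+)"
    fi
}

# Live audit: runs the real commands. macOS only; run as root for `profiles`.
audit_mac() {
    [ "$(uname -s)" = "Darwin" ] || { echo "not macOS; nothing to audit"; return 2; }
    verdict "$(profiles status -type enrollment 2>&1)" \
            "$(profiles status -type bootstraptoken 2>&1)"
    for u in $(login_accounts "$(dscl . -list /Users)"); do
        if securetoken_enabled "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then
            echo "SecureToken: ENABLED  $u"
        else
            echo "SecureToken: disabled $u"
        fi
    done
}

# Constructed sample output (NOT captured from a real Mac), for dry runs.
SAMPLE_ENROLL='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Dry run against the constructed sample; pass --live on a Mac to audit it.
if [ "${1:-}" = "--live" ]; then
    audit_mac
else
    verdict "$SAMPLE_ENROLL" "$SAMPLE_BT"
fi
```

Run it with `sudo sh audit.sh --live` on the Mac you are checking; without `--live` it only evaluates the constructed sample. A supervised Mac that reports "NOT escrowed" after a SecureToken-enabled account has logged in on 10.15.4 or later is worth a second look, since that is exactly the case the new behaviour is supposed to handle.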
Two updated flowcharts accompany this post (images not reproduced here): one for Bootstrap Token generation during the Setup Assistant, one for generation at first SecureToken-enabled login.
That’s it for this quick update! Let me know if I missed something, and more about the book coming up later!
As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!