Quick post to share my attempt to visualise the flow of Secure and Bootstrap Token creation at initial setup of a Mac with macOS Catalina 10.15.

I’d would definitely recommend to read my previous posts first (Part 1 and Part 2) in order to have a better understanding of how Secure and Bootstrap tokens are being generated in Catalina.

In the below flowchart I DO NOT enable FileVault yet. As said it’s only intended to show the situation at initial deployment.

Quick Summary:

  • Both Standard as Admin Local Accounts, created by the Setup Assistant, get a Secure Token.

    As I mentioned in my previous post however, it seems that if there are NO token holders at all (in Catalina this is only possible when skipping account creation and logging in with a mobile account first), the next LOCAL ADMIN logging in through the login window, or su/login in Terminal, gets a Secure Token as well)
  • The existence of an account with a UID above 500 does not impact the creation of Secure Tokens anymore. On macOS Mojave the existence of another account with UID above 500 disabled the automatic generation of a Secure Token for accounts limited to Standard in the pre-stage. This was further impacted by the way the Jamf Pro pre-stage handles the creation of the Management Account. On macOS Catalina this impact is gone.
  • Only when keeping the setup assistant user creation to ADMIN, the Bootstrap Token is automatically generated. Skipping Account creation, or limiting the account to STANDARD, DISABLES the automatic Bootstrap creation.
  • NoMAD or Jamf Connect Login deployments are impacting the automatic generation of the Bootstrap token. If Account Creation is skipped, automatic Bootstrap token generation is DISABLED.
  • For pure Secure Token creation, the “NoMAD / Jamf Connect created accounts” follow the logic of LOCAL account like in Mojave.
!!! Only ADMIN accounts created via NoMAD / Jamf Connect Login automatically get a Secure Token (and only if it's the very first account logging in).

Unlike Standard accounts created in the Catalina Setup Assistant:
Standard Accounts created via NoMAD / Jamf Connect don't get a token in Catalina!!!

This means the Jamf Connect LAPS feature is still something to keep in mind.

See below for the flowchart.

Final notes:

For those situations where a Secure Token needs to be manipulated, e.g. granting another user a token, the mechanisms of Mojave remain valid (sysadminctl, create account via sys prefs, enabling FileVault…).

For those situations where the Bootstrap token needs to be manually enabled, the following command can be used:

 sudo profiles install -type bootstraptoken

or… scripted via expect/send commands (to be tested, there are some scripts in the wild already. Will test them soon).

Finally, just to wrap up this overview, remember that only Mobile Accounts or the “Managed Administrator” (NOT the same as the Jamf Management Account! ), will receive a Secure Token on their next login once the system has been Bootstrapped. Any other local accounts (including ‘NoMAD / Jamf Connect Login – created – accounts’), don’t.


That’s it! As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!

Oh yes, if you’re really fan of fixing Secure Tokens, (or this blog, and you want to support it), get your T-Shirt HERE !