Skip to content
secure token, bootstrap token, and mac security: how they fit together
Blog Recent News Secure Tok...

Secure Token, Bootstrap Token, and Mac Security: How They Fit Together

Mike Boylan Mike Boylan
Staff Product Manager at Kandji
7 min read

It’s been more than five years since Apple introduced the concept of secure token in macOS. But for many Mac admins, that technology can still be a source of some confusion. It doesn’t help that, in the intervening years, Apple has evolved the technology significantly. Things have definitely come a long way since that initial launch of secure token.

In this post, we’ll provide an overview of:

  • What secure token does;
  • The role secure token plays in Mac security;
  • How bootstrap token fits into the picture; and 
  • The ways MDM can help keep it all out of sight and out of mind.

Mac Encryption: The Way It Was

In 2017, Apple introduced macOS High Sierra. It was a great release with a slew of new features. It also introduced a fundamental change to the platform: an entirely new filesystem to replace the decades-old HFS+. Apple Filesystem—more commonly referred to as APFS—was first released in iOS 10 in 2016 and came to Mac computers with solid-state drives the next year; it expanded to all Mac computers in 2018. 

Among other things, APFS changed the way FileVault encryption was handled. Apple replaced CoreStorage with a new native encryption format. Among other changes, that new format meant that turning on FileVault required something called a secure token. 

The trouble was Apple didn’t really document what secure token was or how to get one at the time. This wasn’t a problem for individual users setting up personal Mac computers at home using the normal Setup Assistant workflow. But it proved challenging for Mac admins: Because of the many permutations in how organizations set up computers and configured accounts, not all of their users got secure tokens. That left many Mac admins in a precarious situation: They needed to enforce FileVault on their fleets, but they couldn’t do so for all users due to that critical missing piece.

Fortunately, Apple listened to admin feedback and, with the release of macOS Catalina, began documenting secure token. Put simply, it’s an encryption key protected by a user’s password. The password is used to unlock the key, and then the key can be used by the operating system to authenticate the user. 

In macOS Catalina, Apple also introduced a new feature specifically to ease the challenge of working with secure token on MDM-managed Mac computers: bootstrap token.

MDM and Bootstrap Token

Bootstrap token is an MDM-only feature that helps with granting secure token and, on modern Macs with Apple silicon, something called volume ownership. (For the purposes of this post, secure token and volume ownership are so tightly coupled that we’re just going to continue referencing secure token.) 

The first secure token is granted to the account that logs into a Mac first at the login window (regardless of type, except for true network accounts) or is created in Setup Assistant, or to the first user to have the password set programmatically in plain-text using a tool like dscl or sysadminctl. If that first user is an admin, they can then grant secure token to other users.

When the first secure token is granted on a computer, and if your MDM system supports it (as Kandji does), macOS sends a message to the MDM server asking it to store a bootstrap token. You can think of bootstrap token as a special password for a special user that has secure token.

Once the bootstrap token is in place, macOS has access to a credential that can be used to authorize most actions on the system requiring a secure token, including granting one to other users. And it all happens behind the scenes: macOS silently asks MDM for it whenever it’s needed. This is far more seamless than needing your (or another user’s) password to be entered manually.

If you’re programmatically creating users, you can also use the profiles command-line tool to generate or remove a bootstrap token programmatically. Apple documents additional command-line tool invocations that are useful for the bootstrap token or checking for volume ownership on Apple silicon. To check that a user has a secure token, you can use the command sysadminctl -secureTokenStatus <username>.

Secure Token and Bootstrap Token Now

Fast forward to 2023, and it’s reasonable to ask if any of this really matters, given how streamlined the bootstrap token has made things. While it’s true that how and when various users on a Mac get a secure token should be far less of a concern with bootstrap token, the concepts absolutely still matter and it’s important for admins to understand them. 

On modern Macs with Apple silicon, the bootstrap token is required for MDM to manage software updates. Local users on the system need to be volume owners (and thus have a secure token) to be able to install such updates locally. And if users want to change startup settings or even install a new copy of macOS on Mac computers with Apple silicon, they’ll need volume ownership.

It’s also important to be aware of any scripts or tools you’re running or installing on your fleet that may make or modify local users or change when and how passwords are being set for those users; those finer details can influence whether or not the first secure token is granted to the right user, and whether or not a bootstrap token is created for the Mac at all. 

Another scenario that requires special consideration: shared Mac computers with Apple silicon. Because managing software updates with MDM on such computers requires a bootstrap token, you’ll likely want to log in as a user at least once before distributing them. That way, a bootstrap token will be created and available for use before the first actual user signs in. Alternatively, you can use the profiles command-line tool to generate the bootstrap token. Doing so, however, requires providing a password in plain text (such as in a script), so I’d recommend simply logging in to the Mac once before distributing it.

In summary, what this all means in practice is that as long as your MDM supports the bootstrap token, and you're making sure your setup workflow is ensuring one gets created, everything should “just work" from there.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.