HomeKb › Bootstrap token skip account creation
Knowledge base · macOS

Bootstrap token quietly never escrows when you skip account creation in Setup Assistant

Zero-touch macOS flows that suppress the account-creation pane can leave no bootstrap token in your MDM — and nothing tells you. The token only escrows at the next login of a SecureToken-enabled account, so kernel extension approval, managed software updates and FileVault automation break later, on a seemingly random subset of the fleet. Here is what the two tokens actually are, and the one command that turns this from a mystery into a checklist item.

The problem

Your Automated Device Enrollment flow looks healthy: the Mac enrols, profiles land, apps install. Weeks later, failures start appearing that seem unrelated and random:

The common thread: these Macs went through a Setup Assistant flow that skipped local account creation — an MDM-created admin account, a shared or lab Mac, a kiosk build, or a Platform SSO enrolment. This bites Intune-first admins especially hard, because Windows Autopilot has no equivalent concept: on macOS, a critical device credential is minted as a side effect of a human logging in, and if your flow removes that login, the credential simply never exists.

Why it happens

Two tokens with confusingly similar names do different jobs:

SecureTokenBootstrap token
ScopePer user accountPer device
What it isA wrapped key encryption key (KEK) protected by the user's passwordA device-level token generated on the Mac and escrowed to the MDM server
Where it livesOn the Mac, bound to the accountIn your MDM's device record
What it enablesUnlocking the FileVault-encrypted volume for that accountMDM granting SecureTokens to new accounts; authorising kernel extensions and software updates on Apple silicon; Erase All Content and Settings; Platform SSO account creation
When it is createdAccount creation, password set, or first loginGenerated and escrowed on the first login by a SecureToken-enabled user (macOS 10.15.4+)

That last row is the trap. Apple's deployment guide states the bootstrap token is generated and escrowed automatically "on the first login by any secure token-enabled user". If Setup Assistant never creates an account, no SecureToken-enabled user logs in during provisioning — and, as FileWave's documentation puts it, the SetBootstrapToken request is never transmitted to the MDM server. As the Travelling Tech Guy documented when testing macOS 11.0.1:

"Bootstrap however, is NOT immediately enabled" when account creation is skipped — it escrows "at the next login of a SecureToken-enabled account."
— Travelling Tech Guy, "FileVault, SecureToken and Bootstrap in macOS 11.0.1 Big Sur"

This is why the failures look random: on some Macs a human eventually logged in with a token-enabled account and escrow quietly happened; on others nobody ever did, so the MDM holds no bootstrap token. On Apple silicon that matters doubly, because the bootstrap token holder gets volume ownership — the thing MDM needs to authorise kernel extensions and software updates without a user present. Note the prerequisites too: the Mac must be enrolled via Automated Device Enrollment (supervised), and your MDM must support bootstrap token escrow.

The fix

1. Verify escrow — do not assume zero-touch handled it

On the Mac:

sudo profiles status -type bootstraptoken

You want two YES lines: Bootstrap Token supported on server: YES and Bootstrap Token escrowed to server: YES. Cross-check the device record in your MDM — Intune and Jamf both surface a bootstrap-token-escrowed flag.

2. If it says NO, force the escrow

3. Fix the flow, not just the device

How Decolla handles it

Straight answer: it doesn't. Decolla provisions Windows devices over your own Intune and Autopilot tenant — it does not manage Macs, so it will never run this check for you on macOS.

What Decolla is built against is exactly this class of failure: a provisioning step that silently doesn't happen and only surfaces weeks later as apparently random breakage. Every Decolla deployment starts from a written, itemised plan — each item with its delivery method and reversibility class stated — approved before anything runs, and The Library bakes in recurring helpdesk fixes so known silent-failure patterns on the Windows side are checked rather than assumed. If you run a mixed fleet, apply the same discipline to your Mac builds: verification as a named step, never an assumption. Decolla is pre-launch; there is a waitlist at decolla.app.

Sources

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access