Hi Community, The Leverage macOS has with Bootstrap token is immense using the same for Software Updates, Erase Device and new Local Account Creation in System Settings While I refer From IT Deployment Guide Which States the below For a Mac with macOS 10.15.4 or later, when a secure token-enabled user logs in for the first time, macOS generates a bootstrap token and escrows it to a device management service. I even tested out the Statement using Automated Device Enrollment Workflow ( With AutoAdmin Account Only, With Both AutoAdmin Account , Primary Account ) and it Granted BootStrap Token Immediately upon login How ever with User-Initiated Enrollments it differs like below Sometimes upon installation of MDM Profile in macOS Immediately the BootstrapToken is sent to MDM Sometimes the BootStrapToken is not immediately sent, so I need to logout , login with the Secure Token enabled user for macOS to escrow BootStrapToken to MDM Sometimes Even when I followed the pointer as in 2) like logout / login from a SecureToken Enabled user the BootStrapToken is not escrowed to MDM , Which Affects the OSUpdates, Erasing Capabilities to be used precisely with MDM Protocol Can someone Please Help with the Flow for BootStrapToken Generation / issuance to MDM incase for User-Initiated Enrollment

Hello, I'm working in the team with 70 i(Pad)OS test devices running 24/7, and 40 of them are iOS 18 or 26. The problem is: for enterprise apps to be tested (signed with ADEP inhouse profile) the devices over iOS 18 require Enterprise App developers to be allowed at least once with physical control on-device after reboot, which is quite burdensome because we put all the devices in the restricted area, supposed to be used from the remote. Devices are logged into Apple ID for the prevention of Activation Lock but no preparation nor management via MDM over Apple Configurator 2. Is there any binary, tool, app that can check (letting us allow devices for those developers would be even better) if the Enterprise App developer(s) are allowed for the device via terminal or VNC?

I’m working on a product that includes TLS inspection capability. TLS inspection using a local MitM requires installing a trusted root certificate which is then used to create masquerade certificates to intercept and forward TLS traffic through the proxy. For manual installation the end user is required to authenticate as an administrator to modify the trust settings on our internal CA’s root certificate. My question concerns the options for enterprise deployment using an MDM. We want the generated root certificate to be unique to each endpoint so that if a private key is compromised it can’t be used to intercept traffic anywhere else. We can install a “certificate trust” configuration profile from the MDM but this requires a base64 encoded string of the root certificate. In effect the MDM needs to obtain the certificate from the endpoint and then send it back in the form of a configuration profile. I’m not aware that MDMs like Jamf can be configured to do this directly so we’re looking for any other mechanism to have macOS trust a locally generated certificate via MDM based on some non endpoint-unique criteria? One option might be to use an external CA with a trusted certificate to sign an intermediate endpoint certificate but this creates a significant risk if the external trusted certificate were ever compromised. Is this a common industry practice? So my question remains is there a better way to trust our per endpoint root certificate via MDM without needing to install a unique per endpoint configuration profile?

Hello together, I'm currently trying to implement a simple way to use the new LOM commands for our new mac infrastructure. My MDM sollution is a custom instance of MicroMDM. MDM profiles are working fine, but when I send a https://developer.apple.com/documentation/devicemanagement/lom_device_request_command with any command (Reset, PowerON, PowerOFF), then it doesn't reset/restart/start the target Mac. Host X has a device profile and host Y a controller profile. Host/Mac Y = fe80::YYYY:YYYY:YYYY:8608 Host/Mac X = fe80::XX:XXXX:XXXX:cfab Now, if I send a LOM request for Mac Y to reset Mac X, I get the error "Address already in use" on Mac X (logs via log stream) log stream (private logs) And wireshark on Mac X shows there is traffic, but MacX does not respond to anything, not even tcp syn packages. This error is really weird, because there are no special ports running on that mac and I don't know what Port lightsoutmanagementd tries to listen to. lsof | grep LISTEN | grep -i ipv6 launchd 1 root 7u IPv6 0x457f571ac3303fd7 0t0 TCP *:ssh (LISTEN) launchd 1 root 11u IPv6 0x457f571ac33015d7 0t0 TCP *:rfb (LISTEN) launchd 1 root 27u IPv6 0x457f571ac3303fd7 0t0 TCP *:ssh (LISTEN) lightsout 112 root 4u IPv6 0x457f571ac3302ad7 0t0 TCP *:55555 (LISTEN) kdc 143 root 5u IPv6 0x457f571ac33023d7 0t0 TCP *:kerberos (LISTEN) screensha 403 root fp.u IPv6 0x457f571ac33015d7 0t0 TCP *:rfb (LISTEN) (fileport=0x2103) screensha 403 root 3u IPv6 0x457f571ac33015d7 0t0 TCP *:rfb (LISTEN) ARDAgent 535 devops 9u IPv6 0x457f571ac33031d7 0t0 TCP *:net-assistant (LISTEN) Did anyone have the same problem, or maybe can hint me in the right direction? I currently don't have a clue, what I can do next.

Hi Apple Community, We are using Automted Device Enrollment to Enroll macOS Devices and we used to Create AutoAdmin, PrimaryAccount using the Command Account Configuration . As a Part of Primary Account Creation while testing we see that BootStrap Token is Escrowed to MDM, and SecureToken is Created to Primary Account. The Primary Account user will enable FileVault as part of our process. As Tested internally, we seen that SecureToken is escrowed to AutoAdmin only when BootStrapToken is escrowed to MDM By device and AutoAdmin logs in then. That too After FileVault Unlock Since we Sendout the Laptop to users to setup themselves there are no chances of AutoAdmin Login to occur. And it defeats the purpose of having the AutoAdmin Account in emergency situation to login into it from Login Window. Can someone confirm if this behavior is expected and what are the expectation and recommendations from Apple on when to use AutoAdmin Account. Is there any other ways to use AutoAdmin directly from LoginWindow Before To FileVault Disk Unlock