When a user sets up a Mac on their own
When a user sets up a Mac on their own, IT departments don’t provision the actual device. All policies and configurations are provided using a mobile device management (MDM) solution or configuration management tools. Setup Assistant is used to create the initial local administrator account and the user is granted a SecureToken. If the MDM solution supports the Bootstrap Token feature and informs the Mac during MDM enrolment, a Bootstrap Token is generated by the Mac and escrowed to the MDM solution.
If a Mac is enrolled in an MDM solution, depending on the MDM features available, the initial account can be an administrator account or a local account. If the user is downgraded to a standard user using MDM, the user is automatically granted a SecureToken and, in macOS 10.15.4 or later, a Bootstrap Token is generated.
Note: If local user account creation in Setup Assistant is skipped altogether using MDM, and a directory service with mobile accounts is used instead, the directory user won’t be granted a SecureToken during login, and no Bootstrap Token will be generated. If there are no SecureToken users on the Mac, the mobile account can still be enabled for FileVault using deferred enablement and a SecureToken is granted to the user at the time that FileVault is turned on. Once the user is SecureToken enabled, in macOS 10.15.4 and later, a Bootstrap Token is automatically generated and escrowed to the MDM solution at login if it supports the feature.
In any of the above scenarios, because the first and primary user is granted a SecureToken, they can be enabled for FileVault using deferred enablement. Deferred enablement allows the organisation to turn on FileVault but defer its enablement until a user logs in to or out of the Mac. It’s also possible to customise whether the user can skip turning on FileVault (including the option of setting a defined number of times they can skip it). The end result is the primary user of the Mac — whether a local user of any type or a mobile account — being able to unlock the storage device when encrypted with FileVault.
On Mac computers where a Bootstrap Token was generated and escrowed to an MDM solution, if the managed administrator account logs in to the Mac at a future date and time, the Bootstrap Token is used to automatically grant it a SecureToken, meaning the account is also enabled for FileVault and able to unlock the FileVault volume. To change whether the managed administrator account can unlock the volume, the user can remove it from FileVault with the following command, giving the account name as the argument:
fdesetup remove -user
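The following shell script is an added example, not part of Apple's documentation: it reads the SecureToken, Bootstrap Token escrow and FileVault states described above from the output of sysadminctl, profiles and fdesetup, and reports whether deferred enablement is the next step for the console user. The output phrases it matches, the /var/root/fv.plist path and the choice of three skips are assumptions.

```shell
#!/bin/sh
# Added example (not Apple's code): classify the SecureToken / Bootstrap Token /
# FileVault state the text describes. Matched message strings are assumptions.
# SecureToken state from `sysadminctl -secureTokenStatus <user>` (writes to stderr).
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}
# Escrow state from `profiles status -type bootstraptoken`.
bootstrap_token_escrowed() {
  case "$1" in
    *"escrowed to server: YES"*) echo YES ;;
    *"escrowed to server: NO"*)  echo NO ;;
    *)                           echo UNKNOWN ;;
  esac
}
# Volume state from `fdesetup status`; the deferred line accompanies "FileVault is Off.", so match it first.
filevault_state() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo DEFERRED ;;
    *"FileVault is On"*)  echo ON ;;
    *"FileVault is Off"*) echo OFF ;;
    *)                    echo UNKNOWN ;;
  esac
}
# $1 SecureToken, $2 escrow, $3 FileVault state -> verdict, plus a warning when no
# Bootstrap Token is escrowed (a managed admin logging in later gets no SecureToken).
assess() {
  case "$1:$3" in
    *:OFF)       echo enable-deferred ;;   # FileVault turn-on grants the token if missing
    *:DEFERRED)  echo await-login ;;
    ENABLED:ON)  echo ok ;;
    DISABLED:ON) echo user-cannot-unlock ;;
    *)           echo unknown ;;
  esac
  [ "$2" = YES ] || echo "warn: no Bootstrap Token escrowed to the MDM solution"
}
# Live run on a Mac only; the parsing functions can be exercised anywhere.
if [ "$(uname)" = Darwin ]; then
  u=$(stat -f %Su /dev/console)   # current console user
  v=$(assess "$(secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)")" \
             "$(bootstrap_token_escrowed "$(profiles status -type bootstraptoken 2>&1)")" \
             "$(filevault_state "$(fdesetup status)")")
  echo "$u: $v"
  # Deferred enablement per the text: prompt at login only, skippable 3 times; the plist path is a placeholder.
  case "$v" in enable-deferred*) echo "next: sudo fdesetup enable -defer /var/root/fv.plist -forceatlogin 3 -dontaskatlogout" ;; esac
fi
```

The script only prints the recommended fdesetup command; the recovery-key plist it names must be root-readable only and removed once the key has been escrowed.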