Using command-line tools
Command-line tools are available for managing Bootstrap Token, FileVault, and SecureToken. The Bootstrap Token is usually generated on the Mac and escrowed to the mobile device management (MDM) solution during the macOS setup process after the MDM solution tells the Mac that it supports the feature. However, a Bootstrap Token can also be generated on a Mac that has already been deployed. For example, if the MDM solution adds support for this feature after an initial deployment of macOS 10.15. The
profiles command-line tool has a number of new options to interact with the Bootstrap Token.
Commands to manage the Bootstrap token:
sudo profiles install -type bootstraptoken: This command generates a new Bootstrap Token and attempts to escrow it to the MDM solution. This command requires existing SecureToken administrator information to initially generate the Bootstrap Token, the MDM solution must support the feature, and the Mac must be enrolled in MDM and Apple School Manager or Apple Business Manager.
sudo profiles remove -type bootstraptoken: Removes the existing Bootstrap Token on the Mac and the MDM solution.
sudo profiles status -type bootstraptoken: Reports back whether the MDM solution supports the Bootstrap Token feature, and what the current state of the Bootstrap Token is on the Mac.
sudo profiles validate -type bootstraptoken: Verifies that the Bootstrap Token escrowed in the MDM solution is valid on the Mac.
fdesetup command-line tool
MDM configurations or the
fdesetup command-line tool can be used to configure FileVault. In macOS 10.15 or later, using
fdesetup to turn on FileVault by providing the user name and password is deprecated and won’t be recognized in a future release. Consider using deferred enablement using MDM instead. To learn more about the
fdesetup command-line tool, launch the Terminal app and enter
man fdesetup or
fdesetup help for additional information.
sysadminctl command-line tool
sysadminctl command-line tool can be used to specifically to modify SecureToken status for user accounts on the Mac. This should be done with caution and only when necessary. Changing the SecureToken status of a user using
sysadminctl always requires the user name and password of an existing SecureToken-enabled administrator, either interactively or through the appropriate flags on the command. Both
sysadminctl and System Preferences prevent the deletion of the last administrator or SecureToken-enabled user on a Mac. If the creation of additional local users is scripted using
sysadminctl, for those users to be enabled for SecureToken, current SecureToken-enabled administrator credentials are required to be supplied either using the interactive option or directly with the
-adminPassword flags with
sysadminctl -h for additional usage instructions.