When a user sets up a Mac on their own
When a user sets up a Mac on their own, IT departments don’t provision the actual device. All policies and configurations are delivered through an MDM solution or configuration management tools. Setup Assistant is used to create the initial local administrator account, and that user is granted a SecureToken. If the MDM solution supports the Bootstrap Token feature and informs the Mac of this during MDM enrollment, the Mac generates a Bootstrap Token and escrows it to the MDM solution.
If the Mac is enrolled in an MDM solution, the initial account may not be a local administrator account but rather a local standard user account. If the user is downgraded to a standard user using MDM, the user is automatically granted a SecureToken. If the user is downgraded, starting in macOS 10.15.4, a Bootstrap Token is generated.
Note: If local user account creation in Setup Assistant is skipped altogether using MDM and a directory service with mobile accounts is used instead, the directory user won’t be granted a SecureToken during login and no Bootstrap Token is generated. If there are no SecureToken users on the Mac, the mobile account can still be enabled for FileVault using deferred enablement and SecureToken is granted to the user at the time that FileVault is turned on. Once the user is SecureToken enabled, in macOS 10.15.4 and later, a Bootstrap Token is automatically generated and escrowed to the MDM solution at login if it supports the feature.
In any of the above scenarios, because the first and primary user is granted a SecureToken, they can be enabled for FileVault using deferred enablement. Deferred enablement lets the organization turn on FileVault but postpone its enablement until a user logs in to or out of the Mac. It’s also possible to configure whether the user can skip turning on FileVault (optionally a defined number of times). The end result is that the primary user of the Mac, whether a local user of any type or a mobile account, is able to unlock the storage device when it is encrypted with FileVault.
On Mac computers where a Bootstrap Token was generated and escrowed to an MDM solution, if the managed administrator account logs in to the Mac at a future date and time, the Bootstrap Token is used to automatically grant a SecureToken, meaning the account is also enabled for FileVault and able to unlock the FileVault volume. To modify whether the managed administrator account can unlock the volume, the user can use:
fdesetup remove -user.
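The following audit script is an added example and not Apple's code: it lists which local accounts hold a SecureToken, whether a Bootstrap Token is escrowed to the MDM server, and which users can unlock FileVault, using the real macOS tools sysadminctl, profiles, fdesetup and dscl. It assumes the output formats shown in the comments (the parsing functions are written against constructed sample text, so they can be checked on any system, while the live audit runs only on macOS).

```shell
#!/bin/sh
# Added example, not Apple's code: audit which local accounts hold a SecureToken,
# whether a Bootstrap Token is escrowed to the MDM server, and which users can
# unlock FileVault. Parsers take command output as an argument so they can be
# checked against the constructed samples below; live_audit runs only on macOS.

# sysadminctl -secureTokenStatus <user> prints (to stderr) a line containing
# "Secure token is ENABLED for user <name>" or "... DISABLED ...".
# Returns 0 if enabled, 1 if disabled, 2 if the text is unrecognised.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  return 0 ;;
    *"Secure token is DISABLED"*) return 1 ;;
    *) return 2 ;;
  esac
}
# profiles status -type bootstraptoken reports "Bootstrap Token supported on
# server: YES|NO" and "Bootstrap Token escrowed to server: YES|NO".
bootstrap_token_state() {
  case "$1" in
    *"escrowed to server: YES"*)  echo "escrowed" ;;
    *"supported on server: YES"*) echo "supported-not-escrowed" ;;
    *) echo "unsupported" ;;
  esac
}
# fdesetup list prints one "name,UUID" line per FileVault-enabled user.
filevault_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}
# Constructed sample output (not captured from a real Mac) for offline checks.
SAMPLE_ST_ENABLED='sysadminctl[512:9001] Secure token is ENABLED for user alice'
SAMPLE_ST_DISABLED='sysadminctl[512:9002] Secure token is DISABLED for user svc'
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_FV='alice,11111111-2222-3333-4444-555555555555
mdmadmin,66666666-7777-8888-9999-000000000000'
# Live audit over local accounts with UID >= 500 (macOS-only commands).
live_audit() {
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
    if secure_token_state "$(sysadminctl -secureTokenStatus "$u" 2>&1)"; then
      echo "SecureToken holder: $u"
    fi
  done
  echo "Bootstrap Token: $(bootstrap_token_state "$(profiles status -type bootstraptoken 2>&1)")"
  echo "FileVault unlock users:"; filevault_users "$(fdesetup list 2>/dev/null)"
}

if [ "$(uname)" = "Darwin" ]; then live_audit; fi
```

Run it as root on a managed Mac to confirm the expected state after enrollment (the primary user and, once the managed administrator has logged in, that account holding a SecureToken and appearing in the FileVault list); fdesetup list needs root to return anything.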