How MDM Leverages macOS Bootstrap Token Feature to ease Device Management?
Bootstrap Token is an Apple-introduced feature (macOS 10.15+) that simplifies device management workflows for IT admins. ME MDM supports Bootstrap Token escrow, enabling seamless management of macOS devices.
Key Benefits of Bootstrap Token
- Software Updates: Bootstrap Token allows MDM to bypass the admin authorization that is otherwise required when MDM issues a Software Update command. As a result, all software and patch updates deployed through EndpointCentral UEM on managed macOS devices install seamlessly without requiring user interaction.
- New Local User Account Creation: The device uses the Bootstrap Token escrowed to MDM to automatically generate a SecureToken for any user account created during its first login, whether the account is created through:
  - Users & Groups
  - EndpointCentral UEM User Management
  - Platform SSO account creation in the login window
  - Mobile account login in the login window
- Erase All Content and Settings: The Bootstrap Token enables MDM to perform a silent erase of the macOS device when executing a Complete Wipe command. The operating system remains intact while only user data is removed, eliminating the need for manual user intervention.
Bootstrap Token Creation and Escrow Steps
The Bootstrap Token is generated on the macOS device and escrowed to MDM when the first SecureToken-enabled user logs in for the first time.
- Automated Device Enrollment (ABM/ASM Workflow): The Bootstrap Token is created and escrowed to MDM when the first user logs in, either:
  - During Setup Assistant (as a Primary Account)
  - Or as a Managed Administrator
- User-Initiated Enrollment (Self/Invite Enrollment): The Bootstrap Token is generated and issued to MDM when the first SecureToken-enabled user logs in via the Login Window.
Bootstrap Token Management through the profiles Command
Note: The Bootstrap Token is created by the operating system (OS), and the OS handles setting, removing and retrieving it from the MDM. No manual intervention is needed from IT admins to enable this feature. When there is a need to work on it, or for troubleshooting, the commands below can be used.
The profiles command-line tool provides several operations for managing Bootstrap Tokens on macOS:
- Install a Bootstrap Token:
Command: sudo profiles install -type bootstraptoken
Function: Creates a new Bootstrap Token and automatically escrows it to the MDM server. To run successfully, the command requires authentication from an existing Secure Token administrator, whose credentials are needed for the initial token generation. ManageEngine MDM supports escrowing the Bootstrap Token by default.
- Remove a Bootstrap Token:
Command: sudo profiles remove -type bootstraptoken
Function: Deletes the existing Bootstrap Token from the Mac and revokes it from MDM.
- Check Bootstrap Token Status:
Command: sudo profiles status -type bootstraptoken
Function: Verifies whether the MDM server supports Bootstrap Token and whether the Bootstrap Token has been escrowed to MDM.
- Validate Bootstrap Token Support:
Command: sudo profiles validate -type bootstraptoken
Function: Retrieves the Bootstrap Token from MDM and validates it.
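For troubleshooting at scale, the status command above is the one an admin usually wants to turn into a compliance check. The script below is an added example written for this article (it is not ManageEngine or Apple code); it assumes the two status lines follow the "... supported on server: YES/NO" and "... escrowed to server: YES/NO" format the command prints, and the sample output embedded in it is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Compliance check for the Bootstrap Token state reported by:
#   sudo profiles status -type bootstraptoken
# Assumed output format (two lines, prefixed by "profiles:"):
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES

# Extract the YES/NO value after the last colon on the line matching $2.
_field() {
    printf '%s\n' "$1" | grep -i "$2" | sed 's/.*: *//' \
        | tr '[:lower:]' '[:upper:]' | tr -d ' \r'
}

# bootstrap_token_state <status-output>
# Prints OK, NOT_ESCROWED, UNSUPPORTED or UNKNOWN.
bootstrap_token_state() {
    supported=$(_field "$1" 'supported on server')
    escrowed=$(_field "$1" 'escrowed to server')
    case "$supported:$escrowed" in
        YES:YES) echo OK ;;            # token escrowed, updates/erase work silently
        YES:NO)  echo NOT_ESCROWED ;;  # server supports it, device has not escrowed
        NO:*)    echo UNSUPPORTED ;;   # MDM server does not support Bootstrap Token
        *)       echo UNKNOWN ;;       # unexpected or empty output
    esac
}

# Exit code mapping for use as an MDM custom script: 0 = compliant.
bootstrap_token_exit_code() {
    case "$(bootstrap_token_state "$1")" in
        OK) return 0 ;;
        NOT_ESCROWED) return 1 ;;
        UNSUPPORTED) return 2 ;;
        *) return 3 ;;
    esac
}

# Live check: meaningful only on macOS 10.15+ and needs sudo.
check_live() {
    [ "$(uname)" = "Darwin" ] || { echo "macOS only" >&2; return 3; }
    live=$(sudo profiles status -type bootstraptoken 2>&1)
    echo "Bootstrap Token state: $(bootstrap_token_state "$live")"
    bootstrap_token_exit_code "$live"
}

# Constructed sample output for a dry run (not from a real device).
SAMPLE_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

if [ "${1:-}" = "--live" ]; then check_live
else echo "Sample state: $(bootstrap_token_state "$SAMPLE_OK")"; fi
```

Run it with --live on a managed Mac to check the real device; without arguments it only evaluates the embedded sample.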