macOS® Catalina™ Secure Token

With the introduction of macOS^® 10.15 (also known as Catalina), there have been a number of changes announced to the overall infrastructure to manage a Mac^® laptop or desktop. One of the areas in particular is the effects of macOS Catalina on the Secure Token feature. These changes are presenting potential issues and the opportunity for streamlined solutions to Mac admins, so let’s see what there is to do about it.

What is Secure Token?

For many Mac admins, the Secure Token feature introduced with macOS High Sierra has been a cause for great consternation. It has forced IT teams to adjust their management workflows to be able to administer and manage devices properly, given that Secure Tokens are critical in order to safely create Mac users and manage their FileVault full disk encryption (FDE) credentials.

Apple^® introduced Secure Token as a method of creating a “chain of trust” on a machine. The result was that only a trusted user could be created from another trusted user, and only those trusted users could leverage FileVault. This ensured that—from Apple’s perspective—the machine and users on it would be secure.

The Problem with Secure Token

The challenge presented by the introduction of Secure Token was that the chain of trust ultimately made user and FileVault management much more challenging. An organization’s mobile and network accounts with Apple devices did not have the ability to create users that would be granted Secure Tokens.

Only the original user on the machine was granted a Secure Token and only that account could go on to create subsequent users that would properly be granted a Secure Token. This overhead severely impacted the ability of Mac admins to remotely manage their fleet of Mac systems.

In light of this, JumpCloud introduced innovative functionality to automate the remote management of Secure Tokens across an entire fleet of Mac machines. This support dramatically changed the game for IT admins to introduce and manage FileVault within an organization. Of course, pending the arrival of Catalina, Secure Token management might be changing altogether again.

The macOS Catalina Secure Token

With the release of macOS Catalina, it seems as though Apple is continuing to double down on their support of Secure Token as the method to securely manage users and FileVault on systems.

While the specific details of Catalina Secure Token capabilities will only be known when the final version of the OS ships, it is believed that Apple is introducing further controls over the management of Secure Tokens. At this moment in time, it doesn’t seem as though Apple is deviating from its original position: the primary user created at the initial bootstrapping of the machine is still granted the initial Secure Token and only those users can grant further Secure Tokens.

It does seem that, with Apple’s increased controls, it will ultimately be easier for IT admins to manage their fleets. For instance, the Catalina release notes claim to improve user creation specifically regarding MDMs, using a feature called “bootstrap tokens” to avoid some of the aforementioned Secure Token issues met while logging on to FileVault-enabled systems.

What macOS Catalina Means to JumpCloud

Regardless of where Apple’s macOS Catalina Secure Token work ends up, JumpCloud’s support for managing and controlling user identities on macOS systems and device management capabilities will continue to evolve to match the OS’s capabilities, as well as our customers’ needs. If you would like to learn more about JumpCloud’s Secure Token fixes, please contact us for more information.