
Troubleshooting

Bartłomiej Sojka edited this page Oct 11, 2024 · 2 revisions

If Bootstrap Buddy is not functioning as expected, consider the following before seeking assistance. Additionally, check our FAQ page for useful tips, including how to retrieve Bootstrap Buddy logs.

Is the plugin properly installed and configured?

The following indicators will be present on Mac computers when Bootstrap Buddy is installed and configured:

  • The Bootstrap Buddy bundle is installed at /Library/Security/SecurityAgentPlugins/Bootstrap Buddy.bundle

  • The output of /usr/bin/security authorizationdb read system.login.console contains the following line:

    <string>Bootstrap Buddy:Invoke,privileged</string>
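
The two indicators above combined into one check, as an added example that is not part of the Bootstrap Buddy project. The `bb_state` and `sample_authdb` helpers and the state names are hypothetical, and the sample plist is constructed; on a Mac the script reads the live authorization database instead.

```shell
#!/bin/sh
# Added example (not Bootstrap Buddy project code): evaluate both indicators.
BUNDLE="/Library/Security/SecurityAgentPlugins/Bootstrap Buddy.bundle"
MECHANISM="<string>Bootstrap Buddy:Invoke,privileged</string>"

# bb_state BUNDLE_PATH
# Reads the output of `security authorizationdb read system.login.console`
# on stdin and prints one state name (state names are hypothetical).
bb_state() {
    bundle_ok=no; mech_ok=no
    [ -d "$1" ] && bundle_ok=yes
    # Fixed-string match on the whole entry, so a partial mechanism name
    # (for example one without ",privileged") does not count.
    grep -Fq "$MECHANISM" && mech_ok=yes
    case "$bundle_ok,$mech_ok" in
        yes,yes) echo "configured" ;;
        yes,no)  echo "bundle-present-mechanism-missing" ;;
        no,yes)  echo "mechanism-present-bundle-missing" ;;
        *)       echo "not-installed" ;;
    esac
}

# Constructed, trimmed sample of the authorization database output.
sample_authdb() {
    cat <<'EOF'
<key>mechanisms</key>
<array>
	<string>loginwindow:login</string>
	<string>Bootstrap Buddy:Invoke,privileged</string>
	<string>loginwindow:done</string>
</array>
EOF
}

if command -v security >/dev/null 2>&1; then
    # On a Mac: check the live authorization database and the real bundle path.
    security authorizationdb read system.login.console 2>/dev/null | bb_state "$BUNDLE"
else
    # Elsewhere: run against the constructed sample (the bundle will be absent).
    sample_authdb | bb_state "$BUNDLE"
fi
```

A single state string like this can be reported as an extension attribute or device fact, so a Mac where only one of the two indicators is present stands out in inventory.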
    

Is the plugin up to date?

You can check which version of the Bootstrap Buddy bundle is installed with this command:

defaults read /Library/Security/SecurityAgentPlugins/Bootstrap\ Buddy.bundle/Contents/Info.plist CFBundleShortVersionString

The above could be incorporated into an extension attribute or a device fact in your management framework, if you choose.

You can also use this command to output the date/time Bootstrap Buddy was most recently installed:

date -r $(pkgutil --pkg-info com.inetum.Bootstrap-Buddy | awk '/install-time/ {print $NF}')

Is the user logging in a Volume Owner?

Bootstrap Buddy will only generate a new bootstrap token upon login if the user who is logging in is a Volume Owner.

Whether a given user is a Volume Owner can be determined precisely with the following:

USERNAME=user_here; diskutil ap listUsers -plist / | xmllint --xpath '//string[.="'$(sudo fdesetup list | awk -F, '/'$USERNAME'/{print $NF}')'"]/following-sibling::key[.="VolumeOwner"]/following-sibling::*[1]' - | tr -d '</>'

However, that command is overly complicated; checking whether the account is on the list of FileVault-authorized users is usually enough:

sudo fdesetup list

Does the Mac have network connectivity?

If the Mac is offline at login time, the token validation will fail and Bootstrap Buddy will not take any action, allowing the login process to proceed.

Did your MDM retrieve the token?

Contact your MDM vendor for specifics.

Does the Mac have a broken MDM agent?

Check to ensure your Mac is still in communication with your MDM. Good indicators of this are:

  • System Settings > Privacy & Security > Profiles shows the expected profiles
  • Commands and profile installations/removals from your MDM server are not stuck in "pending" state
  • Running log stream --predicate 'process="mdmclient"' while initiating a push command from MDM shows some output

Are users being blocked from logging in?

See the Recovery page.

I’ve read all of the above and I’m still having a problem. How can I get help?

If you’re encountering issues not addressed above or on our FAQ page, please search our issues (both open and closed) to see whether your issue has already been addressed there. If not, you can open an issue.

For a faster and more focused response, be sure to provide the following in your issue:

  • Log output (see wiki for information on retrieving logs)
  • macOS version you’re deploying to
  • MDM (name and version) you’re using
  • What troubleshooting steps you’ve already taken
  • Any relevant error messages or unexpected behavior observed