Hi Apple Community,
We are using Automted Device Enrollment to Enroll macOS Devices and we used to Create AutoAdmin, PrimaryAccount using the Command Account Configuration . As a Part of Primary Account Creation while testing we see that BootStrap Token is Escrowed to MDM, and SecureToken is Created to Primary Account. The Primary Account user will enable FileVault as part of our process.
As Tested internally, we seen that SecureToken is escrowed to AutoAdmin only when BootStrapToken is escrowed to MDM By device and AutoAdmin logs in then. That too After FileVault Unlock
Since we Sendout the Laptop to users to setup themselves there are no chances of AutoAdmin Login to occur. And it defeats the purpose of having the AutoAdmin Account in emergency situation to login into it from Login Window.
Can someone confirm if this behavior is expected and what are the expectation and recommendations from Apple on when to use AutoAdmin Account. Is there any other ways to use AutoAdmin directly from LoginWindow Before To FileVault Disk Unlock