Per the https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor
SettingsCommand.Command.Settings.MDMOptions.MDMOptions
the PromptUserToAllowBootstrapTokenForAuthentication default value is false.
Can you elaborate why the default value is false? From our testing on macOS 11 it would appear that when the value is false, only the primary account is able to log on to the device, because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the volume, so consequently the optional admin account cannot log on. This seems like a big change in macOS 11 that should be called out.
We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and log in.
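A way to verify the behaviour described above on a managed Mac is to list which accounts actually hold a FileVault unlock key and whether the device has escrowed a bootstrap token. The shell script below is an added example, not code from the original post or from Apple; it parses the `user,GUID` lines that `sudo fdesetup list` prints, using a constructed sample listing so the check runs offline, and wraps the live commands (`fdesetup list`, `profiles status -type bootstraptoken`) in a separate function for use on a real macOS host. The account names `primaryadmin`, `localuser` and `mdmadmin` are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not from the original post): check which local accounts can
# unlock the FileVault volume, from the "user,GUID" lines `sudo fdesetup list`
# prints on macOS. The listing below is constructed; account names and GUIDs
# are placeholders, not values from a real device.

# Constructed sample of `fdesetup list` output. "primaryadmin" is the primary
# account; "localuser" was created while logged in as it; "mdmadmin" is an
# optional admin created by the MDM and does not appear in the list.
SAMPLE_FDE_LIST="$(printf '%s\n%s' \
    'primaryadmin,11111111-2222-3333-4444-555555555555' \
    'localuser,66666666-7777-8888-9999-000000000000')"

# can_unlock USERNAME LISTING
# Exit 0 if USERNAME is a FileVault-enabled user in LISTING, 1 otherwise.
can_unlock() {
    _user=$1
    _listing=$2
    printf '%s\n' "$_listing" |
        awk -F, -v u="$_user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# unlock_users LISTING
# Print one username per line for every account that holds an unlock key.
unlock_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# report LISTING USER...
# For each USER, print whether it can unlock the volume (for an audit log).
report() {
    _listing=$1
    shift
    for _u in "$@"; do
        if can_unlock "$_u" "$_listing"; then
            echo "$_u: can unlock volume"
        else
            echo "$_u: NO unlock key (login at FileVault screen will fail)"
        fi
    done
}

# live_check: macOS only, must run as root. Shows the real FileVault user
# list and whether a bootstrap token has been escrowed to the MDM server.
live_check() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "live_check: run as root" >&2
        return 2
    fi
    fdesetup list
    profiles status -type bootstraptoken
}

# Offline demonstration against the constructed listing.
report "$SAMPLE_FDE_LIST" primaryadmin localuser mdmadmin
```

Run `live_check` as root on the device under test to compare the real listing with what the MDM created; an optional admin account missing from `fdesetup list` is the condition the post describes.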