Note: have a look at my new post regarding additional admin accounts and SecureToken:

Just a quick post before heading into the weekend, and leaving Secure Tokens far behind me for a couple of days. I just want to share this attempt to make a script to manage Secure Tokens prior to enabling FileVault.

The idea is to make sure that you have an administrator account with a Secure Token in case you want to be able to manipulate the tokens or FileVault later. This is especially important if you are limiting the end user to a non-admin/standard account, or using managed mobile accounts, during automated enrolment.

As I said in my previous post, you want to avoid enforcing FileVault on a non-admin account if you need multiple accounts with Secure Tokens: once the only token holder is a non-admin, it’s game over. Unless I’m really missing something. In that case, please share!

I made the script with the idea of running it before enabling FileVault, but you could also run it afterwards… if the end user is an admin token holder.

To automate Secure Token manipulation, we need the credentials of both the granting and the receiving user accounts. I’m passing the admin credentials via the $4 and $5 variables in Jamf Pro, but have a look at this GitHub link in case you want to add more security.
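A sketch of that flow as an added example (it is not the post's script or Jamf's code): the logged-in user, assumed to already hold a Secure Token, grants one to the management admin account passed in $4/$5, after the script checks that the receiver really is an admin and that the granter really holds a token. The osascript password prompt for the granting user and the use of Jamf's $3 (logged-in username) are my assumptions; the post does not say how it obtains the granting credentials.

```bash
#!/bin/bash
# Added example. Jamf Pro positional parameters assumed: $3 = logged-in user,
# $4 / $5 = management admin username / password (as the post describes).
ADMIN_USER="$4"
ADMIN_PASS="$5"
END_USER="$3"

# Map the text that `sysadminctl -secureTokenStatus` prints (on stderr) to one word.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                             echo UNKNOWN ;;
  esac
}

token_status_of() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Ask the logged-in user for their password with a hidden-input dialog (assumption).
prompt_password() {
  /usr/bin/osascript -e 'display dialog "Enter your login password so the management account can be enabled for FileVault." default answer "" with hidden answer buttons {"OK"} default button 1' \
    | awk -F'text returned:' '{print $2}'
}

main() {
  # The receiving account must be an admin, or the tokens cannot be managed later.
  if ! dseditgroup -o checkmember -m "$ADMIN_USER" admin >/dev/null 2>&1; then
    echo "$ADMIN_USER is not an administrator; aborting"; exit 1
  fi
  if [ "$(token_status_of "$ADMIN_USER")" = ENABLED ]; then
    echo "$ADMIN_USER already holds a Secure Token"; exit 0
  fi
  # Only a current token holder can grant a token.
  if [ "$(token_status_of "$END_USER")" != ENABLED ]; then
    echo "$END_USER has no Secure Token to grant; aborting"; exit 1
  fi
  END_USER_PASS="$(prompt_password)"
  sysadminctl -adminUser "$END_USER" -adminPassword "$END_USER_PASS" \
              -secureTokenOn "$ADMIN_USER" -password "$ADMIN_PASS"
  echo "Result for $ADMIN_USER: $(token_status_of "$ADMIN_USER")"
}

# sysadminctl only exists on macOS; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ] && [ -n "$ADMIN_USER" ]; then main "$@"; fi
```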

I also kept a few ‘echo’ statements in the script for troubleshooting.

Here is the link to the script. Let me know what you think! Useful? Comments or remarks? Please let me know!