Script to manage Secure Tokens on macOS 10.14.2+

Just a quick post before heading into the weekend, and leaving Secure Tokens far behind me for a couple of days. I just want to share this attempt to make a script to manage Secure Tokens prior to enabling FileVault.

The idea is to make sure that you have an Administrator Account with a Secure Token in case you want to be able to manipulate the tokens/FileVault later. This is especially important in case you are limiting the end user to creating a non-admin/standard account or using managed mobile accounts at automated enrolment.

As said in my previous post, you want to avoid enforcing FileVault on a non-admin if you need multiple accounts with Secure Tokens. Once the only token holder is not an admin, it’s game over. Unless I’m really missing something. In that case, please share!

I made the script with the idea to run it before enabling FileVault. But you could run it afterwards, if the end user is an Admin token holder.

To automate Secure Token manipulation, we need the credentials of both the granting and the receiving user account. I’m passing the Admin credentials via the $4 and $5 variables in Jamf Pro, but have a look at this GitHub link in case you want to add more security.

I also kept a few ‘echo’ statements in the script for troubleshooting.

Here is the link to the script. Let me know what you think! Useful? Comments or remarks? Please let me know!


4 thoughts on “Script to manage Secure Tokens on macOS 10.14.2+”

  1. I tried something to avoid asking the end user for his/her password.

    This by using sysadminctl to grant a token to itself post enrolment. This works if there are no token holders. Just like the command I used in the script to grant a token to both the ‘IT Admin’ and the end user.

    However, because the ‘IT Admin’ becomes the token holder, the end user standard account without a token can’t enable FileVault. I ended up having the error on the profile again. You will have to grant the end user a token… ending up asking for the password again.

    This means that there is no workaround. If you want to manipulate tokens, you have to ask the end user for his/her password, whatever approach you take.

    This makes me believe that my script, applied post enrolment before enabling FileVault, is the only way to go.

    In case you do end up with a non-admin token holder (and no admin token holder available) you can actually promote the end user to admin, manipulate the tokens and demote again. Dirty but it works and it’s the only workaround.

    Please tell me if you find something I am missing!

  2. Can you help? I have many end users who are not admin but have a token, and the admin does not. Can you point out where I can promote/demote automatically in the script?

    1. Hi Daniel, I added a piece of code on line 138 which promotes the Standard Account, grants a token to the ‘IT Admin’ account, and demotes the user again.

      Please test before using in production, and let me know if it works for you. I just tested it and all seems fine.
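The token check, the sysadminctl grant from the post, and the promote/grant/demote workaround from the comments, as an added example that is not the post's script: it reads the token holder and recipient credentials as positional arguments (the post passes the admin credentials as $4 and $5 in Jamf Pro), promotes the granting account only if it is not already an admin, and demotes it again afterwards. The sample sysadminctl output lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the post's own script. Run as root on the Mac:
#   ./grant_token.sh <holder> <holderPassword> <recipient> <recipientPassword>
# <holder> must already hold a Secure Token; it is promoted to admin only for
# the duration of the grant if it is a standard account.

# Classify the status line sysadminctl -secureTokenStatus prints (on stderr).
token_status_from_output() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "enabled" ;;
    *"Secure token is DISABLED"*) echo "disabled" ;;
    *)                            echo "unknown" ;;   # unknown user or error
  esac
}

# True (exit 0) when the account holds a Secure Token.
has_secure_token() {
  local out
  out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
  [ "$(token_status_from_output "$out")" = "enabled" ]
}

# True when the account is a member of the local admin group.
is_admin() {
  dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Grant a token to $3 (password $4) using token holder $1 (password $2).
grant_token() {
  local promoted=0 rc
  if ! is_admin "$1"; then
    dseditgroup -o edit -a "$1" -t user admin || return 1   # temporary promotion
    promoted=1
  fi
  sysadminctl -adminUser "$1" -adminPassword "$2" -secureTokenOn "$3" -password "$4"
  rc=$?
  [ "$promoted" -eq 1 ] && dseditgroup -o edit -d "$1" -t user admin   # demote again
  return "$rc"
}

if [ "$#" -eq 4 ]; then
  if has_secure_token "$3"; then
    echo "$3 already holds a Secure Token"
  else
    grant_token "$1" "$2" "$3" "$4" && echo "Secure Token granted to $3"
  fi
fi
```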
