Script to manage Secure Tokens on macOS 10.14.2+

Just a quick post before heading into the weekend, and leaving Secure Tokens far behind me for a couple of days. I just want to share this attempt to make a script to manage Secure Tokens prior to enabling FileVault.

The idea is to make sure that you have an Administrator Account with a Secure Token in case you want to be able to manipulate the tokens/FileVault later. This is especially important in case you are limiting the end user to creating a non-admin/standard account or using managed mobile accounts at automated enrolment.

As said in my previous post, you want to avoid enforcing FileVault on a non-admin if you need multiple accounts with Secure Tokens. Once the only token holder is not an admin, it’s game over. Unless I’m really missing something. In that case, please share!

I made the script with the idea to run it before enabling FileVault. But you could run it afterwards…. if the end user is an Admin token holder.

To automate Secure Token manipulation, we need the credentials of both the granting as the receiving user account. I’m passing the Admin credentials via the $4 and $5 variable in Jamf Pro, but have a look at this gitHub link in case you want to add more security.

I also kept a few ‘echo’ statements in the script for troubleshooting.

Hereby the link to the script. Let me know what you think! Useful? Comment or remarks? Please let me know!


Print Friendly, PDF & Email

6 thoughts on “Script to manage Secure Tokens on macOS 10.14.2+”

  1. I tried something to avoid asking the end user for his/her password.

    This by using sysadminctl to grant a token to itself post enrolment. This works if there are no token holders. Just like the command I used in the script to grant a token to both the ‘IT Admin’ and the end user.

    However, because the ‘IT Admin’ becomes the token holder, the end user standard account without a token can’t enable FileVault. I ended up having the error on the profile again. You will have to grant the end user a token… ending up asking for the password again.

    This means that there is not workaround. If you want to manipulated tokens, you have to ask the end user for his/her password, whatever approach you take.

    This makes me believe that my script applied post enrolment, before enabling FileVault is the only way to go.

    In case you do end up with a non-admin token holder (and no admin token holder available) you can actually promote the end user to admin, manipulate the tokens and demote again. Dirty but it works and it’s the only workaround.

    Please tell me if you find something I am missing!

  2. Can you help, I have manny endusers who are not admin but have token and admin does not. Can you point out where I can promote/demote automatically in the script?

    1. Hi Daniel, I added a piece of code on line 138 which promotes the Standard Account, grants a token to the ‘IT Admin’ account, and demotes the user again.

      Please test before using in production, and let me know if it works for you. I just tested it and all seems fine.

  3. Hi TTG,

    Testing out your script. When I run it as an end user it prompts me for a password to enable FileVault, am I suppose to enter the end user’s password there? If so, I keep getting a return message that the password is incorrect. Can you advise on what I could be doing wrong.

    1. Hi! Well, the script is actually made to be used remotely in Jamf Pro. It actually does not enable FileVault, but as I mentioned in the comments at the bottom, you could. The idea of the script is to fix Secure Tokens. This for the different scenarios as outlined in the script where you might have a Mac with no Secure Token holders, or only some user accounts.

      As discussed in my previous posts there have been issues with macOS Mojave 10.14.1 where you might end up with a Mac with no Secure Token holder and no way to fix it due to a bug. This has been fixed in 10.14.2 and my script is an example of how you could manage the different scenarios.

      The fact is, you need to be an admin to manage Secure Tokens, and to grant another user account a token you need the password of that account. Hence the idea is that you use a known admin account (with or without token), and ask the end user for its password if you want to give that end user a token.

      You could do that manually on the device by using the sysadminctl command, but the idea is to do this remotely. Because the script is intended to be used via Jamf Pro I used variables in the script.

      # additional Admin credentials
      #add encryption

      Those can be passed via a Jamf Pro policy. The user account of the end user will be fetched in the script and the user password will be prompted.

      If however you want to run the script locally, you will have to change it. Either hard code the admin account and password, or script a prompt for it.

      The question is however, why would you script this if locally you could just use the sysadminctl command with appropriate flags following the situation you want to fix.

      As said, the script is just to cover all possible scenarios remotely.

Leave a Reply

Your email address will not be published. Required fields are marked *