Question

Beating a deadhorse - SecureTokens, Management Accounts, and Filevault

Forum|Forum|7 years ago
May 3, 2018
31 replies
190 views

+22

boberito
Jamf Heroes

I imagine I'm not alone on this. I set up a 10.13.4 machine with DEP.

In the prestage enrollment, I have it create our admin account(account ID of 501, not a hidden account). Skip the setup user stuff and most the setup assistant.

I thought I figured out how to get a secureToken, that if I logged in as our local management admin account as the first user instead of an AD account(which creates a managed mobile account). It would give the management account the secureToken and no problems and I could then use FileVault on the machine. I swear this was working. And now it isnt....

Has anyone figured out a workaround or solution?

I've thought about when I redo a machine from scratch we could install 10.12, set everything up then upgrade to 10.13. This will work with machines we currently own but not newly purchased. I've also thought about squeezing the last life out of imaging since you can(but shouldn't) image using HFS+.

Show first post

Forum|pagination.label 2 / 2

+11

szultzie
Valued Contributor
Forum|Forum|7 years ago
May 15, 2018

So just a follow up, turns out I hit this PI.

(PI-005185) macOS DEP management account creation variations

"Management account home directory is created in /Users/ and UID is set to 501 (first account created)

If you enable the Account Settings payload none of the accounts created get a secureToken which should be granted to the first account created and is needed for filevault functionality."

So hopefully it gets fixed in the next version of Jamf Pro.

-Peter

wolftech
Contributor
Forum|Forum|7 years ago
June 15, 2018

I'm running JSS 10.5.0... I've just confirmed that using the "Change Account Password" option under the Management Accounts payload in a JAMF policy will both change the management account's password AND enable the secureToken for that account.

Tested on a couple machines.

Still need a way to deal with our local admin account as "Change Account Password" isn't an option under the Local Accounts payload... still, progress...

wolftech
Contributor
Forum|Forum|7 years ago
June 16, 2018

huzzah!... and now that the Management account has secureToken, able to write a script that will then turn it on for our local admin account as well... with zero interaction with the user (who already has the token since they're the one who either logged in first or did the upgrade from 10.12).

+15

apizz
Honored Contributor
Forum|Forum|7 years ago
June 16, 2018

That's fantastic news! So theoretically, machine gets enrolled, you change the password on the management account to get it the secureToken, and then you create your local user accounts so that they get the secureToken as well?

wolftech
Contributor
Forum|Forum|7 years ago
June 17, 2018

Hrm... caveats... the computers I'm testing on were upgraded to 10.13 -- but originally were 10.12.6 machines with FV2 enabled (IRK + PRK) which already had local account, local admin, and management account all FV2 enabled.

Beginning tests on new 10.13 machines now. Initial test failed.

Trying to get my new FV2 for 10.13 machines ConfProf setup correctly to mirror my old 10.12 setup. I'm hoping the IRK might be the diff.

But I'm worried that its the fact that the management account was already FV2 enabled -- even though it didn't have the SecureToken and thus was behaving like it wasn't FV2 enabled -- that allowed the change paswd option to work.

(update: Confirmed that the machines where this is working does list all of the users when running sudo fdesetup list -- even though two of them don't have secureToken enabled. )

+15

apizz
Honored Contributor
Forum|Forum|7 years ago
June 17, 2018

@wolftech hmmm ... I'm wondering then if the initial efforts regarding the secureToken should be getting it to the management account so that subsequent users created via policy also get it ...

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded