Does anyone know how the "Allow user to be granted first secure token" workflow functions?

Question

I'm trying to figure out how "Allow user to be granted first secure token" functions on the back end. I have seen a few tools that will generate the first secure token for a local account they create if the secure token has not been generated yet. Apple is claiming this is impossible, which has me wanting to know how it works even more. Anyone know the terminal command the Jamf binary is using for this?

New Features and Enhancements - Jamf Pro Release Notes 11.2.0 | Jamf

Tribruin · Accepted Answer

It has been a while since I have looked at this, but reading from Apple's Secure Token documentation:

In macOS 11 or later, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute before setting the user’s password, as shown below:

sudo dscl . -append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"

If I am reading this correctly, if you have a policy that creates the first user BEFORE another user is created, that first user will get a Secure Token, if you don't set the tag. In most cases, that is probably not what you want, so Jamf defaults to setting the tag when creating the user.

However, if, for some reason, you want that policy created user to get the Secure Token before anyone logs in, you can disable the Tags, which SHOULD give the first user an ST.

This sounds vaguely familiar, but I could be wrong.

This is your answer!

I’ll just add that by default, Jamf have chosen to make sure this user does not get a token, which is the correct thing to do unless explicitly chosen.
Any user that is created and has its password set programatically, will receive a token.

This was how some of us were made sure, our secure token workflow could apply to our local accounts, before first login (without needing to touch a device).

Bol · Answer

It has been a while since I have looked at this, but reading from Apple's Secure Token documentation:

In macOS 11 or later, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute before setting the user’s password, as shown below:

sudo dscl . -append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"

If I am reading this correctly, if you have a policy that creates the first user BEFORE another user is created, that first user will get a Secure Token, if you don't set the tag. In most cases, that is probably not what you want, so Jamf defaults to setting the tag when creating the user.

However, if, for some reason, you want that policy created user to get the Secure Token before anyone logs in, you can disable the Tags, which SHOULD give the first user an ST.

This sounds vaguely familiar, but I could be wrong.

This is your answer!

I’ll just add that by default, Jamf have chosen to make sure this user does not get a token, which is the correct thing to do unless explicitly chosen.
Any user that is created and has its password set programatically, will receive a token.

This was how some of us were made sure, our secure token workflow could apply to our local accounts, before first login (without needing to touch a device).

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded