There really is no easy way to do this. You could prompt the user for THEIR password in a script and then use the:
sysadminctl -secureTokenOn
command to enable a Secure Token. But that would require passing the admin's password in your script (or as arguments in Jamf). That is a very bad idea.
FWIW, we don't worry about SecureToken for the admin. If a user forgets his password (the reason you most likely need to have the admin login after a reboot), we just use the PRK to unlock drive and reset the user password.
@JureJerebic
I wouldn't recommend creating the 1st user as admin like that. There is a Big Sur bug that Apple won't fix that will cause the Setup Assistant to crash; it was supposedly fixed in Monterey (I don't believe that it is)... and with the move to Apple silicon the idea of users not being admins is way more complicated than it's ever been... read this, the section about Volume ownership:
https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
With Apple thinking like this it's easy to see that if we do user management on the device we could be making a good decision now for Monterey; however, it could break when the next major upgrade is released and there is no solution to fix/change the user config ahead of time.
Sorry that I am making it worse, but I would guess that in a few years everyone is going to have to be admin....
C
After reaching out to Jamf support, they gave me this link, which also helps a lot and comes to the same conclusions as you guys:
https://travellingtechguy.blog/additional-admin-with-securetoken-or-not/
What is PRK and how do we use it?
I'm also curious to know how to enable FileVault 2 for the local admin account, without any user intervention. The main reason we need the 'admin' account to be FileVault 2 enabled is due to CyberArk's installation. When using the commands -u & -p, it requires the 'admin' account to have a Secure Token (within FV2).
Cannot be done, as mentioned above. Either the admin user needs to login using their account (assuming a bootstrap token is escrowed) or a user with a Secure Token enables a ST for another user (which needs the user's password).
What are you running into with CyberArk? We are in the process of rolling and haven't needed to worry about having a separate admin account. But, we haven't done more than install it with a basic policy. I am curious what you are trying to do.
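Since both routes above depend on someone's password, the safe thing to automate is the check, not the grant. The script below is an added example (not from this thread or from Jamf/Apple): a Jamf-style extension attribute that reports whether the local admin holds a SecureToken and whether the Bootstrap Token is escrowed, using only read-only commands and no credentials. The admin account name `admin` and the environment variable `ADMIN_USER` are assumptions.

```shell
#!/bin/sh
# Added example: report SecureToken / Bootstrap Token state without handling passwords.
# ADMIN_USER is an assumed name; override it with the real local admin account.
ADMIN_USER="${ADMIN_USER:-admin}"

# `sysadminctl -secureTokenStatus <user>` writes its verdict to stderr, e.g. (constructed sample):
#   sysadminctl[412:9876] Secure token is ENABLED for user admin
# Normalise that text to ENABLED / DISABLED / UNKNOWN.
parse_secure_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "ENABLED" ;;
    *"Secure token is DISABLED"*) echo "DISABLED" ;;
    *)                            echo "UNKNOWN" ;;
  esac
}

# `profiles status -type bootstraptoken` prints lines like (constructed sample):
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: YES
# Only the escrow line matters for "can the admin get a token by logging in".
parse_bootstrap_escrow() {
  case "$1" in
    *"escrowed to server: YES"*) echo "ESCROWED" ;;
    *"escrowed to server: NO"*)  echo "NOT_ESCROWED" ;;
    *)                           echo "UNKNOWN" ;;
  esac
}

# Live queries: read-only, no password required, safe to run from a Jamf policy or EA.
secure_token_status() {
  parse_secure_token_status "$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)"
}

bootstrap_status() {
  parse_bootstrap_escrow "$(profiles status -type bootstraptoken 2>&1)"
}

# Emit the Jamf extension-attribute result only when actually running on macOS;
# the parsers above are pure functions and can be exercised on any platform.
if [ "$(uname)" = "Darwin" ] && [ -z "${EA_NO_MAIN:-}" ]; then
  echo "<result>SecureToken($ADMIN_USER)=$(secure_token_status); BootstrapToken=$(bootstrap_status)</result>"
fi
```

A smart group built on this attribute shows which of the 800+ machines still need the admin to log in once (with the Bootstrap Token escrowed) before a tool like CyberArk can rely on that account.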
Hi thanks for the reply! According to CyberArk, the -adminUser & -adminPassword are required when creating the PKG. If they aren't included, devices will not get added in the vault and the password will not rotate. Is this not true?
Within CyberArk's Documentation, if you use -adminUser, a Secure Token (FileVault) is required.

This comes from their documentation here: https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/Installation/macOS-InstallAgents.htm#Install
And in order to enable that FileVault Secure Token for the local admin user account, it requires manual intervention from each user. And that isn't an option considering we have 800+ MacBooks to configure.
This used to be possible in Jamf...

But ever since we upgraded way past 10.13, we are unable to use this Jamf method.
Is that to handle password rotation? I didn't build the installer for CyberArk for our environment, so I am not that familiar with the need for an admin username / password. I will have to ask my associate.
Yes, I believe it is to handle the credential rotation, as well as check-in to the CyberArk Vault.

I also just noticed there's an environment parameter option. Where would I put that within Jamf? This may be the solution to my issue.