Skip to main content
Solved

No Secure Token User after Pre-Stage Enrolment macOS 10.15.3

  • February 18, 2020
  • 7 replies
  • 60 views
R
Forum|alt.badge.img+6

I am encountering the following problem:

Wenn enrolling a MacBook Pro (10.15.3) using the pre-stage enrollment I end up with 2 users:
501 - jamfAdmin (Configured in the pre-stage enrollment payload)
502 - local Admin (Configured Manually during the Setup)

The problem is that neither of these users has a secure token.
Trying to grant my local admin a secure token, does not work either as the local admin does not have a secure token unlock.

According to the following blog post: https://travellingtechguy.eu/macos-catalina-secure-tokens-part-1-local-accounts/
My created user should get a secure token.

Is anybody else experiencing the same problem or has some insight, as to why this issue is occurring.

Best answer by RolfZ

Hi, thank you all for helping me out. I am pretty sure, that I was able to isolate the problem.
It is as follows:
If you wipe the mac and perform an installation of Catalina using the network recovery, everything works, a user is created with a secure token, all is fine. (Prefill Primary account information had no effect, I got the same behaviour with it enabled and disabled)

Now since I was testing the prestage enrollment I created a time machine snapshot during the initial setup, before selecting the setup language. I then used this snapshot as a restore point, so I wouldn't always have to reinstall the whole OS just to test the process.

After extensive testing (Hence why it took me so long to respond, sorry) I can consistently reproduce the behaviour of having no user with a secure Token, only when restoring from the Time Machine snapshot.

My conclusion is, that when restoring this time machine backup, something gets messed up in the way users are given a secure token.

Another side effect, often (not always) the user creation would come back with an error when creating the user, the fix for the side effect was to perform an SCM and PRAM and NVRAM reset, then the user creation would work.

RainerNRW

7 replies

K
Forum|alt.badge.img+1

Hi Zurbrügg

have you tried skipping "Account Settings" Pane in PreStage Enrollment? JamfAdmin will be created anyway. I had a similiar problem with Jamfcloud 10.18.

R
R
Forum|alt.badge.img+6
  • RolfZ
  • Author
  • New Contributor
  • February 18, 2020

Hi Karsten Yes, I have tried to "Skip Account Creation". This then puts me in the situation were the JamfAdmin account is created and no other account. The problem is, that I don't have access to the JamfAdmin account, as we configured the management account to be created with a random and unique password. So, unfortunately, this is not an option :(

stevewood
Forum|alt.badge.img+38
  • stevewood
  • Hall of Fame
  • February 18, 2020

@RolfZ

I have seen situations where you get a "false positive", or is it a "false negative". Basically where no users appear to have a token, but when you attempt to enable FV while logged into the account created during Setup Assistant, that user actually does get a token granted. You should be able to use this command diskutil apfs listCryptoUsers / to determine if any users are enabled as crypto users. This should allow the user to be enabled for FV which grants the user a token.

I found that command, along with this one sudo fdesetup list -extended to be extremely useful in our troubleshooting efforts. Both of those came from this article: Apple releases long-awaited SecureToken documentation

R
A
Forum|alt.badge.img+4
  • ateazzie
  • Contributor
  • February 18, 2020

Hi, do you have pre-fill primary account information ticked, if so tick it off.

R
J
Forum|alt.badge.img+14
  • jtrant
  • Honored Contributor
  • February 19, 2020

What account does have a Secure Token? Run the commands below to find out:

List accounts by Generated UID: dscl . list /Users GeneratedUID
List users with Secure Token (use UID from above to identify): diskutil apfs listcryptousers /

This might help you narrow down the problem.

R
R
Forum|alt.badge.img+6
  • RolfZ
  • Author
  • New Contributor
  • Answer
  • February 21, 2020

Hi, thank you all for helping me out. I am pretty sure, that I was able to isolate the problem.
It is as follows:
If you wipe the mac and perform an installation of Catalina using the network recovery, everything works, a user is created with a secure token, all is fine. (Prefill Primary account information had no effect, I got the same behaviour with it enabled and disabled)

Now since I was testing the prestage enrollment I created a time machine snapshot during the initial setup, before selecting the setup language. I then used this snapshot as a restore point, so I wouldn't always have to reinstall the whole OS just to test the process.

After extensive testing (Hence why it took me so long to respond, sorry) I can consistently reproduce the behaviour of having no user with a secure Token, only when restoring from the Time Machine snapshot.

My conclusion is, that when restoring this time machine backup, something gets messed up in the way users are given a secure token.

Another side effect, often (not always) the user creation would come back with an error when creating the user, the fix for the side effect was to perform an SCM and PRAM and NVRAM reset, then the user creation would work.

K
R
Forum|alt.badge.img+6
  • RolfZ
  • Author
  • New Contributor
  • February 21, 2020

For completeness, here is the output of all the commands you guys asked me to run:
(Thanks again for the help)

roro@MacBook-Pro ~ % diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5 (2 found)
|
+-- 8E36EBE6-F590-46F2-B472-57182A7AE05C
|   Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
    Type: MDM Bootstrap Token External Key



roro@MacBook-Pro ~ % sudo fdesetup list -extended
ESCROW  UUID                                                                     TYPE USER
        8E36EBE6-F590-46F2-B472-57182A7AE05C                             Unknown User
        2457711A-523C-4604-B75A-F48A571D5036                          Bootstrap Token


roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID
_amavisd                 FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000053
_analyticsd              FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000107
…
daemon                   FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000001
jamf                     618AB5E4-5A2B-4BF4-8E95-63C69EDE1DD7
nobody                   FFFFEEEE-DDDD-CCCC-BBBB-AAAAFFFFFFFE
root                     FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
roro                     8C509048-2940-49B0-9763-C28C5CAA7C7F
roro@MacBook-Pro ~ % diskutil apfs listcryptousers / 
Cryptographic users for disk1s5 (2 found)
|
+-- 8E36EBE6-F590-46F2-B472-57182A7AE05C
|   Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
    Type: MDM Bootstrap Token External Key

roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID | grep 8E36EBE6-F590-46F2-B472-57182A7AE05C
roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID | grep 2457711A-523C-4604-B75A-F48A571D5036
roro@MacBook-Pro ~ %
Terms & ConditionsCookie settingsAccessibility statement