Secure Token for a local admin

I would recommend this blog post:

Additional admin with SecureToken, or not? - Travelling Tech Guy

In short, there is no easy way to do what you are asking. So, the question then becomes why do you need your local admin to have a Secure Token? What are you trying to accomplish that requires your local admin to have a secure token?

For example, we use Automox for updates. To enable automox, it requires an account with a secure token to authorize.
Also, it would just be nice if our local admins have absolute, full access on the machine. Instead of leaning on users to approve things while we troubleshoot, if needed.

I'll check the article though, thanks.

You hit the nail on the head; the only way for a user to gain a secure token is either through a login to the endpoint or an existing user with a token to grant it. Fortunately, there are scripts that can be leveraged for the latter which avoids the standard user needing admin rights to enable your local admin account for a secure token.

As a general rule I recommend against having a generic management account having a secure token, but you know your situation/needs.

Thanks. I ended up talking to Automox (the main reason we need the secure token) and they have a workaround for situations where only the local user has one, so I think I got this solved without requiring a secure token on the admin account.
I still don't like this though, it seems strange that the local user (standard or admin either way) is the gatekeeper for things, rather than simply letting admins manage the device 100%, but hey I don't work for Apple and apparently they know better than I do lol. Thanks.

Thanks for your post. 

To confirm, there is no way to generate a securetoken for an account without providing the password of an existing account that has one ? 

From what I've read, sysadminctl requires the password of an existing account which is the part that drives me nuts. Trying to find a way to do this via JAMF without having to provide a password. 

Only users that have logged in to mac get a secure token.Only admins with a secure token, can create new tokens with terminal.

Did this get solved for you, if so how? We're trying to do this for our already deployed M1 macs with as little user intervention as possible. 

There is no solution, you need to login to the mac to get a token. Meaning, local admins won't receive on natively.

How did you work around it in your post above? Did you log the admin account into all of your mac deployments?

We just dont have secure tokens for our local admins. Only the user does. It's a pain, but welcome to the mac admin world I guess.

Though specifically for Filevault enablement, there is a script that Jamf shared with me that will enable filevault under the running user. If that would help, but it doesn't grant local admin a secure token.

Hi AlexSoo,

Do you have automox documentation link for this? 
Or do you have more details on this work around? 
I'm implementing automox and having this exactly same issue. 

Thank you

We're evaluating Automox & have run into the same snag that AlexSoo mentioned in this thread. Was there ever a solution found on how to automate this securely? 

Here's an automox documentation link for this:

https://docs.automox.com/product/Product_Documentation/Agents/Agent_Installation/Install_and_Configure_Automox_Agent_for_Apple_Silicon_Devices.htm