Solved

Unable to REMOVE Secure Token from a user

  • August 10, 2023
  • 5 replies
  • 1043 views

macservit

I'm currently working on a workflow to resolve some missing Secure Tokens for users at a client site. Because I don't want to test on production machines, I've got a machine here that I've enrolled in my own Jamf tenant to test against. My issue? I can't REMOVE Secure Token from one of the test users on this machine so I can test the script.

FV is not enabled; the admin user has Secure Token. I run the following command in the CLI and get an error:

sudo sysadminctl -adminUser <username> -adminPassword <password> -secureTokenOff <username> -password <user-password>    

Result: "Operation is not permitted without secure token unlock"

(I also played around with the order of things in the command, no difference)

My GoogleFu is failing me because everything I'm finding relates to ADDING Secure Token to a user who does not already have it. 

 

Can anyone shed some light on this for me? Thanks

 

5 replies

TheAngryYeti
  • Employee
  • August 10, 2023

You cannot remove secure token programmatically from the only/last holder on the machine.  You must have another user that HAS it in order to revoke it from the other.  


macservit
  • Author
  • Contributor
  • August 10, 2023

Sorry my post wasn’t clear. I have 2 users with Secure Token. Admin account plus “sacrificial” test account that needs to have the token removed.

Sam Bergin
President & Founder
856-243-0150
www.Macserv.com

TheAngryYeti
  • Employee
  • August 10, 2023

HA! Ok. I've had varying success with what you posted above in the past, yet I've had great success using the interactive commands with it. Rich does a great job in the mini videos showing how to enable it; just substitute the syntax. As long as you are in the account you want to keep ST on, you should be able to complete it.


  • New Contributor
  • August 11, 2023

If you're looking to create test accounts that don't have a Secure Token, the quickest way to accomplish that is to create a policy in Jamf with the Local Accounts payload and put in whatever information you were looking for. I was testing something else around Secure Tokens and I learned that these accounts, when created and deployed, won't have a Secure Token until you attempt to log in with them.


macservit
  • Author
  • Contributor
  • Answer
  • August 11, 2023

Thanks for all the replies. At the end of the day, the solution was to leverage the Interactive switch in the command. I used the following:

sudo sysadminctl -secureTokenOff <username> -password <userpass> interactive

The username was for the account I was removing Secure Token from. I was then prompted for the logged-in admin credentials.
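The thread boils down to two checks before the revoke is attempted: the target account must actually hold a token, and a different account that also holds one must be available to authorise the removal. The script below is an added example, not code from the thread or from Jamf; it wraps that pre-flight around the `interactive` form that worked for the original poster. It assumes the status line `sysadminctl -secureTokenStatus <user>` writes to stderr on current macOS ("Secure token is ENABLED for user <name>" or "... DISABLED ..."), and it uses `-` in place of the password so that sysadminctl prompts for it rather than taking it on the command line. The `can_revoke` decision logic, the function names and the sample status lines are this example's own, not part of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight the Secure Token revoke described above.
# Assumes the macOS sysadminctl status line format
#   "sysadminctl[PID:TID] Secure token is ENABLED for user <name>"   (or DISABLED),
# which sysadminctl writes to stderr. Only the functions that run sysadminctl need a Mac.

# Classify one line of sysadminctl -secureTokenStatus output.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED for user "*)  echo ENABLED ;;
    *"Secure token is DISABLED for user "*) echo DISABLED ;;
    *)                                      echo UNKNOWN ;;
  esac
}

# Live query (macOS only). The status goes to stderr, hence 2>&1.
token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Decide whether revoking from TARGET is worth attempting, given the parsed
# status of TARGET and of the admin account that will authorise the removal.
# Returns 0 = go ahead, 1 = refuse (no other holder to authorise), 2 = nothing to do.
can_revoke() {
  target="$1" target_status="$2" admin="$3" admin_status="$4"
  if [ "$target_status" != ENABLED ]; then
    echo "$target does not hold a Secure Token ($target_status); nothing to revoke" >&2
    return 2
  fi
  if [ "$target" = "$admin" ] || [ "$admin_status" != ENABLED ]; then
    echo "refusing: $admin must be a different account that holds a Secure Token" >&2
    return 1
  fi
  return 0
}

# The form that worked in this thread: the admin credentials are requested at the prompt.
# Passing '-' as the password makes sysadminctl prompt for the target user's password too,
# so it never appears in ps output or shell history.
revoke_token() {
  sudo sysadminctl -secureTokenOff "$1" -password - interactive
}

# Usage on a Mac, run from the admin session you want to keep the token on:
#   sh revoke_check.sh <target-user> <admin-user>
if [ "$#" -eq 2 ]; then
  if can_revoke "$1" "$(token_status "$1")" "$2" "$(token_status "$2")"; then
    revoke_token "$1"
  fi
fi
```

Run it from a session logged in as the account that keeps its token, as TheAngryYeti suggests; `can_revoke` only refuses the obvious cases (target already without a token, or admin and target being the same account or the admin lacking a token), so the "Operation is not permitted without secure token unlock" error from sysadminctl itself still has to be checked on the real machine.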