Does anyone know how the "Allow user to be granted first secure token" workflow functions?

AJPinto
Esteemed Contributor

I'm trying to figure out how "Allow user to be granted first secure token" functions on the back end. I have seen a few tools that will generate the first secure token for a local account they create if the secure token has not been generated yet. Apple is claiming this is impossible, which has me wanting to know how it works even more. Anyone know the terminal command the Jamf binary is using for this?

 

 

AJPinto_1-1724356816634.png

New Features and Enhancements - Jamf Pro Release Notes 11.2.0 | Jamf

1 ACCEPTED SOLUTION

Tribruin
Valued Contributor II

It has been a while since I have looked at this, but reading from Apple's Secure Token documentation:

In macOS 11 or later, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute before setting the user’s password, as shown below:

sudo dscl . -append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"

If I am reading this correctly, if you have a policy that creates the first user BEFORE another user is created, that first user will get a Secure Token, if you don't set the tag. In most cases, that is probably not what you want, so Jamf defaults to setting the tag when creating the user. 

However, if, for some reason, you want that policy created user to get the Secure Token before anyone logs in, you can disable the Tags, which SHOULD give the first user an ST.

This sounds vaguely familiar, but I could be wrong.

View solution in original post

4 REPLIES 4

Tribruin
Valued Contributor II

It has been a while since I have looked at this, but reading from Apple's Secure Token documentation:

In macOS 11 or later, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute before setting the user’s password, as shown below:

sudo dscl . -append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"

If I am reading this correctly, if you have a policy that creates the first user BEFORE another user is created, that first user will get a Secure Token, if you don't set the tag. In most cases, that is probably not what you want, so Jamf defaults to setting the tag when creating the user. 

However, if, for some reason, you want that policy created user to get the Secure Token before anyone logs in, you can disable the Tags, which SHOULD give the first user an ST.

This sounds vaguely familiar, but I could be wrong.

Bol
Valued Contributor

This is your answer!

I’ll just add that by default, Jamf have chosen to make sure this user does not get a token, which is the correct thing to do unless explicitly chosen. 
Any user that is created and has its password set programatically, will receive a token.

This was how some of us were made sure, our secure token workflow could apply to our local accounts, before first login (without needing to touch a device). 

AJPinto
Esteemed Contributor

Amazing thank you. I had stumbled across something similar last night from the traveling tech guy. Seems this is known as the "Race Condition". 

Bol
Valued Contributor

I haven't seen it called that before and I've read those blogs, so it may be something slightly different within organising a particular token holder workflow (timing is important, as always!)
If you want to read more, here is Apple's documentation on secure token deployment / commands as mentioned above;

https://support.apple.com/en-au/guide/deployment/dep24dbdcf9e/1/web/1.0

Bol_0-1724426107541.png