Enable secure token for local admin
Posted on 04-24-2023 02:51 AM
Hello everyone,
I have noticed that our Macs' local admin account has secure token disabled. The standard accounts are not admins and have secure token enabled.
I wonder if I can push a script to the logged-in accounts to enable secure token for the local accounts.
I ran the command below locally:
sudo sysadminctl -secureTokenOn "username" -password "password" -adminUser "username" -adminPassword "password"
Got error:
2023-04-24 11:37:52.233 sysadminctl[2349:18595] ### Error:-14090 File:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/Admin_sysadminctl/addremoveuser/main.m Line:377
2023-04-24 11:37:52.234 sysadminctl[2349:18595] Operation is not permitted without secure token unlock.
Granting the standard account admin rights: same.
Any idea?
04-24-2023 09:36 AM - edited 04-24-2023 09:37 AM
In order to give your users secure token rights it will either require user interaction or for you to know their passwords. We use something like this with user interaction:
#!/bin/bash
###############################################################################################################
## This Script will enable the secure Token on LDAP Accounts on Macs with an account that has a secure token ##
## This will only work if the LDAP User is logged in, and requires user interaction to enter their password ##
###############################################################################################################
loggedInUser=$(stat -f %Su /dev/console)
UserPWD="$(osascript -e 'Tell application "System Events" to display dialog "Please Enter your Password:" default answer "" with hidden answer' -e 'text returned of result' 2>/dev/null)"
# Stop if the dialog was cancelled or left empty; sysadminctl would fail anyway.
[ -n "$UserPWD" ] || { echo "No password entered, aborting." >&2; exit 1; }
# Quote both variables: an unquoted password containing spaces would be split into separate arguments.
sysadminctl -adminUser YOURADMINUSER -adminPassword YOURADMINUSERPASSWORD -secureTokenOn "$loggedInUser" -password "$UserPWD"
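
An added example of the same approach, not the poster's script: it prompts the console user in the same way, but first confirms the token is actually missing with `sysadminctl -secureTokenStatus`, validates the typed password with `dscl -authonly` before handing it to sysadminctl, and re-checks the status afterwards. `ADMIN_USER`/`ADMIN_PASS` are placeholders for an admin that already holds a token, and the usernames are constructed.

```bash
#!/bin/bash
# Added example, not the poster's script: prompt the console user, then grant
# with an admin that already holds a token, plus the checks a hardened version
# needs: confirm the token is missing, verify the typed password, quote everything.
# Assumptions: macOS with sysadminctl/osascript/dscl; ADMIN_USER and ADMIN_PASS
# are placeholders for a local admin that already holds a secure token.
ADMIN_USER="YOURADMINUSER"
ADMIN_PASS="YOURADMINUSERPASSWORD"

# Map the line that sysadminctl -secureTokenStatus prints (to stderr) to a word.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  printf 'ENABLED' ;;
    *"Secure token is DISABLED"*) printf 'DISABLED' ;;
    *)                            printf 'UNKNOWN' ;;
  esac
}

token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Refuse empty, root, service (_*) or oddly formed names before they reach privileged tools.
valid_username() {
  case "$1" in
    ""|root|_*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

grant_token_to_console_user() {
  local user pw
  user="$(stat -f %Su /dev/console)"
  valid_username "$user" || { echo "no usable console user: '$user'" >&2; return 1; }
  if [ "$(token_status "$user")" != "DISABLED" ]; then
    echo "$user: token already enabled or status unknown, nothing to do"; return 0
  fi
  pw="$(osascript -e 'tell application "System Events" to display dialog "Please enter your password:" default answer "" with hidden answer' -e 'text returned of result' 2>/dev/null)"
  [ -n "$pw" ] || { echo "dialog cancelled or empty password" >&2; return 1; }
  # Reject a wrong password locally instead of letting sysadminctl fail on it.
  dscl /Local/Default -authonly "$user" "$pw" >/dev/null 2>&1 || { echo "password check failed" >&2; return 1; }
  # Both passwords are command-line arguments, so ps can see them for the duration of the call.
  sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$ADMIN_PASS" \
              -secureTokenOn "$user" -password "$pw" 2>&1
  [ "$(token_status "$user")" = "ENABLED" ]   # succeed only if the grant took effect
}

if [ "${1:-}" = "--grant" ]; then grant_token_to_console_user; fi
```

Run it as `sudo ./script.sh --grant` from a policy that executes while the user is logged in; the functions can also be sourced for testing without touching sysadminctl.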
