Enable secure token for local admin

Eskobar
Contributor
Hello everyone,

I have noticed that our Macs' local admin account has secure token disabled. Standard accounts are not admin and have secure token enabled.

I wonder if I can push a script to logged-in accounts to enable secure token for local accounts.

I ran the below command locally:
sudo sysadminctl -secureTokenOn "username" -password "password" -adminUser "username" -adminPassword "password"

Got error:
2023-04-24 11:37:52.233 sysadminctl[2349:18595] ### Error:-14090 File:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/Admin_sysadminctl/addremoveuser/main.m Line:377
2023-04-24 11:37:52.234 sysadminctl[2349:18595] Operation is not permitted without secure token unlock.

Grant standard account admin rights: same.

Any idea?

rhoward
Contributor

In order to give your users secure token rights it will either require user interaction or for you to know their passwords. We use something like this with user interaction:

#!/bin/bash

###############################################################################################################
## This script will enable the Secure Token on LDAP accounts on Macs with an account that has a Secure Token ##
## This will only work if the LDAP user is logged in, and requires user interaction to enter their password  ##
###############################################################################################################

# Account that currently owns the console session (the logged-in LDAP user)
loggedInUser=$(stat -f %Su /dev/console)

# Prompt the user for their own password via a hidden-answer dialog
UserPWD="$(osascript -e 'Tell application "System Events" to display dialog "Please Enter your Password:" default answer "" with hidden answer' -e 'text returned of result' 2>/dev/null)"

# Abort if the dialog was cancelled or left empty instead of calling sysadminctl with a blank password
if [ -z "$UserPWD" ]; then
    echo "No password entered; aborting." >&2
    exit 1
fi

# The admin account named here must already hold a Secure Token. Variables are quoted so that
# usernames or passwords containing spaces are passed to sysadminctl as single arguments.
sysadminctl -adminUser "YOURADMINUSER" -adminPassword "YOURADMINSUSERPASSWORD" -secureTokenOn "$loggedInUser" -password "$UserPWD"
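The same grant, as an added example that is not the reply's script, with a pre-check that explains the -14090 error in the question: the account passed as -adminUser must itself already hold a secure token, and the target must not. The function names, the prompt texts and the assumed output format of `sysadminctl -secureTokenStatus` ("Secure token is ENABLED/DISABLED for user ...") are my assumptions, not from the thread.

```shell
#!/bin/bash
# Added example, not the poster's script. Assumes sysadminctl -secureTokenStatus
# prints "Secure token is ENABLED for user <name>" or "... DISABLED ..." (assumed format).

# Classify one captured line of `sysadminctl -secureTokenStatus` output.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Live query of a local account's token state (macOS only; sysadminctl writes to stderr).
secure_token_status() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Granting only works when the unlocking admin already holds a token and the
# target does not; an admin without one is what produces the -14090
# "not permitted without secure token unlock" error shown in the question.
can_grant() {  # $1 = admin state, $2 = target state
  [ "$1" = ENABLED ] && [ "$2" = DISABLED ]
}

# Hidden-answer dialog; the password is returned on stdout and never logged.
prompt_password() {
  osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer)" 2>/dev/null
}

main() {
  admin_user="${1:?usage: $0 <admin account that already holds a secure token>}"
  target_user="$(stat -f %Su /dev/console)"
  admin_state="$(secure_token_status "$admin_user")"
  target_state="$(secure_token_status "$target_user")"
  if ! can_grant "$admin_state" "$target_state"; then
    echo "admin=$admin_state target=$target_state: cannot grant" >&2
    exit 1
  fi
  admin_pw="$(prompt_password "Password for $admin_user:")" || exit 1
  user_pw="$(prompt_password "Password for $target_user:")" || exit 1
  # Caveat: both secrets are command-line arguments, visible to `ps` while sysadminctl runs.
  sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pw" \
              -secureTokenOn "$target_user" -password "$user_pw"
  unset admin_pw user_pw
  echo "$target_user: $(secure_token_status "$target_user")"
}

if command -v sysadminctl >/dev/null 2>&1; then main "$@"; fi
```

Run it as `sudo ./grant_token.sh <admin-with-token>` on the Mac where the target user is logged in; the final line prints the target's post-grant state so the result can be verified in the same run.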