Posted on 02-04-2020 09:33 AM
Hey everyone!
I want to roll out FileVault to all my users; however, since they are AD users most of them do not have a secure token. One saving grace is all of our computers do have an account that does have a secure token called ITsystem. Is there a way to use that account to enable the currently logged in user's secure token access without prompting the user? I have found another script that seems to create an admin account, give it a secure token, then ask the user to authenticate, then enable FV. I don't want to do all that, just give the current user a secure token, then I'll handle FV with Jamf.
Thanks!
Posted on 02-04-2020 10:45 AM
You may want to look at the post
https://www.jamf.com/jamf-nation/discussions/27209/script-to-assign-a-secure-token-and-add-user-to-fv2
and / or
https://github.com/TravellingTechGuy/manageSecureTokens/blob/master/manageSecureTokens.sh
The downside of these is putting admin credentials in a script, so I recommend encrypting admin credentials passed via script in Jamf Pro: https://github.com/jamfit/Encrypted-Script-Parameters/blob/master/EncryptedStrings_Bash.sh
Posted on 02-04-2020 11:26 AM
I looked at that, but it asks the user to enter information and it does a lot more than just get the user a secure token.
Posted on 02-04-2020 11:57 AM
What you're asking for isn't possible. To grant a SecureToken to an account requires prompting to enter the password for that account or knowing the password and adding it to the shell command that tries to grant the token. IOW, you can't give a secure token to an account silently without having the password for the account in the first place. Apple designed it this way on purpose since those tokens allow accounts to be added to the list of FV2 enabled users, which in turn gives that account access to log in to an encrypted machine.
You will have to prompt users for their password most likely, as I'm guessing you don't know the password of all your AD users.
Posted on 11-19-2020 02:45 PM
mm2270 is correct, you cannot provide a Secure Token to another user without utilizing the credentials from another account that has a Secure Token. If you have a DEP environment w/o AD the first account created will have the Secure Token. Our environment requires that our Macs bind to AD. The mobile accounts also have their passwords changed often meaning they have to update their FileVault password on the machine. They do this from another machine often so I set up a self help policy in Self-Service to do this. It does require that you have an admin account with a secure token.
https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh
Posted on 04-30-2021 02:20 AM
Hi Dylan_YYC
Can you share what the resolution was here?
Posted on 04-30-2021 10:53 AM
Hi user-OHTrLNQCsZ,
To pass a secure token you will need to utilize an account that already has a secure token. The only other alternative is when you are first setting up the Mac. The account you make with the setup wizard will have a secure token automatically.
Posted on 05-04-2021 05:21 PM
@daveyboy If I have an admin account that has a secure token, what would be the best way to pass that on to the other user account that doesn't? Would you suggest using this script: https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh
Posted on 05-05-2021 05:27 PM
Hi Upkeepjc,
That will work just fine if you have the ability to place it into your JSS and change the admin variables. You can also remote into the user's machine and run this command in the terminal. It will have an interactive GUI (sort of) so you won't need to enter the password into the command.
sudo sysadminctl interactive -secureTokenOn [usernameOfEndUser] -password -
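An added example, not from this thread or any of the linked scripts: a Jamf-style script that uses an existing token-holding admin account (the ITsystem account from the question) to grant a SecureToken to the logged-in user. It assumes the Jamf convention of script parameters $4 (admin user) and $5 (admin password), which should be passed encrypted as suggested above, and, as mm2270 explains, still has to ask the end user for their own password.

```bash
#!/bin/bash
# Added example: grant a SecureToken to the console user via a token-holding
# admin account. Assumes Jamf parameters $4 = admin user, $5 = admin password.
set -u

# Parse `sysadminctl -secureTokenStatus <user>` output, which goes to stderr
# as "sysadminctl[PID] Secure token is ENABLED for user Foo". Echoes on/off.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "on" ;;
        *"Secure token is DISABLED"*) echo "off" ;;
        *)                            echo "unknown" ;;
    esac
}

# User currently owning the console, i.e. the logged-in GUI user.
console_user() {
    stat -f '%Su' /dev/console
}

# Ask the logged-in user for their password with a hidden-answer dialog.
ask_password() {
    osascript -e 'display dialog "Enter your Mac login password to enable FileVault access:" default answer "" with hidden answer buttons {"OK"} default button 1' \
              -e 'text returned of result'
}

grant_token() {
    admin_user="$1"; admin_pass="$2"; target="$3"
    state=$(token_state "$(sysadminctl -secureTokenStatus "$target" 2>&1)")
    if [ "$state" = "on" ]; then
        echo "SecureToken already enabled for $target"; return 0
    fi
    user_pass=$(ask_password) || { echo "User cancelled the prompt"; return 1; }
    # The admin credentials authorize the grant; the target's own password is
    # what gets wrapped into the new token, so it cannot be omitted.
    sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pass" \
                -secureTokenOn "$target" -password "$user_pass" 2>&1
    # Re-check the status instead of trusting the exit code.
    [ "$(token_state "$(sysadminctl -secureTokenStatus "$target" 2>&1)")" = "on" ]
}

# Only act on macOS when invoked with Jamf parameters; the functions above
# stay usable on their own otherwise.
if [ "$(uname -s)" = "Darwin" ] && [ $# -ge 5 ]; then
    grant_token "$4" "$5" "$(console_user)"
fi
```

Run it as a Jamf policy so it executes as root; the status re-check at the end lets an Extension Attribute or a follow-up FileVault policy rely on the result.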