Give secure token to logged in user

Dylan_YYC
Contributor III

Hey everyone!
I want to roll out FileVault to all my users, however since they are AD users most of them do not have a secure token. One saving grace is all of our computers do have an account that does have a secure token called ITsystem. Is there a way to use that account to enable the currently logged in user secure token access without prompting the user? I have found another script that seems to create an admin account, give secure token, then asks the user to authenticate, then it enables FV. I don't want to do all that, just give the current user a secure token then I'll handle FV with Jamf.

Thanks!


burdett
Contributor II

You may want to look at the post
https://www.jamf.com/jamf-nation/discussions/27209/script-to-assign-a-secure-token-and-add-user-to-fv2
and / or https://github.com/TravellingTechGuy/manageSecureTokens/blob/master/manageSecureTokens.sh

The downside of these is putting admin credentials in a script, so I recommend "Encrypt Admin credentials passed via script in Jamf Pro": https://github.com/jamfit/Encrypted-Script-Parameters/blob/master/EncryptedStrings_Bash.sh

Dylan_YYC
Contributor III

I looked at that but it asks for the user to enter information and it does a lot more than just get the user a secure token.

mm2270
Legendary Contributor III

What you're asking for isn't possible. To grant a SecureToken to an account requires prompting to enter the password for that account or knowing the password and adding it to the shell command that tries to grant the token. IOW, you can't give a secure token to an account silently without having the password for the account in the first place. Apple designed it this way on purpose since those tokens allow accounts to be added to the list of FV2 enabled users, which in turn gives that account access to log in to an encrypted machine.

You will have to prompt users for their password most likely, as I'm guessing you don't know the password of all your AD users.

daveyboy
New Contributor II

mm2270 is correct, you cannot provide a Secure Token to another user without utilizing the credentials from another account that has a Secure Token. If you have a DEP environment w/o AD the first account created will have the Secure Token. Our environment requires that our Macs bind to AD. The mobile accounts also have their passwords changed often meaning they have to update their FileVault password on the machine. They do this from another machine often so I set up a self help policy in Self-Service to do this. It does require that you have an admin account with a secure token.

https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh

user-OHTrLNQCsZ
New Contributor III

Hi Dylan_YYC

Can you share what the resolution was here?

daveyboy
New Contributor II

Hi user-OHTrLNQCsZ,

To pass a secure token you will need to utilize an account that already has a secure token. The only other alternative is when you are first setting up the Mac. The account you make with the setup wizard will have a secure token automatically.

upkeepjc
New Contributor

@daveyboy If I have an admin account that has a secure token, what would be the best way to pass that on to the other user account that doesn't? Would you suggest using this script: https://github.com/daveyboymath/Jamf/blob/MacOS/PassSecureToken.sh

daveyboy
New Contributor II

Hi Upkeepjc,

That will work just fine if you have the ability to place it into your JSS and change the admin variables. You can also remote into the user's machine and run this command in the terminal. It will have an interactive GUI (sort of) so you won't need to enter the password into the command.

sudo sysadminctl interactive -secureTokenOn [usernameOfEndUser] -password -
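An added example, not part of the thread or of any of the linked scripts: a small script that checks whether the console user already holds a SecureToken and, only when it is disabled, runs the interactive command from daveyboy's reply so that neither the admin nor the user password lands on the command line. The stderr message format it parses ("Secure token is ENABLED/DISABLED for user …") and the use of /dev/console ownership to find the logged-in user are assumptions, not taken from the thread.

```shell
#!/bin/bash
# Added example (macOS only): report the console user's SecureToken status and grant
# one interactively if it is missing. The message format parsed below is assumed
# from sysadminctl's stderr output and is not something the thread documents.

# Classify a `sysadminctl -secureTokenStatus` message as enabled/disabled/unknown.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Owner of /dev/console is the user at the console; empty when nobody is logged in.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Query the live status; sysadminctl prints the message to stderr, hence 2>&1.
token_status_for() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# The command from daveyboy's reply: admin credentials come from the authorization
# dialog and the user's password is prompted at the terminal, so no secret is
# visible in `ps` output or shell history.
grant_token_interactive() {
    sudo sysadminctl interactive -secureTokenOn "$1" -password -
}

main() {
    user=$(console_user)
    [ -n "$user" ] && [ "$user" != root ] || { echo "no console user" >&2; return 1; }
    status=$(token_status_for "$user")
    echo "$user: secure token $status"
    if [ "$status" = disabled ]; then
        grant_token_interactive "$user"
        echo "$user: secure token now $(token_status_for "$user")"
    fi
}

# Only run the live checks where sysadminctl exists (i.e. on macOS).
if command -v sysadminctl >/dev/null 2>&1; then
    main
fi
```

Run it from a Jamf policy or an admin shell on the Mac in question; on a non-macOS host it only defines the functions and exits without doing anything.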