Grant Secure Token to end user

ajanicke
New Contributor III

We seem to be running into an issue with Secure Tokens. Searching has made me realize this is something most people are having difficulty with, but it's usually the Admin account not having a token; ours is sometimes the other way around.

Long story short: a second admin account that was added during the enrollment stage was getting the token, then other users logging into the device would not get a token. This is now really showing itself with updates, and the users get a "You need to be an owner" error.

So I created a script to run from Self Service that just prompts the user for their password, then runs the command and passes the credentials of the Admin with the secure token. However, it always errors out saying the user's password is incorrect, but when I test and run the same thing from the terminal on the test device it works fine. Is there something I'm missing here? Does Apple do something to restrict this kind of access from a script?

#!/bin/bash

# Jamf fills $1-$3 itself ($3 is the logged-in username); $4 and $5 are the
# policy parameters holding the token-holding admin's name and password.
# Prompt the user for their password using AppleScript
osascript <<EOD
set userPass to text returned of (display dialog "Enter your password:" default answer "" with hidden answer)
EOD

# Run sysadminctl
sysadminctl -secureTokenOn $3 -password $userPass -adminUser $4 -adminPassword $5

1 ACCEPTED SOLUTION

ajanicke
New Contributor III

I am severely disappointed in myself. For some reason I thought that in the OSA script, userPass would be honored as a variable in the shell script. It's not; this was a simple fix.

#!/bin/bash

# Prompt the user for their password using AppleScript and store the result in userPass
userPass=$(osascript <<EOD
set userPass to text returned of (display dialog "Enter your password:" default answer "" with hidden answer)
EOD
)

# Run sysadminctl ($3 is the Jamf-supplied username; $4/$5 are the admin credentials from the policy).
# Every argument is quoted so a password containing spaces cannot split into extra flags.
sysadminctl -adminUser "$4" -adminPassword "$5" -secureTokenOn "$3" -password "$userPass"


5 REPLIES

McAwesome
Valued Contributor

Is the Bootstrap Token escrowed to Jamf? If it is, all the user needs to do is sign in to the machine with an internet connection. The Bootstrap Token will handle the rest.

ajanicke
New Contributor III

I get a Yes response to profiles status -type bootstraptoken on the ones that currently have the token enabled. I was hoping to test on a borked device today, but all the tickets came in at once. Hope to do some testing tomorrow.

ajanicke
New Contributor III

I tried on a device where the user does not have a secure token, and it shows DISABLED for the token and NO for the token being escrowed.

dennisnardi
Contributor

I think your formatting might be a bit off? Below is what I've used in similar situations.

## Identify the user at the console (Jamf runs scripts as root, so $USER is not the person logged in)
userName=$(/usr/bin/stat -f%Su /dev/console)

## Get the logged in user's password via a prompt, shown in that user's session
echo "Prompting ${userName} for their login password."
userPass=$(/usr/bin/su - "${userName}" -c /usr/bin/osascript <<EOT
tell application "System Events"
    activate
    set userPass to text returned of (display dialog "Please Input Your Login Password to Fix Account Issues" default answer "" with icon 2 with hidden answer)
end tell
EOT
)

echo "Adding user to FileVault and Granting SecureToken"

## This enables a SecureToken for the user; adminUser/adminPassword must be an
## account that already holds a token. Quoting keeps each value a single argument.
sudo sysadminctl -adminUser "$adminUser" -adminPassword "$adminPassword" -secureTokenOn "$userName" -password "$userPass"

You just need to add your $adminUser and $adminPassword variables. 
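Pulling the thread's pieces together (McAwesome's Bootstrap Token check and dennisnardi's console-user prompt) into one Self Service script, as an added example that is not code from the thread, from Jamf or from Apple: it skips the prompt when the user already holds a token or the Bootstrap Token is escrowed, validates both passwords with dscl before calling sysadminctl so a failure names the account at fault, and confirms the result afterwards. It assumes the policy passes the token-holding admin's name and password as script parameters $4 and $5; the status strings it matches are the wording sysadminctl and profiles print, and the sample output used to exercise the helpers is constructed.

```shell
#!/bin/bash
# Added example, not from the thread: grant a Secure Token to the console user
# from a Jamf Self Service policy. Jamf fills $1-$3 itself; this script ASSUMES
# the policy passes the token-holding admin's name and password as $4 and $5.

# Return 0 when output from `sysadminctl -secureTokenStatus <user>` says the
# token is ENABLED. sysadminctl writes that line to stderr, so capture with 2>&1.
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when output from `profiles status -type bootstraptoken` reports the
# Bootstrap Token escrowed; then a network sign-in alone grants the user a token.
bootstrap_token_escrowed() {
    case "$1" in
        *"Bootstrap Token escrowed to server: YES"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when both admin parameters are present (a policy saved without
# parameters 4 and 5 also surfaces as a "password incorrect" error).
have_admin_params() {
    [ -n "$1" ] && [ -n "$2" ]
}

# Show a hidden-answer dialog inside the console user's GUI session rather than
# root's, and print what was typed. Cancelling makes osascript exit non-zero.
prompt_password() {
    uid=$(/usr/bin/id -u "$1")
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$1" /usr/bin/osascript <<'EOD'
text returned of (display dialog "Enter your login password to enable your Secure Token:" default answer "" with icon caution with hidden answer)
EOD
}

main() {
    adminUser="$4"
    adminPass="$5"
    consoleUser=$(/usr/bin/stat -f%Su /dev/console)

    if ! have_admin_params "$adminUser" "$adminPass"; then
        echo "Policy parameters 4 and 5 (admin name, admin password) are required." >&2
        exit 1
    fi
    case "$consoleUser" in
        ""|root|loginwindow)
            echo "No user logged in at the console; aborting." >&2
            exit 1 ;;
    esac

    if secure_token_enabled "$(/usr/sbin/sysadminctl -secureTokenStatus "$consoleUser" 2>&1)"; then
        echo "$consoleUser already has a Secure Token; nothing to do."
        exit 0
    fi
    if bootstrap_token_escrowed "$(/usr/bin/profiles status -type bootstraptoken 2>&1)"; then
        echo "Bootstrap Token is escrowed; have $consoleUser log out and back in while online."
        exit 0
    fi

    # Check each password with dscl first so the failure names the account at
    # fault instead of sysadminctl's generic error.
    if ! /usr/bin/dscl . -authonly "$adminUser" "$adminPass" 2>/dev/null; then
        echo "Admin credentials for $adminUser were rejected; check parameters 4 and 5." >&2
        exit 1
    fi
    userPass=$(prompt_password "$consoleUser") || { echo "Prompt cancelled."; exit 1; }
    if ! /usr/bin/dscl . -authonly "$consoleUser" "$userPass" 2>/dev/null; then
        echo "Password for $consoleUser was rejected; not calling sysadminctl." >&2
        exit 1
    fi

    # Every argument quoted, so spaces or shell metacharacters in a password
    # cannot split into extra flags.
    /usr/sbin/sysadminctl -adminUser "$adminUser" -adminPassword "$adminPass" \
        -secureTokenOn "$consoleUser" -password "$userPass"

    # Confirm the result instead of trusting the exit status.
    if secure_token_enabled "$(/usr/sbin/sysadminctl -secureTokenStatus "$consoleUser" 2>&1)"; then
        echo "Secure Token enabled for $consoleUser."
    else
        echo "Secure Token is still disabled for $consoleUser." >&2
        exit 1
    fi
}

# Run the procedure only where sysadminctl exists (macOS); the helpers above
# are plain string checks and can be exercised anywhere.
if [ -x /usr/sbin/sysadminctl ]; then
    main "$@"
fi
```

Upload the script to Jamf, set parameters 4 and 5 on the policy to the token-holding admin, and scope it to Self Service; because the dialog is launched with launchctl asuser in the console user's session, it appears even though the policy itself runs as root.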
