Local accounts created using policy is not working

sayr01
New Contributor II

Hi Everyone,

Local accounts created using the local account policy do not seem to work on Catalina. The policy runs and creates the account fine; however, it does not show on the login screen and just shakes if you try to log in using Other.

Has anyone else come across this issue?

Thanks

1 REPLY

Tribruin
Valued Contributor

It sounds like you are trying to log in at the FileVault screen. Accounts created by Jamf are not granted a Secure Token. Until they have been granted a Secure Token, they cannot unlock the drive.

To give a Secure Token to an account you need to do one of three things:

  • The first account created at Setup is automatically granted a secure token. (Assuming you don't skip account creation as part of your enrollment Prestage)
  • Any account authenticated at the macOS login screen (not the FV login screen) will be granted a Secure Token on first login. If you created an account via Jamf, you would have to log out of the current user and log in as the new user to get the Secure Token. (Note: This also works for accounts created by alternative login screens, like Jamf Connect.) This does require the computer to have a bootstrap token escrowed to Jamf. But that is normally the case now with Big Sur and Monterey.
  • You can use the sysadminctl command line command to give a secure token, but you must use the account of an existing secure token holder to do that. There are scripts that will prompt the user for their password and then use that to run the command. 

Unfortunately, there is no easy way without some user involvement. 

I will raise this question. Why do you need an account created by Jamf to have an ST? Most of the time, when I have seen accounts created by Jamf, it is for a "backdoor" tech account. It is considered bad security to give a general use account a Secure Token (unless you are using something like LAPS to have individual passwords for each computer). If that password was ever compromised, your whole fleet would be accessible to a bad actor.
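The sysadminctl route from the reply above, written out as an added bash example that is not part of the original thread and not Jamf's own code. It assumes (hypothetically) that the Jamf-created account's name and password arrive as script parameters $4 and $5, and that the user currently logged in at the console already holds a Secure Token and can be prompted for their password. The status-parsing function is separated out so the decision logic can be checked without a Mac.

```bash
#!/bin/bash
# Added example (not from the original post): a Jamf policy script that grants a
# Secure Token to a local account Jamf created, using the credentials of an
# existing token holder (the logged-in user), as described in the reply above.
#
# Assumptions (hypothetical, adjust to your environment):
#   $4 = name of the Jamf-created account that needs the token
#   $5 = that account's password (sysadminctl needs it for -secureTokenOn)
#   The console user already holds a Secure Token and is prompted via osascript.
set -eu

# `sysadminctl -secureTokenStatus <user>` prints one line on stderr, e.g.
#   2024-05-01 sysadminctl[812:9921] Secure token is ENABLED for user alice
# Return 0 for ENABLED, 1 for DISABLED, 2 for anything unrecognised (unknown user).
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  return 0 ;;
    *"Secure token is DISABLED"*) return 1 ;;
    *)                            return 2 ;;
  esac
}

token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

console_user() {
  stat -f '%Su' /dev/console
}

prompt_password() {
  # $1 = account being asked, $2 = account that will receive the token
  osascript \
    -e "display dialog \"Enter the password for $1 to grant a Secure Token to $2.\" default answer \"\" with hidden answer" \
    -e 'text returned of result'
}

grant_token() {
  # $1 holder, $2 holder password, $3 target, $4 target password.
  # Caveat: sysadminctl takes both passwords as arguments, so they are briefly
  # visible in the process list; never echo or log them. Success is verified
  # afterwards by re-reading the token status rather than trusting the exit code.
  sysadminctl -adminUser "$1" -adminPassword "$2" \
              -secureTokenOn "$3" -password "$4" >/dev/null 2>&1 || true
}

main() {
  target="$1"; target_pw="$2"
  holder="$(console_user)"

  if [ -z "$holder" ] || [ "$holder" = "root" ]; then
    echo "No user logged in at the console; cannot prompt a token holder." >&2
    exit 1
  fi

  rc=0; token_status "$target" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "$target already has a Secure Token."
    exit 0
  fi

  rc=0; token_status "$holder" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$holder does not hold a Secure Token; nothing to grant from." >&2
    exit 1
  fi

  holder_pw="$(prompt_password "$holder" "$target")"
  grant_token "$holder" "$holder_pw" "$target" "$target_pw"
  unset holder_pw

  rc=0; token_status "$target" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "Secure Token granted to $target."
  else
    echo "Failed to grant a Secure Token to $target (wrong holder password?)." >&2
    exit 1
  fi
}

# Jamf passes script parameters starting at $4; do nothing when run without them.
if [ -n "${4:-}" ]; then
  main "$4" "${5:-}"
fi
```

Because the target account's password has to be supplied to -secureTokenOn, this only makes sense for an account whose password is already known to the admin, such as a tech account managed by LAPS; handing a shared, fleet-wide password a Secure Token is exactly the risk the reply warns about.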