M1 SecureToken Assistance

Contributor III

Hello Team,

As the tittle states, I am having a really big problem with getting a secure token for any of the accounts on the machine. Whats happening is after Enrollment the first account that logs into the machine is a Mobile, Active Directory account. On the Intel machines usually this account has a secure token and it is able to Enable FileVault at logout. But for some reason on the M1 machines the game changes after enrollment NONE of the accounts are getting secure tokens and I am unable to Enable FileVault. This has been a giant PITA for me and could use the someone's expertise on the matter I have a ticket open with support for a best practice scenario but figured the JAMF Nation might have a possible solution. I have read all the TravellingTechGuy articles and most of all that testing was done on Intel machines. Reaching out to "TravellingTechGuy" he said he was going to test it and get back to me. Does anyone have any experience with this situation that could assist me on a successful M1 Enrollment.



A couple thoughts.  1.  The first account that logs in should be an admin account.   My workflow has us creating a local admin account.  Log in with that local account and it gets a secure token.  Then any other admin accounts gets a secure token.  Alternatively, you can first logon as the jamf managed account.

2.  Be careful how you wipe and reload the Mac.  In my experience, if I just erase the drive, I often do not get secure tokens.   I've duplicated this more than once.  Click on the drive and hit the minus button and delete the volume.  This will reactivate the Mac.   When I do it this way, I don't have secure token issues.


3.  I'm assuming this is the latest JaMF such as JAMF cloud because the earlier versions don't seem to have this ability or it was added in later versions

Contributor III

Thanks for the wiping part I had no idea the M1's need to be wiped this way.


We don't login with the admin account because the first account that should login to the machine should be the Mobile AD account which I have a script that at login will then promote the user to Mobile, Admin. 

Valued Contributor

I also make a local admin account, which is the first account to be logged in to on the Mac. The first account also needs to be set to have an ID number of 501, 502, 503. Your normal first set up admin account on a home Mac will be 501. Although your Jamf management account might take that ID. If you hide the account by giving it an ID in the 400's it will not get a secure token at all.

Our process here is to Run through the enrolment, which makes the local Admin account as well. once the Mac is completed with the enrolment process, we log in with our local admin account, and then log out and walk away from the Mac. Jamf will install all of the required Apps, and we are now in control of the master secure token account.

Contributor III

I added a policy to Bind the machine to AD using JAMF let me see if this time around the mobile AD account gets a securetoken.