Posted on 02-18-2020 12:30 AM
I am encountering the following problem:
When enrolling a MacBook Pro (10.15.3) using the pre-stage enrollment I end up with 2 users:
501 - jamfAdmin (configured in the pre-stage enrollment payload)
502 - local admin (configured manually during Setup)
The problem is that neither of these users has a secure token.
Trying to grant my local admin a secure token does not work either, as the local admin does not have a secure token to unlock with.
According to the following blog post: https://travellingtechguy.eu/macos-catalina-secure-tokens-part-1-local-accounts/
my created user should get a secure token.
Is anybody else experiencing the same problem, or has some insight as to why this issue is occurring?
Posted on 02-18-2020 12:49 AM
Hi Zurbrügg
Have you tried skipping the "Account Settings" pane in PreStage Enrollment? JamfAdmin will be created anyway. I had a similar problem with Jamfcloud 10.18.
Posted on 02-18-2020 01:02 AM
Hi Karsten, yes, I have tried "Skip Account Creation". This then puts me in the situation where the JamfAdmin account is created and no other account. The problem is that I don't have access to the JamfAdmin account, as we configured the management account to be created with a random and unique password. So, unfortunately, this is not an option :(
Posted on 02-18-2020 05:58 AM
I have seen situations where you get a "false positive", or is it a "false negative"? Basically, no users appear to have a token, but when you attempt to enable FV while logged into the account created during Setup Assistant, that user actually does get a token granted. You should be able to use this command to determine if any users are enabled as crypto users:
diskutil apfs listCryptoUsers /
This should allow the user to be enabled for FV, which grants the user a token.
I found that command, along with this one, to be extremely useful in our troubleshooting efforts:
sudo fdesetup list -extended
Both of those came from this article: Apple releases long-awaited SecureToken documentation
Posted on 02-18-2020 01:39 PM
Hi, do you have "Pre-fill primary account information" ticked? If so, untick it.
Posted on 02-19-2020 07:23 AM
Which account does have a Secure Token? Run the commands below to find out:
List accounts by GeneratedUID: dscl . list /Users GeneratedUID
List users with a Secure Token (use the GUID from above to identify them): diskutil apfs listcryptousers /
This might help you narrow down the problem.
Posted on 02-21-2020 08:29 AM
Hi, thank you all for helping me out. I am pretty sure that I was able to isolate the problem.
It is as follows:
If you wipe the Mac and perform an installation of Catalina using network recovery, everything works: a user is created with a secure token, all is fine. (Pre-fill primary account information had no effect; I got the same behaviour with it enabled and disabled.)
Now, since I was testing the prestage enrollment, I created a Time Machine snapshot during the initial setup, before selecting the setup language. I then used this snapshot as a restore point, so I wouldn't always have to reinstall the whole OS just to test the process.
After extensive testing (hence why it took me so long to respond, sorry) I can consistently reproduce the behaviour of having no user with a secure token, but only when restoring from the Time Machine snapshot.
My conclusion is that when restoring this Time Machine backup, something gets messed up in the way users are given a secure token.
Another side effect: often (not always) the user creation would come back with an error when creating the user. The fix for the side effect was to perform an SMC and PRAM/NVRAM reset; then the user creation would work.
Posted on 02-21-2020 08:39 AM
For completeness, here is the output of all the commands you guys asked me to run:
(Thanks again for the help)
roro@MacBook-Pro ~ % diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5 (2 found)
|
+-- 8E36EBE6-F590-46F2-B472-57182A7AE05C
| Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
Type: MDM Bootstrap Token External Key
roro@MacBook-Pro ~ % sudo fdesetup list -extended
ESCROW UUID TYPE USER
8E36EBE6-F590-46F2-B472-57182A7AE05C Unknown User
2457711A-523C-4604-B75A-F48A571D5036 Bootstrap Token
roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID
_amavisd FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000053
_analyticsd FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000107
…
daemon FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000001
jamf 618AB5E4-5A2B-4BF4-8E95-63C69EDE1DD7
nobody FFFFEEEE-DDDD-CCCC-BBBB-AAAAFFFFFFFE
root FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
roro 8C509048-2940-49B0-9763-C28C5CAA7C7F
roro@MacBook-Pro ~ % diskutil apfs listcryptousers /
Cryptographic users for disk1s5 (2 found)
|
+-- 8E36EBE6-F590-46F2-B472-57182A7AE05C
| Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
Type: MDM Bootstrap Token External Key
roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID | grep 8E36EBE6-F590-46F2-B472-57182A7AE05C
roro@MacBook-Pro ~ % dscl . list /Users GeneratedUID | grep 2457711A-523C-4604-B75A-F48A571D5036
roro@MacBook-Pro ~ %
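The two checks suggested earlier in the thread (dscl . list /Users GeneratedUID and diskutil apfs listCryptoUsers /) have to be cross-referenced by hand, and the output pasted above shows why that matters: the only "Local Open Directory User" crypto user has a GUID that no current account carries, so no login account actually holds a SecureToken. The script below is an added example, not code from the thread or from Jamf/Apple. It parses both command outputs and reports token holders, orphaned crypto users, regular accounts without a token, and whether the MDM bootstrap token is present. The sample outputs embedded in it are constructed from the session pasted above so it runs without a Mac; on macOS it reads the live commands instead.

```shell
#!/bin/bash
# Added example: cross-reference `dscl . list /Users GeneratedUID` with
# `diskutil apfs listCryptoUsers /` to see which accounts really hold a SecureToken.

# Constructed sample of `dscl . list /Users GeneratedUID` (abridged from the thread).
SAMPLE_DSCL='_amavisd FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000053
daemon FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000001
jamf 618AB5E4-5A2B-4BF4-8E95-63C69EDE1DD7
root FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
roro 8C509048-2940-49B0-9763-C28C5CAA7C7F'

# Constructed sample of `diskutil apfs listCryptoUsers /` (from the thread).
SAMPLE_CRYPTO='Cryptographic users for disk1s5 (2 found)
|
+-- 8E36EBE6-F590-46F2-B472-57182A7AE05C
|   Type: Local Open Directory User
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
    Type: MDM Bootstrap Token External Key'

# crypto_users_of_type <type> <listCryptoUsers output>
# Prints the UUID of every crypto user whose "Type:" line equals <type>.
crypto_users_of_type() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^\+-- / { uuid = $2; next }
    /Type:/  { sub(/^.*Type: */, ""); if ($0 == want) print uuid }'
}

# token_report <dscl output> <listCryptoUsers output>
# One line per "Local Open Directory User" crypto user:
#   "TOKEN <account> <uuid>" when an account carries that GeneratedUID
#   "ORPHAN <uuid>"          when no account does (the situation in the thread)
token_report() {
  local dscl_out="$1" crypto_out="$2" uuid name
  for uuid in $(crypto_users_of_type "Local Open Directory User" "$crypto_out"); do
    name=$(printf '%s\n' "$dscl_out" | awk -v u="$uuid" 'toupper($2) == toupper(u) { print $1 }')
    if [ -n "$name" ]; then
      printf 'TOKEN %s %s\n' "$name" "$uuid"
    else
      printf 'ORPHAN %s\n' "$uuid"
    fi
  done
}

# accounts_without_token <dscl output> <listCryptoUsers output>
# Prints each non-system account (skips _* service accounts, root, daemon, nobody)
# whose GeneratedUID is not a token holder.
accounts_without_token() {
  local holders
  holders=$(crypto_users_of_type "Local Open Directory User" "$2")
  printf '%s\n' "$1" | awk -v h="$holders" '
    BEGIN { n = split(h, a); for (i = 1; i <= n; i++) held[toupper(a[i])] = 1 }
    $1 ~ /^_/ || $1 == "root" || $1 == "daemon" || $1 == "nobody" { next }
    !(toupper($2) in held) { print $1 }'
}

# bootstrap_token_present <listCryptoUsers output>: exit 0 if an MDM bootstrap token exists.
bootstrap_token_present() {
  [ -n "$(crypto_users_of_type "MDM Bootstrap Token External Key" "$1")" ]
}

main() {
  local dscl_out crypto_out
  if command -v dscl >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    dscl_out=$(dscl . list /Users GeneratedUID)            # live data on macOS
    crypto_out=$(diskutil apfs listCryptoUsers /)
  else
    dscl_out=$SAMPLE_DSCL; crypto_out=$SAMPLE_CRYPTO      # constructed sample elsewhere
  fi
  echo "== SecureToken holders / orphans =="; token_report "$dscl_out" "$crypto_out"
  echo "== Accounts without a token =="; accounts_without_token "$dscl_out" "$crypto_out"
  if bootstrap_token_present "$crypto_out"; then echo "Bootstrap token: present"
  else echo "Bootstrap token: absent"; fi
}
main "$@"
```

On the thread's data the report prints an ORPHAN line for 8E36EBE6-F590-46F2-B472-57182A7AE05C and lists both jamf and roro as accounts without a token, which is exactly the state a restored snapshot left the machine in: a bootstrap token is escrowed, but no login account can unlock the volume or grant tokens to others.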