Posted on 04-16-2019 09:06 AM
Hello,
I need your help because FileVault will drive me crazy.
We have about 1300 Macs (10.11.x to 10.14.x)
We have only AD accounts (without admin permissions) and the only local admin account is the one that is used for Jamf management.
FileVault is not enabled and the only Secure Token account existing on macOS 10.13.4+ is the Jamf management account.
I need to be able to enable FileVault and do it as silently as possible for the end user.
I have read dozens of documents, including:
FileVault-on-macOS-10.14-or-Later
FileVault-on-macOS-10.11-10.12
But I cannot do anything ...
Errors, FileVault not enabled, ...
Please, can you point me to the best way to proceed?
Thank you for your help
Posted on 04-16-2019 12:05 PM
Check out some of the updates regarding secureToken and FileVault in this article: https://travellingtechguy.eu/mojave-10-14-2-and-secure-tokens-it-works/
Posted on 04-17-2019 12:34 AM
Hello,
Thank you for your reply,
Indeed, I already read this article (very interesting).
Today I have workstations on which the only Secure Token account existing on macOS 10.13.4+ is the Jamf management account.
The rest are AD accounts, so they do not have a Secure Token.
As I understand it, enabling FileVault for the management account does not work or is not recommended.
So how can I do this without having to physically go to every computer to create another local account?
It seems very complicated to me ...
Thanks
Posted on 04-17-2019 12:55 AM
Does the management account have a secure token?
If you run: sysadminctl -secureTokenStatus username_goes_here
and it does indeed have a secure token, I can help you with a script that will enable FileVault without administrator intervention.
Posted on 04-17-2019 01:12 AM
Hello @kerouak
Thank you for taking the time to respond.
Yes, I confirm that my Jamf management account has a Secure Token (I had created an extension attribute to list the Secure Token accounts on 10.13.4+ computers).
I am interested in your solution if it does not take you too much time to share your script.
Thank you,
Posted on 04-17-2019 01:56 AM
drop me an email and I'll send you details
r.mcandrew@arts.ac.uk
Posted on 04-17-2019 06:48 AM
Thanks for your help and thanks @kerouak, your script works very well.
Now I just have to get approval from my management for temporarily having the admin account password in clear text in order to set up this workflow.
But if there are no other solutions, I think we will have no choice.
Thanks
Posted on 04-17-2019 07:16 AM
@glpi-ios can you post the script? You do not have to put the password in clear text - you can use encrypted strings - https://github.com/jamf/Encrypted-Script-Parameters
Posted on 04-17-2019 07:36 AM
@bwiessner it's not in the script, it's in the JSS
Posted on 04-17-2019 07:39 AM
@bwiessner The script belongs to @kerouak; I would prefer that he be the one to make the script public if he considers it necessary.
In fact, the script generates a .plist file in /private/tmp, which exists for a few seconds and contains the admin login and password in clear text.
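
One way to limit the exposure of the short-lived credentials file described in the last post, as an added example that is not part of the thread and is not @kerouak's script: the plist is written with mode 600 inside a private mode-700 directory instead of a predictable path directly under /private/tmp, and is removed on exit. It assumes the consumer is `fdesetup enable -inputplist` (the thread does not show the script); the function names, the `fvcred` prefix and the variable names are hypothetical.

```shell
#!/bin/sh
# Added example: short-lived credentials plist that other local users cannot read.
# Username/Password are the key names of the fdesetup -inputplist format (assumed consumer).

# Escape the characters that would break a plist <string> element.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the credentials plist on stdout: $1 = user name, $2 = password.
cred_plist_xml() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Write the plist into a fresh private directory and print its path.
# The body runs in a subshell, so the umask change does not leak to the caller.
make_cred_plist() (
    umask 077                                   # new files 600, new dirs 700
    dir=$(mktemp -d "${TMPDIR:-/tmp}/fvcred.XXXXXXXX") || exit 1
    cred_plist_xml "$1" "$2" > "$dir/input.plist" || exit 1
    printf '%s\n' "$dir/input.plist"
)

# Remove the private directory; refuses any path this script did not create.
cleanup_cred_plist() {
    cred_dir=$(dirname "$1")
    case "$cred_dir" in
        */fvcred.*) rm -rf "$cred_dir" ;;
        *) return 1 ;;
    esac
}

# Usage on a managed Mac (commented out; ADMIN_USER/ADMIN_PASS are hypothetical):
#   plist=$(make_cred_plist "$ADMIN_USER" "$ADMIN_PASS")
#   trap 'cleanup_cred_plist "$plist"' EXIT
#   fdesetup enable -inputplist < "$plist"
# Since -inputplist reads stdin, the file can be skipped entirely:
#   cred_plist_xml "$ADMIN_USER" "$ADMIN_PASS" | fdesetup enable -inputplist
```

The password still reaches the script in some form, so this narrows who can read the temporary file but does not replace protecting the policy parameter itself.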