Skip to main content
Question

Prestage Enrollment Admin not getting Secure Token

  • September 16, 2021
  • 5 replies
  • 35 views
A
Forum|alt.badge.img+2

Hey All,

 

Going through our provisioning workflow, I chose to create a managed administrator in the Prestage Enrollment and skipping the account creation. We create a generic standard account via policy on Enrollment for the user to run some Self Service items to complete setup. I'm noticing that the managed administrator account we create does not have a Secure Token for some reason. I'm a little confused because I always thought the first admin account created gets a Secure Token. The weird thing is the standard account we create via policy DOES have a secure token. 

 

Any guidance on this? For reference, this is on an M1 machine that we're testing.

 

Thanks!

    5 replies

    M
    Forum|alt.badge.img+23

    macOS Big Sur had a change in how the first SecureToken and cryptographic user attributes are issued. Admin/standard privileges aren't a differentiator anymore either, but rather the first user to log in or have their password set, (like a user created from a policy.)

    From Apple's docs on SecureToken:


    Starting in macOS 11, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in.

    I assume that in your scenario, the policy with the standard user ran before the Managed Admin logged in, and therefore got the first token. If that's not your intent, you may want to adjust and modify your provisioning workflows.

    If you want that Admin account to receive a SecureToken, you can:

    • Log in with the known standard user that has a token through the Login Window
    • macOS will create and escrow a Bootstrap Token with Jamf Pro
    • Log in with the managed admin account through the Login Window, and it will be granted a SecureToken when macOS requests the Bootstrap Token from Jamf

    Hope this helps!

    MacJunior
    Forum|alt.badge.img+9
    • MacJunior
    • Valued Contributor
    • December 15, 2021

    @mark_buffington in our scenario, we create the managed administrator though Prestage enrollment, the end-user create their account via set up assistant "as an admin account" and login so their local account gets a secure token but not our managed administrator ofc, so we use a script that the user has to run from self service to grant a secure token to our managed admin account ... do you think there is something can be done to make it smoother workflow and grant our admin account a secure token without user interaction?? 

    M
    Forum|alt.badge.img+11
    • mwilkerson
    • Contributor
    • February 17, 2022

    @mark_buffington in our scenario, we create the managed administrator though Prestage enrollment, the end-user create their account via set up assistant "as an admin account" and login so their local account gets a secure token but not our managed administrator ofc, so we use a script that the user has to run from self service to grant a secure token to our managed admin account ... do you think there is something can be done to make it smoother workflow and grant our admin account a secure token without user interaction?? 


    @MacJunior Did you ever get a clear solution for this?

    MacJunior
    Forum|alt.badge.img+9
    • MacJunior
    • Valued Contributor
    • February 18, 2022

    @MacJunior Did you ever get a clear solution for this?


    nah we ended up removing the managed administrator account and have only 1 local admin account "end-user's account" .. from security perspective this is better and if we need to reset the password we can use the PRK.

    D
    Forum|alt.badge.img+6
    • djrory
    • Contributor
    • May 19, 2022

    macOS Big Sur had a change in how the first SecureToken and cryptographic user attributes are issued. Admin/standard privileges aren't a differentiator anymore either, but rather the first user to log in or have their password set, (like a user created from a policy.)

    From Apple's docs on SecureToken:


    Starting in macOS 11, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behavior, as previously, granting the first secure token would have required the user account to log in.

    I assume that in your scenario, the policy with the standard user ran before the Managed Admin logged in, and therefore got the first token. If that's not your intent, you may want to adjust and modify your provisioning workflows.

    If you want that Admin account to receive a SecureToken, you can:

    • Log in with the known standard user that has a token through the Login Window
    • macOS will create and escrow a Bootstrap Token with Jamf Pro
    • Log in with the managed admin account through the Login Window, and it will be granted a SecureToken when macOS requests the Bootstrap Token from Jamf

    Hope this helps!


    • Log in with the managed admin account through the Login Window, and it will be granted a SecureToken when macOS requests the Bootstrap Token from Jamf

    This step no longer grants the local admin a SecureToken, is there another way we can make sure our Local Admin account gets a securetoken?

    Terms & ConditionsCookie settingsAccessibility statement