I've been struggling a bit to make sense of, and build a workflow around, the secure token change and user creation/FV2 enabling. The workflow in my environment traditionally used a script with dscl commands, or createuser.py, to create our local admin account. The local admin account initiated FV2, then AD users logged in and we enabled them for FV2. This workflow is now extinct.
I'm creating a dummy account on the computer; then, on enrollment, a script runs sysadminctl commands to create my local account, which prompts for GUI authentication from my dummy account. This grants my local admin account a secure token and the ability to manage FV2. I can then delete the dummy account from the machine.
I created another script for Self Service that assigns a secure token to a user and enables them to unlock FV2, using some user input.
I'm very much a novice at bash, so my scripts are probably not the best, but with very little posted about secure tokens I figured I'd share and maybe help a few folks.
The script below creates my local admin account and enables it for ARD. A GUI authentication window will pop up, and you will have to enter the credentials of a user with a secure token for this to work correctly.
#!/bin/bash
#Created by Dennis Nardi on 2/20/18
acct='YOUR LOCAL ADMIN'               # short name of the local admin account
acctname='LONG NAME OF LOCAL ADMIN'   # full name shown at the login window
pass='LOCAL ADMIN PASSWORD'           # placeholder; note the password sits in clear text in this script
pict="/PATH/TO/PICTURE.EXT"
# Create Admin Account. "interactive" makes sysadminctl pop up the GUI prompt for
# the credentials of a user that already holds a secure token, which is what gives
# the new admin a token too. sysadminctl reports on stderr, so capture 2>&1.
createacct=$(sudo sysadminctl interactive -addUser "$acct" -password "$pass" -admin -UID 81 -fullName "$acctname" -hint love -picture "$pict" 2>&1)
if [[ $createacct == *[Ee]rror* ]]; then
    echo "Error: Unable to create $acct account: $createacct"
    exit 1
else
    # Enable Remote Management (ARD) for the new account only
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users "$acct" -access -on -privs -all -allowAccessFor -specifiedUsers -users "$acct" -clientopts -setmenuextra -menuextra yes -quiet
    printf '%s Done! Created %s in /Users/%s.\n' "$createacct" "$acctname" "$acct"
fi
exit 0
The script below is what I have in Self Service and run to give a user a secure token and enable them for FV2. I have to do this because AD users are not automatically given secure tokens. I intended to make this script only runnable from my local admin account, but it appears to work under any account as long as the credentials of your local admin account with a secure token are entered when GUI authentication is required. This script pops up dialogs prompting for the username and password.
#!/bin/sh
# Enable User For FileVault.sh
#
# Created by Dennis Nardi on 2/20/18.
#
# Requires the expect command (/usr/bin/expect ships with macOS).
curUser=$(/usr/bin/stat -f%Su /dev/console)              # user at the console; must be the FV2-enabled admin with a secure token
curPass='PASSWORD FOR ADMIN ACCOUNT WITH SECURE TOKEN'   # placeholder; stored in clear text in this script
## Get the desired user's account
echo "Prompting ${curUser} for the desired user to enable for FV2."
Newuser="$(/usr/bin/osascript -e 'tell current application to display dialog "Please enter the desired user to enable for FV2:" default answer "" with title "Window Title" buttons {"OK"} default button 1' -e 'text returned of result')"
## Get the desired user's password ("with hidden answer" masks the typing)
echo "Prompting ${curUser} for the password for desired user to enable for FV2."
NewuserPass="$(/usr/bin/osascript -e 'tell current application to display dialog "Please enter the password for the desired user:" default answer "" with title "Window Title" buttons {"OK"} default button 1 with hidden answer' -e 'text returned of result')"
## Sets new user with a secure token so it can be enabled for FV2. This requires GUI authentication from the local account but can be run from any account as long as secure token admin credentials are entered
sudo sysadminctl interactive -secureTokenOn "$Newuser" -password "$NewuserPass"
## This "expect" block will populate answers for the fdesetup prompts that normally occur while hiding them from output.
## The inner quotes are escaped so they survive the shell's double-quoted -c string, and each answer ends in \r (Return).
## A password containing ", $, [ or \ would still need escaping before expect interprets it.
expect -c "
log_user 0
spawn fdesetup add -usertoadd \"$Newuser\"
expect \"Enter the user name:\"
send \"$curUser\r\"
expect \"Enter the password for user '$curUser':\"
send \"$curPass\r\"
expect \"Enter the password for the added user '$Newuser':\"
send \"$NewuserPass\r\"
log_user 1
expect eof
"
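As an added example (not the poster's script, and not part of the original post), here is an idempotent version of the "grant a secure token, then enable the user for FV2" step: it checks the current state first, so running it twice is harmless, and it hands fdesetup a plist on stdin (the -inputplist form with Username, Password and AdditionalUsers keys described in the fdesetup man page) instead of driving the interactive prompts with expect. The sample sysadminctl and fdesetup outputs quoted in the comments are constructed to match the 10.13-era formats; the commands themselves only exist on macOS, so the live procedure is guarded by a uname check and the parsing functions can be exercised anywhere.

```bash
#!/bin/bash
# Added example: idempotent secure-token grant plus FileVault enable.
# Assumptions: macOS 10.13+, an admin that already holds a secure token and is
# FileVault-enabled, and the fdesetup -inputplist key names from its man page.

# sysadminctl reports token state on stderr, e.g. (constructed sample line):
#   2018-02-20 10:00:00.000 sysadminctl[1234:5678] Secure token is ENABLED for user Dennis
# Prints "on", "off" or "unknown" for the text passed in.
token_state_from_output() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo on ;;
    *"Secure token is DISABLED"*) echo off ;;
    *)                            echo unknown ;;
  esac
}

# `fdesetup list` prints one "username,GeneratedUID" line per enabled user.
# Returns 0 when $1 appears as a username in the list text passed as $2.
user_in_fv_list() {
  printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Escape the five XML special characters so a password containing them cannot
# corrupt (or inject keys into) the plist handed to fdesetup.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the stdin plist for `fdesetup add -inputplist`: the authorizing
# FileVault-enabled user ($1/$2) plus the user being added ($3/$4).
fv_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$3")</string>
      <key>Password</key><string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Live procedure (macOS only): grant the token if missing, then add the user to
# FileVault if missing. `sysadminctl interactive` pops the GUI prompt for the
# credentials of an existing secure-token holder, exactly as in the post above.
ensure_fv_user() {
  local admin="$1" adminpass="$2" user="$3" userpass="$4" state
  state=$(token_state_from_output "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  if [ "$state" != on ]; then
    sysadminctl interactive -secureTokenOn "$user" -password "$userpass" || return 1
  fi
  if ! user_in_fv_list "$user" "$(fdesetup list)"; then
    fv_add_plist "$admin" "$adminpass" "$user" "$userpass" | fdesetup add -inputplist || return 1
  fi
  # Verify rather than trust the exit codes: the user must now be listed.
  user_in_fv_list "$user" "$(fdesetup list)"
}

# Usage: ./fv_enable.sh ADMIN ADMINPASS USER USERPASS
# (prompting for the two passwords instead of passing them as arguments keeps
# them out of `ps` and shell history; kept as arguments here for brevity).
if [ "$(uname -s)" = Darwin ] && [ $# -eq 4 ]; then
  ensure_fv_user "$@"
fi
```

The state checks matter because sysadminctl -secureTokenOn on a user who already has a token, and fdesetup add for a user already in the list, both fail noisily, which would make a Self Service policy report errors on every re-run even though the machine is in the desired state.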