a week ago
I'm trying to script the removal and re-adding of SecureTokens. We have run into an issue where the users have changed their passwords outside of macOS and now the accounts with SecureTokens are not able to install macOS updates.
Can this be done, anyone have any examples?
When I try to do it manually, I get a
Operation is not permitted without secure token unlock.
a week ago - last edited a week ago
@ChrisTech wrote:
I'm trying to script the removal and re-adding of SecureTokens.
The answer is simple, you don't.
The long and painful answer, you don't.
When you use terminal to do something, it uses something called a bootstrap token as root when you use sudo. The entire purpose of Secure Tokens is to dis-empower root. You cannot modify a Secure Token with a Bootstrap token.
The commands you are looking for are below, and there are tons of different ways to write this out, but the workflow is all the same. You need both the user's password (which is not known), and the username and password of another Secure Token holding account.
sysadminctl interactive -secureTokenOff [USERNAME] -password -
sysadminctl interactive -secureTokenOn [USERNAME] -password -
-Or-
sysadminctl -secureTokenOn [USERNAME] -password - -adminUser [ADMIN USERNAME] -adminPassword -
-Or-
sysadminctl interactive -secureTokenOn [USERNAME] -password [UserPassWord]
The passwords must be put in the script, or macOS (specially the sysadminctl binary) will prompt for them. If you put the passwords in the script, they are unencrypted and in clear text. The behavior is the same if deployed by Jamf.
.
Prerequisites:
TL;DR:
I suggest spending time in the sysadminctl man page, and on Apples page reading up on Secure Tokens, as well as old Jamf Nation posts as this is a fairly common question. Admittedly Apples documentation is garbage on Secure Tokens but suffice it to say you cannot modify Secure Token with a script and you need to reset passwords the way Apple tells you to which has no interested given to what you want to do with Active Directory or any IDP.
https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
a week ago
What we are seeing primarily are users are unable to reset fingerprints and install system updates. The users in question already have SecureTokens. Is it a matter of removing them from FileVault, removing the SecureToken and then re-adding the SecureToken and FileVault?