Scripting Help - Secure Tokens

ChrisTech
Contributor

I'm trying to script the removal and re-adding of SecureTokens. We have run into an issue where the users have changed their passwords outside of macOS and now the accounts with SecureTokens are not able to install macOS updates. 

 

Can this be done, anyone have any examples?

 

When I try to do it manually, I get a 

Operation is not permitted without secure token unlock.


AJPinto
Honored Contributor III

@ChrisTech wrote:

I'm trying to script the removal and re-adding of SecureTokens.


The answer is simple: you don't.

 

The long and painful answer, you don't.

When you use terminal to do something, it uses something called a bootstrap token as root when you use sudo. The entire purpose of Secure Tokens is to dis-empower root. You cannot modify a Secure Token with a Bootstrap token.

 

The commands you are looking for are below, and there are tons of different ways to write this out, but the workflow is all the same. You need both the user's password (which is not known), and the username and password of another Secure Token holding account. 

 

sysadminctl interactive -secureTokenOff [USERNAME] -password -
sysadminctl interactive -secureTokenOn [USERNAME] -password -

-Or-

sysadminctl -secureTokenOn [USERNAME] -password - -adminUser [ADMIN USERNAME] -adminPassword -

-Or-

sysadminctl interactive -secureTokenOn [USERNAME] -password [UserPassWord]

 

The passwords must be put in the script, or macOS (specifically the sysadminctl binary) will prompt for them. If you put the passwords in the script, they are unencrypted and in clear text. The behavior is the same if deployed by Jamf.


Prerequisites:

  • You must have a local IT account on the device that MUST have a Secure Token.
  • You must know the user's password (in your scenario the user's password is unknown so none of this will work).

 

TL;DR:

I suggest spending time in the sysadminctl man page, and on Apple's page reading up on Secure Tokens, as well as old Jamf Nation posts, as this is a fairly common question. Admittedly Apple's documentation is garbage on Secure Tokens, but suffice it to say you cannot modify a Secure Token with a script, and you need to reset passwords the way Apple tells you to, which has no interest given to what you want to do with Active Directory or any IdP.

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web

https://support.apple.com/en-us/102633 
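An added example, not code from AJPinto, Apple or Jamf, showing the check a practitioner would run before attempting any of the sysadminctl commands above: an audit of which local accounts actually hold a Secure Token, so you know up front whether a token-holding IT account exists on the device. It assumes the status line format printed by `sysadminctl -secureTokenStatus` ("Secure token is ENABLED for user NAME", written to stderr) and that local accounts have UIDs of 500 or above; both are observed behaviour rather than documented API, and the sample status lines are constructed. Off macOS the live audit is a no-op and only the parser runs.

```shell
#!/bin/sh
# Added example: audit Secure Token holders before any -secureTokenOn/-secureTokenOff work.
# Assumption: sysadminctl -secureTokenStatus prints (on stderr) a line such as
#   sysadminctl[812:9034] Secure token is ENABLED for user itadmin
# Assumption: local (non-system) accounts have UIDs >= 500.

# parse_token_status: classify one sysadminctl status line as ENABLED, DISABLED or UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
        *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
        *)                            printf 'UNKNOWN\n' ;;
    esac
}

# count_token_holders: read "user<TAB>status line" records on stdin and print
# how many accounts are ENABLED. Kept separate so the logic is testable offline.
count_token_holders() {
    n=0
    while IFS="$(printf '\t')" read -r user line; do
        if [ "$(parse_token_status "$line")" = "ENABLED" ]; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# audit_secure_tokens: on macOS, query every local account (UID >= 500) and print
# "user<TAB>STATUS". Elsewhere (no sysadminctl) it prints nothing and returns 0.
audit_secure_tokens() {
    command -v sysadminctl >/dev/null 2>&1 || return 0
    dscl . -list /Users UniqueID | while read -r user uid; do
        [ "$uid" -ge 500 ] || continue
        # The status goes to stderr; merge it into stdout so it can be parsed.
        line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        printf '%s\t%s\n' "$user" "$(parse_token_status "$line")"
    done
}

# Constructed sample records standing in for a real audit run (two holders, one non-holder).
SAMPLE_STATUS=$(printf 'itadmin\tsysadminctl[812:9034] Secure token is ENABLED for user itadmin\njdoe\tsysadminctl[813:9035] Secure token is DISABLED for user jdoe\nasmith\tsysadminctl[814:9036] Secure token is ENABLED for user asmith')

# Usage: live audit first (no-op off macOS), then the count over the constructed sample.
audit_secure_tokens
printf 'Token holders in sample: %s\n' "$(printf '%s\n' "$SAMPLE_STATUS" | count_token_holders)"
```

If the audit shows no ENABLED account other than the user whose password is unknown, the workflow AJPinto describes has nothing to authenticate with, and the device has to go through Apple's password-reset path rather than a script.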

ChrisTech
Contributor

What we are seeing primarily are users are unable to reset fingerprints and install system updates. The users in question already have SecureTokens. Is it a matter of removing them from FileVault, removing the SecureToken and then re-adding the SecureToken and FileVault?