Secure Token Conundrum

bensams127
New Contributor

I have run into a roadblock with STs and am looking for any possible solution. We are a k12 institution managing 1200 Macs. Our setup workflow consists of creating an Admin Management account and a Student Standard account on startup. The Standard student account is the one we are logging into and hiding the Admin user. What this basically means in Big Sur is that the Standard user is getting a Secure Token but the Local Admin is not getting a Secure Token. Since the Standard user cannot convert the Admin to have a Secure Token I feel I am stuck. I have had to update Big Sur one at a time already this summer on 300 machines because startosinstall would not run due to the lack of ST.

The only option I have come up with is to initially load my student user as an Admin during setup and run a one-time policy in Self Service that enables ST on the Admin (because I know the default password for the Student account before they change it), then changes the Student back to a Standard user and restarts. This is tedious but works for new machine initial setup, but I cannot come up with a way to engage ST on my currently deployed machines without manually having each student validate the restart, which is not an option. (Are your eyes going crossed yet?)

Does anyone have any suggestions or thoughts that could help me resolve this?


Tribruin
Valued Contributor II

Are you on Big Sur? If so, after you set up the computer, if you log in (or authenticate in some other way) as the local admin, you should get a Secure Token granted to the local admin. So, in your workflow, after you log in as the student, log out and log back in as the local admin (or even unlock something in System Preferences that requires an Administrator password).

Take a look at this link: Filevault, Secure Token, and Bootstrap

Cayde-6
Release Candidate Programs Tester

We run into this problem and the solution currently is, when we need the local admin physically, it'll generate a bootstrap token from the MDM on the login once connected to the internet.

PaulHazelden
Valued Contributor

We have a Jamf account, created by Jamf for Jamf admin. It has a secure token, and if you know its password then you can use it to create the token for the other accounts. But beware, it is a royal pain in the rear to fix. I have not found a way to automate it fully, and therefore have to manually log in as the Jamf user in the GUI and then in Terminal assign the token to the main admin account. It requires authentication in both Terminal and the GUI to complete. Also, the account with the ID of 501 will be given a secure token automatically; it is normally the first account logging in and is usually an admin account. I had my accounts hidden by giving them a 401 and up ID, and this prevented the token from being assigned.
Our policy here is that the main admin account is the first one to log in on the Mac, and will therefore get a token assigned.

https://support.forgetcomputers.com/hc/en-us/articles/115003426751-SecureToken-and-sysadminctl-in-10-13-and-10-14

Info there on checking and how to assign. In theory one of those methods looks to be automated, if you don't mind sending out the commands. All you need to do is elevate the Student account to be in the sudoers list, and it might work for you. And then drop them back out again after. But please test it thoroughly first. I have only done this via the GUI method on a handful of Macs.
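The original question (knowing which accounts actually hold a Secure Token before pushing startosinstall) and the reply above (checking status and assigning a token from an account that already has one) both come down to the same two sysadminctl calls. The script below is an added example written for this thread, not code posted by any of the participants or shipped by Jamf. It assumes a Mac with sysadminctl, dscl and profiles available (10.13 or later), and that the account lending the token (the Jamf-created admin in the reply above, named JAMF_ADMIN here as a placeholder) already holds one. The account list starts at UID 400 rather than 500 so the hidden 401-and-up accounts the reply mentions are included in the audit.

```shell
#!/bin/sh
# Added example (not from the thread): audit Secure Token and Bootstrap Token
# state on a Mac, and grant a token to a second account from one that has it.
# Assumes macOS 10.13+ with sysadminctl, dscl and profiles on PATH.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# sysadminctl writes its verdict to stderr, e.g. (constructed sample):
#   2021-08-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user Student
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# Local, non-service accounts with UID >= 400 (catches the hidden 401+ range
# from the reply above as well as the normal 501+ accounts).
local_accounts() {
  dscl . -list /Users UniqueID 2>/dev/null \
    | awk '$2 >= 400 && $1 !~ /^_/ { print $1 }'
}

# One line per account with its UID and Secure Token state, then the
# Bootstrap Token escrow state (the MDM path mentioned by Cayde-6).
audit_tokens() {
  for user in $(local_accounts); do
    uid=$(dscl . -read "/Users/$user" UniqueID 2>/dev/null | awk '{ print $2 }')
    line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    printf '%-20s uid=%-5s secure_token=%s\n' "$user" "$uid" "$(token_state "$line")"
  done
  profiles status -type bootstraptoken 2>&1
}

# Grant a Secure Token to TARGET using the credentials of HOLDER, an account
# that already has one (the "Terminal" half of the manual method above).
# Passing "-" as either password makes sysadminctl prompt interactively, so the
# secret does not appear in the process list or in Jamf policy logs; a
# non-interactive policy has to supply the values some other way.
grant_token() {  # grant_token TARGET TARGET_PW HOLDER HOLDER_PW
  sysadminctl -secureTokenOn "$1" -password "$2" \
              -adminUser "$3" -adminPassword "$4"
}

# Run the audit only when executed directly on macOS; on other systems the
# helpers above can still be sourced and exercised.
if [ "$(uname)" = "Darwin" ] && [ "${RUN_AUDIT:-1}" = "1" ]; then
  audit_tokens
  # Example of the grant step, with placeholder names; "-" prompts for both
  # passwords:  grant_token localadmin - JAMF_ADMIN -
fi
```

Run the audit first on a handful of Macs to confirm which account the token actually landed on (UID 501 versus the hidden admin), then decide whether the Bootstrap Token or the manual grant is the route for the already-deployed fleet; an account reported as `disabled` cannot authorise startosinstall on an encrypted volume.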