Secure Token for a local admin

AlexSoo
New Contributor

Hi all,

Having an issue with Filevault and our local admins getting secure token access. So I have a config profile set to enforce Filevault enablement. The user logs in, they enable filevault, all good to go. Problem is that the local admin we create does not have a secure token in this instance, and it's necessary the local admin has one.

What I could do is login with the local admin first, enable filevault, but then I'd have to give the user local admin creds to login to the device prior to JamfConnect screen. That is undesirable.

How can I ensure the local admin gets a secure token without actually logging in as the local admin? I know that the sysadminctl command can do it, but that would require someone with a secure token to authorize it (that's not feasible for obvious reasons).

11 REPLIES 11

Tribruin
Valued Contributor II

I would recommend this blog post:

Additional admin with SecureToken, or not? - Travelling Tech Guy

In short, there is no easy way to do what you are asking. So, the question then becomes why do you need your local admin to have a Secure Token? What are you trying to accomplish that requires your local admin to have a secure token?

For example, we use Automox for updates. To enable automox, it requires an account with a secure token to authorize.
Also, it would just be nice if our local admins have absolute, full access on the machine. Instead of leaning on users to approve things while we troubleshoot, if needed.

I'll check the article though, thanks.

cdev
Contributor III

You hit the nail on the head; the only way for a user to gain a secure token is either through a login to the endpoint or an existing user with a token to grant it. Fortunately, there are scripts that can be leveraged for the latter which avoids the standard user needing admin rights to enable your local admin account for a secure token.

 

As a general rule I recommend against having a generic management account having a secure token, but you know your situation/needs.

AlexSoo
New Contributor

Thanks. I ended up talking to Automox (the main reason we need the secure token) and they have a workaround for situations where only the local user has one, so I think I got this solved without requiring a secure token on the admin account.
I still don't like this though, it seems strange that the local user (standard or admin either way) is the gatekeeper for things, rather than simply letting admins manage the device 100%, but hey I don't work for Apple and apparently they know better than I do lol. Thanks.

dmarin
New Contributor

Thanks for your post. 

To confirm, there is no way to generate a securetoken for an account without providing the password of an existing account that has one ? 

From what I've read, sysadminctl requires the password of an existing account which is the part that drives me nuts. Trying to find a way to do this via JAMF without having to provide a password. 

CPHP
New Contributor

Did this get solved for you, if so how? We're trying to do this for our already deployed M1 macs with as little user intervention as possible. 

AlexSoo
New Contributor

There is no solution, you need to login to the mac to get a token. Meaning, local admins won't receive on natively.

CPHP
New Contributor

How did you work around it in your post above? Did you log the admin account into all of your mac deployments?

AlexSoo
New Contributor

We just dont have secure tokens for our local admins. Only the user does. It's a pain, but welcome to the mac admin world I guess.

AlexSoo
New Contributor

Though specifically for Filevault enablement, there is a script that Jamf shared with me that will enable filevault under the running user. If that would help, but it doesn't grant local admin a secure token.

Eskobar
Contributor

Only users that have logged in to mac get a secure token.Only admins with a secure token, can create new tokens with terminal.