Having an issue with FileVault and our local admins getting secure token access. So I have a config profile set to enforce FileVault enablement. The user logs in, they enable FileVault, all good to go. Problem is that the local admin we create does not have a secure token in this instance, and it's necessary that the local admin has one.
What I could do is log in with the local admin first and enable FileVault, but then I'd have to give the user local admin creds to log in to the device prior to the JamfConnect screen. That is undesirable.
How can I ensure the local admin gets a secure token without actually logging in as the local admin? I know that the sysadminctl command can do it, but that would require someone with a secure token to authorize it (that's not feasible for obvious reasons).
I would recommend this blog post:
In short, there is no easy way to do what you are asking. So, the question then becomes why do you need your local admin to have a Secure Token? What are you trying to accomplish that requires your local admin to have a secure token?
For example, we use Automox for updates. To enable Automox, it requires an account with a secure token to authorize.
Also, it would just be nice if our local admins have absolute, full access on the machine. Instead of leaning on users to approve things while we troubleshoot, if needed.
I'll check the article though, thanks.
You hit the nail on the head; the only way for a user to gain a secure token is either through a login to the endpoint or an existing user with a token to grant it. Fortunately, there are scripts that can be leveraged for the latter which avoids the standard user needing admin rights to enable your local admin account for a secure token.
As a general rule I recommend against having a generic management account having a secure token, but you know your situation/needs.
Thanks. I ended up talking to Automox (the main reason we need the secure token) and they have a workaround for situations where only the local user has one, so I think I got this solved without requiring a secure token on the admin account.
I still don't like this though, it seems strange that the local user (standard or admin either way) is the gatekeeper for things, rather than simply letting admins manage the device 100%, but hey I don't work for Apple and apparently they know better than I do lol. Thanks.
Thanks for your post.
To confirm, there is no way to generate a secure token for an account without providing the password of an existing account that has one?
From what I've read, sysadminctl requires the password of an existing account which is the part that drives me nuts. Trying to find a way to do this via JAMF without having to provide a password.
Though specifically for FileVault enablement, there is a script that Jamf shared with me that will enable FileVault under the running user, if that would help, but it doesn't grant the local admin a secure token.
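Both the reply above about needing an existing token holder to grant a token and the later question about `sysadminctl` needing a password come down to one thing: before enforcing FileVault or leaning on a management account, an admin wants to know which local accounts actually hold a Secure Token. The script below is an added example, not code from the thread or from Jamf or Automox. It assumes the macOS tools `sysadminctl`, `fdesetup` and `dscl`, that `sysadminctl -secureTokenStatus` prints its result on stderr in the form "Secure token is ENABLED/DISABLED for user ...", and that `fdesetup list` is run as root; the admin account name `localadmin` is a placeholder.

```shell
#!/bin/sh
# Added example: audit which local macOS accounts hold a Secure Token, so an
# admin can verify the state before relying on a management account to
# authorize FileVault or token operations. Assumes macOS tools sysadminctl,
# fdesetup and dscl; run with sudo so that `fdesetup list` is permitted.
# The exact wording of the sysadminctl status line is an assumption.

# Reduce one line of `sysadminctl -secureTokenStatus <user>` output to
# ENABLED / DISABLED / UNKNOWN. Kept separate so it can be tested offline.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query sysadminctl for one user. Its status line goes to stderr, so merge it.
token_status_for() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Local accounts with UID >= 500 (people and created admins), skipping
# system accounts that start with an underscore.
local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 && $1 !~ /^_/ {print $1}'
}

# Print one line per account and flag the admin account if it lacks a token,
# which is exactly the situation the thread describes.
audit_secure_tokens() {
  admin_account="${1:-localadmin}"   # placeholder name; pass your own
  echo "FileVault: $(fdesetup status)"
  echo "FileVault-enabled users: $(fdesetup list 2>/dev/null | cut -d, -f1 | tr '\n' ' ')"
  for u in $(local_users); do
    s=$(token_status_for "$u")
    printf '%-20s %s\n' "$u" "$s"
    if [ "$u" = "$admin_account" ] && [ "$s" != ENABLED ]; then
      echo "WARNING: $admin_account has no Secure Token and cannot authorize token or FileVault changes."
    fi
  done
}

# Only attempt the live audit on a Mac; elsewhere the parser is still usable.
if command -v sysadminctl >/dev/null 2>&1; then
  audit_secure_tokens "$@"
else
  echo "sysadminctl not found; the live audit only runs on macOS." >&2
fi
```

Run it as `sudo sh audit_tokens.sh localadmin` and read the WARNING line: if the management account shows DISABLED, granting it a token still requires the credentials of a user listed as ENABLED, which is the constraint the thread keeps running into.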