Secure Token for managed administrator account

MacJunior
Contributor II

Hey all, 

 

I want your input on our current provisioning workflow, cuz I think it needs to be adjusted somehow 

 

Through prestage enrollment, we create our managed administrator account and choose the type of local user account as "Admin" .. the end-user account gets a secure token but not our managed administrator's one cuz we don't login with it as a first account. We use a script that the end user has to run from Self Service to grant the secure token to our managed administrator account .

 

What do you think? is there something we can do to skip running that script from self service and grant a securetoken to our managed administrator account?

 

Any tips are very appreciated

7 REPLIES 7

MacJunior
Contributor II

Also why would you guys create a managed administrator account? for us simply to reset the user's password in case they forget it but definitely we can do that using FV recovery key escrowed to MDM so any other reasons pushing you  to create that managed account? 

 

junjishimazaki
Valued Contributor

Each org has its own workflow and reason for setting up a Mac with a local admin account. But, in my opinion, I think it's a good idea to have an admin account. Just like in Windows, you always need a local admin account in case you need to perform a task on that machine without the need of the user's account. 

Jason33
Contributor III

I dont worry about having the local admin account be securetoken enabled.  As long as the Recovery Key is escrowed to Jamf, there's a way to log in to the machine.  Are you allowing your users to remain as Admin's on the device, or are you temporarily promoting them to admin when they run your policy to grant a securetoken to your local admin account?  I previously was doing this, but felt it was no longer needed since we are escrowing the recovery key to Jamf Pro.

MacJunior
Contributor II

@junjishimazaki I totally respect that each company has its own workflow but I still don't see the real need of that account.

Do you rotate the password of that local admin account? if yes then how?

@Jason33 their accounts are already admin ! I know from security perspective maybe it's better to keep them standard and use a tool like privileges  but yeah not sure if that will be so annoying for them. 

what's your experience about that? do you have any issues by having their accounts standard? 

 

Fluffy
Contributor III

User education and trust may be the biggest factors on whether users have standard or administrator accounts, in my opinion.

In a K-12 school, students will always have standard accounts, so a managed admin account is a given. As for staff, there is a wide range on their knowledge of technology. We grant requests for admin accounts on a case by case basis, but a majority are standard users. User credentials are also not available to us, so an admin account is beneficial when diagnosing issues as well.

I am still learning Mac administrating. This may be due to inexperience, but I don't see the necessity of having the user grant a secure token for the managed admin when the user is also an admin. Does it cause issues when configuring the system as the managed admin?

roman_sammartin
New Contributor II

Are there any resolutions here?

The best I got was to run this one-liner I put together using the information on the official Apple page about this issue. https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web
However, in practice, it only flags that an account has the secure token...it doesn't actually give the token to the account:
sudo dscl . -append /Users/$4 AuthenticationAuthority ";SecureToken;"

So, if anything, this one-liner makes the situation worse by setting a false-positive flag.

 


I appreciate the concerns about why this is needed...but it's unhelpful to challenge another admin's need for something in their unique environment. You don't know the context. Here is our reason to have local admins with the Secure Token enabled:

We use SmartCard logins for all our devices. These cards require you to plug them into the device + a pin for authentication. The pin is not the same as the local account password. All of our end-users are also Admins on their machines and are SecureToken enabled through the standard account creation process. Because end users don't use their local passwords very often, it's relatively common for them to forget the password. Local passwords are sometimes needed for updates or to pair a new smart card after it has been expired. Since we are mostly WFH these days, its much easier and more reliable to have a separate admin account that we can help them log into and reset their password from.

The alternative requires a password reset through the passwordreset tool in a macOS recovery terminal. Additionally, we have unique firmware passwords on all our intel macs or recovery lock passwords for Apple Silicon macs. Walking an end-user through all these steps to get to a recovery OS over the phone is not a trivial thing to do. Giving our local admin the secure token means we don't have to go through the above rodeo which takes 30-60 minutes when someone forgets their password, depending on the end-user's savviness. This happens 1-2 times per week, which translates to dozens of hours spent resetting passwords each year.

MacJunior
Contributor II

Hey Roman,

 

I used to use this script in Self Service to grant secure token to our managed administrator account, it will ask for end user password 

https://github.com/TravellingTechGuy/manageSecureTokens/blob/master/manageSecureTokens.sh

Hope that would help.