Posted on 08-22-2024 08:13 AM
We are having issues where Secure Token is not being assigned to the first user who logs in. (I THINK this started in mid-July, but am not 100% sure.) In fact, according to an extension attribute we use to see who has Secure Token, no one has Secure Token on the Macs in question. This has caused endless issues, including being unable to install macOS updates. This appears to be happening only on our faculty/staff machines, which are FileVault enabled. It does not appear to happen on our lab machines, which do not have FileVault enabled. I can't think of any changes we made in mid-July that would cause this issue.
Our Macs are bound to Active Directory (yes, I know, that's not recommended, but due to security software we use such as Admin by Request, we must do so.) The end user is the first person to log into the Mac. Our users are not admins on their machines, but can get admin privileges temporarily using Admin By Request.
Most of the Macs whose users don't have SecureToken are running macOS 14 (Sonoma), but we have a couple that are running macOS 13 (Ventura).
If anyone has an idea as to why this is happening, I'd love to hear your thoughts.
Posted on 08-22-2024 08:18 AM
Also, if I run "sysadminctl -secureTokenStatus (primary user's username)" on a Mac that has no users with secure token (according to our extension attribute), I get the message "Secure token is DISABLED for user (username)."
Posted on 08-23-2024 09:34 AM
We ran into this last year. Sometimes our enrollment-created user accounts would not be given a Secure Token.
You can create a bootstrap token using the profiles command-line tool.
These are some of the options we've used:
Could not find a pattern for why this was happening, but for the odd time it does, this helped.
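The two posts above rely on checking token state by hand: "sysadminctl -secureTokenStatus" per user, and the profiles tool for the Bootstrap Token. The script below is an added example written for this thread, not code from any of the posters, showing how that check can be turned into an extension attribute that reports every local account holding a Secure Token plus the Bootstrap Token escrow state, so the condition described in the first post (no token holders at all on a FileVault Mac) is visible in inventory instead of being discovered when an update fails. Assumptions: the Jamf "<result>...</result>" extension attribute output format, the "Secure token is ENABLED/DISABLED for user" phrasing quoted in the thread, the "Bootstrap Token escrowed to server: YES/NO" phrasing of "profiles status -type bootstraptoken", and UID 500 as the cutoff for real user accounts. The parsing is kept separate from the live commands so it can be exercised against constructed sample output on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: extension attribute style report of
# Secure Token holders and Bootstrap Token escrow state on a Mac.
# The parse_* functions are pure string handling; only report() runs the
# real sysadminctl / profiles / dscl commands.

# Map one line of `sysadminctl -secureTokenStatus <user>` output (written to
# stderr with a log prefix) to ENABLED, DISABLED or UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Map `profiles status -type bootstraptoken` output to ESCROWED, NOT_ESCROWED
# or UNKNOWN. Assumed phrasing: "profiles: Bootstrap Token escrowed to server: YES".
parse_bootstrap_status() {
    case "$1" in
        *"escrowed to server: YES"*) echo ESCROWED ;;
        *"escrowed to server: NO"*)  echo NOT_ESCROWED ;;
        *)                           echo UNKNOWN ;;
    esac
}

# Read "user status" pairs on stdin; print ENABLED users comma-separated,
# or "none" when no account holds a token (the symptom in the first post).
token_holders() {
    awk '$2 == "ENABLED" { h = h (h == "" ? "" : ",") $1 }
         END { print (h == "" ? "none" : h) }'
}

# Local accounts with UID >= 500 (assumed cutoff; skips service accounts).
list_local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Query each local user and emit one extension attribute result line, e.g.
# <result>SecureToken: none; BootstrapToken: NOT_ESCROWED</result>
report() {
    bootstrap=$(parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)")
    holders=$(list_local_users | while read -r u; do
        printf '%s %s\n' "$u" \
            "$(parse_token_status "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
    done | token_holders)
    printf '<result>SecureToken: %s; BootstrapToken: %s</result>\n' "$holders" "$bootstrap"
}

# Only run the live query where sysadminctl exists (macOS); the parse
# functions above work anywhere.
if command -v sysadminctl >/dev/null 2>&1; then
    report
fi
```

Run as root from the MDM so sysadminctl can report on every account; a smart group on "SecureToken: none" then flags exactly the Macs the first post describes, and the BootstrapToken field shows whether the workflow fix in the later post actually escrowed the token.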
Posted on 08-29-2024 05:48 AM
Maybe this one helps:
https://github.com/AirBookMac/IssueSecureToken
The user has to be a local admin before running this.
Posted on 09-03-2024 12:24 PM
We're currently testing a few changes to our workflow to see if it makes a difference - so far, it seems to be successful. Here's what we changed:
1. In the config profile that enables FileVault, we've set it to activate at logout instead of at login.
2. On first login, while the Mac is still at the helpdesk, we've started asking our clients to temporarily elevate to admin using Admin By Request.
I'm not sure if either of these (or both) are helping, but we're keeping an eye on things. So far, the last three Macs to be refreshed have gotten both the Bootstrap Token escrowed and the SecureToken assigned to the first person to log in.