Secure Token not getting assigned to first user who logs in

jkarpenske
New Contributor III

We are having issues where Secure Token is not being assigned to the first user who logs in. (I THINK this started in mid-July, but am not 100% sure.) In fact, according to an extension attribute we use to see who has Secure Token, no one has Secure Token on the Macs in question. This has caused endless issues, including being unable to install macOS updates. This appears to be happening only on our faculty/staff machines, which are FileVault enabled. It does not appear to happen on our lab machines, which do not have FileVault enabled. I can't think of any changes we made in mid-July that would cause this issue.

Our Macs are bound to Active Directory (yes, I know, that's not recommended, but due to security software we use such as Admin by Request, we must do so.)  The end user is the first person to log into the Mac.  Our users are not admins on their machines, but can get admin privileges temporarily using Admin By Request.  

Most of the Macs whose users don't have SecureToken are running macOS 14 (Sonoma), but we have a couple that are running macOS 13 (Ventura).

If anyone has an idea as to why this is happening, I'd love to hear your thoughts.  


jkarpenske
New Contributor III

Also, if I run "sysadminctl -secureTokenStatus (primary user's username)" on a Mac that has no users with secure token (according to our extension attribute), I get the message "Secure token is DISABLED for user (username)."

kevin_neely
New Contributor III

We ran into this last year. Sometimes our Enrollment created user accounts would not be given a Secure Token. 

You can create a bootstrap token using the profiles command line tool.

These are some of the options we've used:

  • sudo profiles install -type bootstraptoken: This command generates a new bootstrap token and escrows it to the MDM solution. This command requires existing secure token administrator information to initially generate the bootstrap token and the MDM solution must support the feature.
  • sudo profiles remove -type bootstraptoken: Removes the existing bootstrap token on the Mac and the MDM solution.
  • sudo profiles status -type bootstraptoken: Reports back whether the MDM solution supports the bootstrap token feature, and what the current state of the bootstrap token is on the Mac.
  • sudo profiles validate -type bootstraptoken: Reports back whether the MDM solution supports the bootstrap token feature, and what the current state of the bootstrap token is on the Mac.


Could not find a pattern for why this was happening but for the odd time it does this helped.
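The two checks discussed above, jkarpenske's `sysadminctl -secureTokenStatus` query and kevin_neely's `profiles status -type bootstraptoken`, can be combined into one audit script that reports who actually holds a Secure Token and whether the bootstrap token is escrowed. The script below is an added example, not code from this thread or from Jamf or Apple. It separates the parsing of each tool's output from running the tool, so the parsers can be exercised offline with the constructed sample lines embedded in the script. The `Secure token is ENABLED/DISABLED for user` wording comes from the thread; the two `profiles status` lines (`supported on server: YES|NO`, `escrowed to server: YES|NO`) are an assumption about that tool's output format, and anything that does not match is reported as `UNKNOWN` rather than guessed. The `<result>` wrapper is the format a Jamf extension attribute expects.

```shell
#!/bin/sh
# Added example (not from the thread): audit Secure Token holders and the
# bootstrap token state, e.g. for use as a Jamf extension attribute.

TAB=$(printf '\t')
NL='
'

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# macOS writes this line to stderr; the thread quotes the DISABLED form.
parse_secure_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "ENABLED" ;;
    *"Secure token is DISABLED"*) echo "DISABLED" ;;
    *)                            echo "UNKNOWN" ;;
  esac
}

# Classify `profiles status -type bootstraptoken` output. The two expected
# lines ("... supported on server: YES|NO", "... escrowed to server: YES|NO")
# are an assumption about the tool's format; unrecognised text yields UNKNOWN.
parse_bootstrap_status() {
  supported=$(printf '%s\n' "$1" | sed -n 's/.*supported on server: *\([A-Za-z]*\).*/\1/p' | head -n 1)
  escrowed=$(printf '%s\n' "$1" | sed -n 's/.*escrowed to server: *\([A-Za-z]*\).*/\1/p' | head -n 1)
  case "$supported:$escrowed" in
    YES:YES) echo "ESCROWED" ;;
    YES:NO)  echo "SUPPORTED_NOT_ESCROWED" ;;
    NO:*)    echo "UNSUPPORTED" ;;
    *)       echo "UNKNOWN" ;;
  esac
}

# Given "user<TAB>sysadminctl output line" records, one per line, print the
# users whose token is ENABLED, space separated (empty when nobody has one,
# which is exactly the state the thread describes).
token_holders() {
  holders=""
  while IFS="$TAB" read -r user line; do
    [ -z "$user" ] && continue
    if [ "$(parse_secure_token_status "$line")" = "ENABLED" ]; then
      holders="${holders:+$holders }$user"
    fi
  done <<EOF
$1
EOF
  printf '%s\n' "$holders"
}

# Live audit for macOS: enumerate local accounts with UID >= 500, query each
# one, and report in the <result> wrapper a Jamf extension attribute expects.
audit_live() {
  records=""
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    line=$(sysadminctl -secureTokenStatus "$u" 2>&1)
    records="${records}${u}${TAB}${line}${NL}"
  done
  bt=$(parse_bootstrap_status "$(profiles status -type bootstraptoken 2>&1)")
  printf '<result>SecureToken: [%s] BootstrapToken: %s</result>\n' \
    "$(token_holders "$records")" "$bt"
}

# Constructed sample data standing in for real tool output (one user without
# a token, one admin with one; bootstrap token supported but not escrowed).
SAMPLE_RECORDS="jdoe${TAB}sysadminctl[812:9901] Secure token is DISABLED for user jdoe
itadmin${TAB}sysadminctl[813:9902] Secure token is ENABLED for user itadmin"
SAMPLE_BOOTSTRAP="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO"

# `./audit.sh --live` on a Mac runs the real audit; otherwise show the samples.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  audit_live
else
  printf 'SecureToken holders: [%s]\nBootstrap token: %s\n' \
    "$(token_holders "$SAMPLE_RECORDS")" "$(parse_bootstrap_status "$SAMPLE_BOOTSTRAP")"
fi
```

Run with `sudo sh audit.sh --live` on a managed Mac; `sysadminctl` and `profiles` need root to report reliably. An empty holders list together with `SUPPORTED_NOT_ESCROWED` is the combination worth alerting on, since without any token holder the `profiles install -type bootstraptoken` command above has no secure-token administrator to work from.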

BookMac
Contributor

Maybe this one helps:
https://github.com/AirBookMac/IssueSecureToken
The user has to be a local admin before running this.

jkarpenske
New Contributor III

We're currently testing a few changes to our workflow to see if they make a difference. So far, it seems to be successful. Here's what we changed:
1.  In the config profile that enables FileVault, we've set it to activate at logout instead of at login.
2.  On first login, while the Mac is still at the helpdesk, we've started asking our clients to temporarily elevate to admin using Admin By Request. 
I'm not sure if either of these (or both) are helping, but we're keeping an eye on things.  So far, the last three Macs to be refreshed have gotten both the Bootstrap token escrowed as well as the SecureToken assigned to the first person to log in.