Secure Token

New Contributor III

Got a quick question.  We have an admin management account that is created during UI enrollment, and a user account on the computers that starts out as admin, but is demoted to non-admin during the enrollment process.  


I don't want the admin management account to get a secure token, I want the only account with a secure token to be the standard account.  


The problem is that if I log into the management account for any reason, weeks or months after enrollment, the management account gets a secure token! (In addition to the standard account that had a token from the beginning.)  How can I log into the management account without it getting a secure token?



Our devices are all mac-book airs and mac-book pros, and are running Big Sur and Montery. All accounts are local accounts. 



New Contributor II

Any reason you don't want this?   Without the secure token you can't reset the local user's password and do other things.  We've had issues with M1 macbooks preventing the regular user (who is also an admin) from logging in with their password.    It is only with a hidden admin that eventually gets the secure token granted to them from JAMF that we can reset the user's password.

New Contributor

A few reasons:  1) I don't want the management acct to have a secure token because once it has one, it no longer remains hidden on the login screen.  2) once the management acct has a secure token I cannot change its password with the Jamf password reset policy.  It's more important to me to be able to change the management password than the user password because my users are so locked down that even if that PW gets out, no one could do much with it. 3) This site: has some pretty convincing reasons why the user account should be the only account to have a secure token on the device. 

It appears to me that having the bootstrap token enabled is what is causing any user who utilizes the login screen to get a secure token automatically.   So my options could be: 1) disable the bootstrap token on my fleet.  Is this possible and what would the ramifications of this be? 2) Never log into the management account via the login screen (there are some use cases where we need to do this). 3) Delete the secure token on the management account if it ever gets logged into.  I have tried to do this and am prevented because it says I need a "secure token unlock" and research online seems to indicate that this error is only remedied by wiping the computer!  4) find a way to perpetually block management user from ever receiving a secure token. This would be great if it can be done.  


Any assistance you can provide would be much appreciated!!

New Contributor III

@JeanetteA nailed it!  Good to know you are also having issues, Jeanette. 

For me the most important reason is for changing the password of the management account.  This is much easier if they do not have a secure token.  I also don't like the way the management account appears on the logins screen once it has a secure token.  I've also been reading on the site Jeanette referenced above and find the writer's arguments pretty convincing about why only the standard account should have a secure token, from a security perspective. 

Sounds like Jeanette has some good ideas for remediating this if they are workable.  Looking forward to hearing anyone else chime in on this.  

Deleting the secure token on the management account would be great but I have not figured out a way to do this either without getting the "secure token unlock" error message.  

I would love it if there was a way to just block specified users (i.e. management user) from ever receiving a secure token.  

How are others dealing with this?


New Contributor III

Jeanelle mentioned possibly disabling bootstrap - has anyone tried this on their fleet?  Does it cause any issues?


Valued Contributor II

Take a look at this blog article from TTG. It looks like you could, in theory, tag the local admin account with ;DisabledTags;SecureToken tag.

New Contributor III

I asked TTG about the tag option, and TTG responded: "that feature is only to avoid the “first” account created on the system to get a token. Bootstrap overwrites this."

So setting that tag will not work in my use case.  What about a policy that auto deletes and re-creates the admin management account as soon as it finds that account secure tokened?