a month ago
Afternoon All
So I'm going through a process of removing a redundant local admin account from our fleet.
In most cases I have been able to pass the secure token from one admin account to another admin account which I know the password for. This has worked in most cases.
I assume there isn't a way to remove the secure token from that admin account only, which then would allow me to remove the admin account.
I'm confused by most of these machines having another secure token user; however, they are not admin. Just trying to get my head around why I can't remove the admin account if another account also has a secure token.
Machines in some cases have FileVault turned on, and we do use Jamf Connect.
Thanks
a month ago
Secure Tokens are granted to the first account that logs in to macOS, as well as automatically to any administrative account that interactively logs in to macOS. Generally speaking, in an ideal situation the only one with a secure token is the end user, but if you log in with your shared admin account it will automatically get a secure token also. I'm sure each device's situation is unique, which would make it very difficult to script, as you can't account for all the variables like how or if this admin account was ever logged in to to have received a secure token.
It may be worthwhile to write a script to deploy from Jamf that presents the end user with a popup to enter their credentials to pass their secure token to the script, and use the script with their secure token to remove the secure token from your admin account. There are privacy concerns with this, as it's pretty easy to dump out the user's password to a file.
a month ago
Thanks @AJPinto
If the same admin account was used to enable FileVault, would that prevent you from removing the account? I think that is what my issue is.
a month ago
It's a variable for sure, but should not really impact the Secure Token.
FileVault also uses tokens; while not specifically a Secure Token, they are related. You cannot delete the only user on a device that has a FileVault Token; FileVault tokens are also tied to volume ownership. You do not need an Admin Account with a Secure Token, FileVault token or Volume Ownership, but you cannot delete the only account with these tokens regardless of whether it's an admin or standard user.
Ideally end users should be enabling FileVault; this should not be done for them. However, so long as your end user also has FileVault access, it should not matter if the account that enabled FileVault is deleted.
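The reply above names three things that can block deleting a local account: being the only Secure Token holder, the only FileVault-enabled user, or the only APFS volume owner. The script below is an added example (not posted in this thread and not Jamf's or Apple's code) that makes those three checks visible per account before any deletion is attempted. It assumes the output formats of `sysadminctl -secureTokenStatus`, `fdesetup list` (one `username,GeneratedUID` line per user) and `diskutil apfs listUsers /` (`+-- <UUID>` blocks with a `Volume Owner:` line) as they appear on recent macOS; the sample outputs embedded in it are constructed for the offline demo.

```bash
#!/bin/sh
# Added example, not from this thread. Pre-flight check before deleting a local
# macOS account: confirm that at least one OTHER account still holds a Secure
# Token, is listed as a FileVault user, and is an APFS volume owner.
# The parsers work on captured command output so they can run offline; the
# driver at the bottom runs the real commands only on macOS.

# Map `sysadminctl -secureTokenStatus <user>` output to ENABLED / DISABLED / UNKNOWN.
# sysadminctl writes this line to stderr, so callers capture it with 2>&1.
token_state_from_output() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Count FileVault-enabled users other than $1 in `fdesetup list` output ($2).
other_fv_users() {
  printf '%s\n' "$2" | awk -F, -v skip="$1" 'NF >= 2 && $1 != skip { n++ } END { print n + 0 }'
}

# Count APFS volume owners whose UUID differs from $1, from `diskutil apfs listUsers /` output ($2).
other_volume_owners() {
  printf '%s\n' "$2" | awk -v skip="$1" '
    $1 == "+--"            { uuid = $2 }
    /Volume Owner: Yes/    { if (uuid != skip) n++ }
    END                    { print n + 0 }'
}

# Succeeds only when another account keeps all three capabilities.
# args: other_token_holders other_fv_users other_volume_owners
safe_to_delete() {
  [ "$1" -ge 1 ] && [ "$2" -ge 1 ] && [ "$3" -ge 1 ]
}

# Constructed sample output (hypothetical UUIDs) for the offline demo below.
SAMPLE_TOKEN_OUT='2024-01-01 10:00:00.000 sysadminctl[100:200] Secure token is ENABLED for user jane'
SAMPLE_FV_LIST='admin,AAAA-1111
jane,BBBB-2222'
SAMPLE_DISKUTIL='Cryptographic users for disk3s1 (3 found)
|
+-- AAAA-1111
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- BBBB-2222
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: iCloud Recovery User
|   Volume Owner: No'

# Offline demo: would "admin" (GeneratedUID AAAA-1111) be safe to delete given the samples?
run_demo() {
  t=0; [ "$(token_state_from_output "$SAMPLE_TOKEN_OUT")" = ENABLED ] && t=1
  f=$(other_fv_users admin "$SAMPLE_FV_LIST")
  o=$(other_volume_owners AAAA-1111 "$SAMPLE_DISKUTIL")
  echo "demo: other token holders=$t, other FileVault users=$f, other volume owners=$o"
  safe_to_delete "$t" "$f" "$o" && echo "demo: admin could be deleted" || echo "demo: admin must stay"
}

# Live driver: `sudo sh check_before_delete.sh <account>` on a Mac. Does nothing elsewhere.
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
  target="$1"
  target_uuid=$(dscl . -read "/Users/$target" GeneratedUID | awk '{ print $2 }')
  token_holders=0
  # Local accounts with UID >= 500, skipping the account being removed.
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
    [ "$u" = "$target" ] && continue
    if [ "$(token_state_from_output "$(sysadminctl -secureTokenStatus "$u" 2>&1)")" = ENABLED ]; then
      token_holders=$((token_holders + 1))
    fi
  done
  fv_users=$(other_fv_users "$target" "$(fdesetup list 2>/dev/null)")
  owners=$(other_volume_owners "$target_uuid" "$(diskutil apfs listUsers / 2>/dev/null)")
  echo "other secure token holders: $token_holders, other FileVault users: $fv_users, other volume owners: $owners"
  if safe_to_delete "$token_holders" "$fv_users" "$owners"; then
    echo "OK to run: sysadminctl -deleteUser $target (another account keeps token, FileVault access and ownership)"
  else
    echo "REFUSING: $target would be the only account with one of these capabilities" >&2
    exit 1
  fi
elif [ -z "${1:-}" ]; then
  run_demo
fi
```

`fdesetup list` and `sysadminctl -secureTokenStatus` need root, so run the live check from a Jamf policy or with `sudo`. The script only reports; it never deletes, and it never asks for or handles a user's password, which sidesteps the privacy concern raised earlier in the thread. If it prints a non-zero count for all three and deletion still fails, at least the token, FileVault and ownership explanations can be ruled out for that machine.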
a month ago
This is what's puzzling me: in most cases there is more than one user that has a secure token and has access to FileVault. But I still can't delete the old admin account.