SecureToken learning resources?

Contributor III

I realize that admins have had to deal with securetoken since about 10.13.4 but for various reasons during the 2018 year my campus has not had the resources to keep up on macOS upgrades and we're still at 10.12.x except for new machines that shipped with 10.13.x. Is there a good learning resource to better understand securetoken. Up to this point on systems that prompt for an administrator's account we have just selected bypass going with the assumption that since this didn't exist before, we would attempt to keep the environment the same.

So, now here we are where the year got away from us and Mojave is here with its own quirks and such. I need to move us forward and it seems I can't find a good write up or video on SecureToken or maybe my google kung fu is just weak.

Can anyone point me to anything that does a good job of covering this? I see a number of threads and posts about it but it all feels like bits and pieces. Not only do I need to understand this better and roll out a modern macOS but I've heard in the next few months we'll need to have FileVault going so I'll be looking to figure out how to implement that into our AD and Jamf environment. Both are long overdue but we're trying to get caught up on things.

If anyone can recommend posts, blogs, books, or videos, I'd appreciate it. Thanks.


Contributor II

I'd recommend you start with this excellent January 2018 blog article by @rtrouton. It has a good mix of explanation of what Secure Token is and step-by-step details of how to work with it.

Secure Token and FileVault on Apple File System

Contributor III

Thanks @jefff. That helps some.

One of the things I'd like to do is make sure the prompt is suppressed in our labs when an AD user logs in. There is no need for FileVault there at the current time. I'm going to try setting up a test environment this week to see how this plays out and I'm hoping there's an easy method to deal with this. Maybe someone else will jump in with more info on this???

Contributor III

Ok, so I know I searched through here awhile back and didn't see anything about suppressing the prompt but I just decided to search again and found the following.

More questions likely to follow but maybe the answers will turn up with new searches too.

Valued Contributor

@jhuls Yeah, it would be nice if Apple actually gave us a support article on this... there was definitely some trial-and-error when High Sierra was released last year. This is what I've experienced:

-If you skip user account creation in a PreStage (and have the jamf management account create an additional local user) signing into the additional local user first will give secureToken to that account
-A user created in Setup Assistant will get secureToken
-If a local admin already has secureToken, any new users created with sysadminctl or in System Preferences will also get a token

Contributor III

So, I'm in an AD environment and use mobile accounts. I'm finding that while testing an office laptop that does not have the secureToken prompt suppressed, that no AD account can get a secureToken. It gives me an error on login when prompted and also when entering credentials and then if I use sysadminctl. I don't have Filevault enabled. Currently the only user account that has a secureToken is the local admin account that was created during the DEP process with Jamf. This is on a freshly built High Sierra 10.13.6. Would this be expected?

New Contributor III

Hi Jhuls

What was the answer to your latest post?