SecureTokens

ChrisTech
Contributor

How is everyone handling SecureTokens? We are seeing issues with password resets outside of macOS and the SecureToken not working anymore, I am guessing because they aren't getting synced up. NoMAD is not allowing users to change their passwords anymore from within macOS even though the password criteria are met.

6 REPLIES

mschlosser
Contributor II

NoMAD has been deprecated and I believe is no longer maintained. I would no longer trust it for SSO or expect it to work. I'd look at Jamf Connect or XCreds for similar functionality.

RaxiaDK
Contributor II

We don't. We have Jamf Connect for IdP login.

We use FileVault personal keys, and the machine and LAPS to log in.

AJPinto
Esteemed Contributor

NoMAD is fully end of life, stop using it immediately.


As far as your question goes with Secure Tokens: you need a Secure Token to modify an account with a Secure Token. If you have a user that forgets their password, the user needs to follow the forgot-password workflow with FileVault to reset their password. Once the user logs back in to macOS, you have them sync with their IdP password using a tool like Jamf Connect, XCreds or PSSO (not NoMAD). If you don't want to use the forgot-password workflow with FileVault, you need a second account with a Secure Token on the device, and log in to that account and reset the user's password with System Settings.

ChrisTech
Contributor

I am trying to script it because we are getting a lot of calls. My script is checking if they have a SecureToken and if they do, remove it and then re-add one.

Andrew_R
New Contributor III

You'll need something like this using sysadminctl:

sysadminctl -secureTokenOff <username> -password <user password> -adminUser <admin user> -adminPassword <admin password>

Where <username> is the user name of the user you want Secure Token turned off on,
<user password> is the above user's current password on the Mac,
<admin user> is an admin user who holds a Secure Token, and
<admin password> is the above admin user's password.

The problem with this is that you need to know the user's current password, and also have an administrative user that has a Secure Token as well. It's hard to fully automate this when you won't know what the end user's password is going to be. You can reset the password of course, but then their Keychain is either reset or no longer accessible (can't remember right now):

sysadminctl -resetPasswordFor <username> -newPassword <new password> -adminUser <admin user> -adminPassword <admin password>


For our use case I ended up having a large script that manages particular user accounts, and worst case will end up prompting the end user, if needed, to enter their password in a swiftDialog box, but that's an extreme case. Most of the time I use this before handing the device off to the end user to ensure they get a Secure Token and can enable FileVault.

We do not use an IdP on Macs yet, so things will change a lot when we do in terms of managing Secure Tokens and password resets.

ImAMacGuy
Valued Contributor II

We use the following commands:


Remove the SecureToken from the device by typing:

sudo fdesetup remove -user <userid>


Put a new SecureToken down:

sudo sysadminctl -secureTokenOn <userid> -password - -adminUser <localadmin> -adminPassword -
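As an added example that is not code from any of the posts above, the script below ties together Andrew_R's caveat (you need both the user's current password and a token-holding admin, and passing passwords on the command line exposes them) and ImAMacGuy's grant step. It checks the user's status with `sysadminctl -secureTokenStatus` before doing anything, so an account that already holds a token is left alone instead of being removed and re-added. Assumptions that are mine, not the thread's: the token-holding local admin's short name is the second argument, secrets are entered interactively via the `-` form (which only works when there is a TTY, e.g. a technician at the Mac, not a Jamf policy), and the sample status line is constructed.

```shell
#!/bin/bash
# Added example, not from the thread. Wraps the sysadminctl calls the posts use in a
# script that checks Secure Token status first and only then decides what to do.
# Assumed interface (not from the posts): $1 = target user, $2 = token-holding admin.

# Parse one status line from `sysadminctl -secureTokenStatus <user>`. Real output is
# of the form: ...sysadminctl[123:456] Secure token is ENABLED for user alice
# Prints ENABLED, DISABLED or UNKNOWN (for example when the user does not exist).
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query macOS for a user's status. sysadminctl writes the status line to stderr,
# so both streams are captured.
token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Decide the remediation step. Free of side effects so it can be tested anywhere.
#   $1 = ENABLED|DISABLED|UNKNOWN
#   $2 = "yes" if the user's current password can be supplied
#   $3 = "yes" if a token-holding admin's credentials can be supplied
plan_action() {
  status="$1"; have_user_pw="$2"; have_admin="$3"
  if [ "$have_admin" != "yes" ]; then
    echo "abort:no-token-holding-admin"   # nothing can grant a token without one
    return 0
  fi
  case "$status" in
    ENABLED)  echo "noop" ;;               # already holds a token; remove/re-add gains nothing
    DISABLED) if [ "$have_user_pw" = "yes" ]; then echo "grant"; else echo "prompt-user"; fi ;;
    *)        echo "abort:unknown-status" ;;
  esac
}

# Grant a Secure Token. "-" makes sysadminctl prompt for each password instead of
# taking it as an argument, where `ps` would show it to any local user.
grant_token() {
  sysadminctl -secureTokenOn "$1" -password - -adminUser "$2" -adminPassword -
}

# Constructed sample output, used to exercise the parser on a non-Mac host.
SAMPLE_STATUS_LINE='2024-05-01 09:15:02.311 sysadminctl[4242:9001] Secure token is ENABLED for user alice'

main() {
  user="$1"; admin="$2"
  status="$(token_status "$user")"
  # Interactive password prompts are only possible with a TTY; without one (a Jamf
  # policy run) the user's password would have to come from a swiftDialog prompt.
  if [ -t 0 ]; then have_pw=yes; else have_pw=no; fi
  case "$(plan_action "$status" "$have_pw" yes)" in
    noop)        echo "$user already holds a Secure Token" ;;
    grant)       grant_token "$user" "$admin" ;;
    prompt-user) echo "no TTY: collect $user's password first, then grant" >&2; exit 2 ;;
    abort:*)     echo "cannot proceed for $user (status: $status)" >&2; exit 1 ;;
  esac
}

# Only touch the system on macOS with both arguments given: <user> <token-holding admin>.
if [ $# -eq 2 ] && command -v sysadminctl >/dev/null 2>&1; then
  main "$@"
else
  echo "demo: parser reports $(parse_token_status "$SAMPLE_STATUS_LINE") for the sample line"
fi
```

Run it on the Mac as `sudo ./secure_token.sh <user> <localadmin>`; on any other host it only exercises the parser. Note that it deliberately does not remove a token that is already present, since a token-holding account that can still authenticate does not need to be reset, and revoking it first is what leaves a Mac with no bootstrap path if the re-add step fails.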