Sierra to High Sierra Upgrade: Granting secure tokens to AD/Managed Mobile and local IT accounts

woodsb
Contributor

Currently testing the following process here to upgrade our legacy machines from Sierra to High Sierra. One section of the article directs you to create a policy using the Files and Processes option to execute the upgrade. This results in a secure token being granted to your local IT account, but not your managed mobile account once the upgrade is completed.

Here is the command that Files and Processes executes:

"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --agreetolicense --rebootdelay 0 | "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -heading "The upgrade to macOS High Sierra is now in progress." -description "You may be prompted to enter your password upon restart." -icon "/Applications/Install macOS High Sierra.app/Contents/Resources/ProductPageIcon.icns"

The problem was that the Files and Processes option executes commands as root. I simply created a script to run the command above as the user. Now, when the user executes the High Sierra upgrade, they receive the secure token and our local IT account isn't given a token.

To grant the local IT account a secure token I created a policy that runs a script while the user is logged in. The script simply executes the following command to enable our local IT account:

sysadminctl -adminUser username_with_secure_token_goes_here -adminPassword its_password_goes_here -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here

Note: For this to work, your user's AD/managed mobile account must have a secure token.
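The two policies described above, as an added example script rather than the poster's own (the post does not show how the command was run as the user). It assumes Jamf executes it as root with the mobile-account user at the console, uses launchctl asuser plus sudo -u to run startosinstall in that user's session, starts jamfHelper in the background instead of piping into it, and checks the token holder with sysadminctl -secureTokenStatus before granting.

```shell
#!/bin/bash
# Added example, not the original poster's script. Assumes Jamf runs it as root
# while the mobile-account user is logged in at the console; installer and
# jamfHelper paths are the ones from the thread.
INSTALLER="/Applications/Install macOS High Sierra.app"
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Run a command inside the console user's session instead of as root, so the
# user (not root) is the account startosinstall grants the secure token to.
run_as_console_user() {
    local user; user="$(stat -f %Su /dev/console)"   # macOS only
    launchctl asuser "$(id -u "$user")" sudo -u "$user" "$@"
}

# Policy 1: jamfHelper notice in the background, then startosinstall as the
# user. Paths are quoted because they contain spaces.
upgrade_as_console_user() {
    "$JAMFHELPER" -windowType fs \
        -heading "The upgrade to macOS High Sierra is now in progress." \
        -description "You may be prompted to enter your password upon restart." \
        -icon "$INSTALLER/Contents/Resources/ProductPageIcon.icns" &
    run_as_console_user "$INSTALLER/Contents/Resources/startosinstall" \
        --agreetolicense --rebootdelay 0
}

# Classify the text from `sysadminctl -secureTokenStatus <user>`, which reads
# "Secure token is ENABLED for user <name>" (or DISABLED).
# Returns 0 = enabled, 1 = disabled, 2 = unrecognised output.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  return 0 ;;
        *"Secure token is DISABLED"*) return 1 ;;
        *)                            return 2 ;;
    esac
}

# Policy 2: grant the local IT account a token with the token holder's
# credentials. Checks the holder first: without a token it cannot grant one.
grant_token() {
    local holder="$1" holder_pw="$2" target="$3" target_pw="$4"
    if ! token_state_from_output "$(sysadminctl -secureTokenStatus "$holder" 2>&1)"; then
        echo "$holder has no secure token; cannot enable one for $target" >&2
        return 1
    fi
    sysadminctl -adminUser "$holder" -adminPassword "$holder_pw" \
        -secureTokenOn "$target" -password "$target_pw"
}

# Guarded entry point so that sourcing the file only defines the functions.
if [ "${RUN_HIGH_SIERRA_UPGRADE:-0}" = "1" ]; then upgrade_as_console_user; fi
```

Pass the credentials to grant_token from the Jamf script parameters ($4 onward) rather than hard-coding them in the script body.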


archimboldi
New Contributor II

I have about 30 machines that are not yet upgraded. We are deploying the upgrade through Self Service and not having any luck with secure tokens. It would be nice to at least save the remaining 30. This looks promising - I will give it a try and report results - thanks!