Currently testing the following process here to upgrade our legacy machines from Sierra to High Sierra. One section of the article directs you to create a policy using the Files and Processes option to execute the upgrade. This results in a secure token being granted to your local IT account, but not your managed mobile account once the upgrade is completed.
Here is the command that Files and Processes executes:
"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --agreetolicense --rebootdelay 0 | "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -heading "The upgrade to macOS High Sierra is now in progress." -description "You may be prompted to enter your password upon restart." -icon "/Applications/Install macOS High Sierra.app/Contents/Resources/ProductPageIcon.icns"
The problem was that the Files and Processes option executes commands as root. I simply created a script to run the command above as the user. Now, when the user executes the High Sierra upgrade, they receive the secure token and our local IT account isn't given a token.
To grant the local IT account a secure token I created a policy that runs a script while the user is logged in. The script simply executes the following command to enable our local IT account:
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here
Note: For this to work, your user's AD/managed mobile account must have a secure token.
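As an added example (not the original poster's script and not Jamf's code), here is a policy script that carries out the same secure-token grant but first checks, with sysadminctl -secureTokenStatus, that the console user actually holds a token and that the IT account does not already have one, and verifies the result afterwards. It assumes the Jamf convention that custom script parameters start at $4, so $4 is the IT account name and $5 its password; those positions, and the account names in the comments, are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post or from Jamf. A policy script that
# grants a secure token to a local IT account only after confirming that the
# console (logged-in) user already holds one, since a token can only be granted
# by an existing token holder. Assumptions: Jamf passes custom script parameters
# from $4 onward, so $4 is the IT account name and $5 its password.

# Parse the text that `sysadminctl -secureTokenStatus <user>` prints (on stderr),
# e.g. "sysadminctl[512:9876] Secure token is ENABLED for user itadmin" (constructed).
# Returns 0 when the account holds a token, 1 for anything else.
token_status_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Decide what to do given the two statuses ("yes"/"no"). Prints one of
# "grant", "already-enabled" or "no-grantor" so the caller can log and branch.
plan_grant() {
    console_has="$1"
    target_has="$2"
    if [ "$target_has" = "yes" ]; then
        echo "already-enabled"
    elif [ "$console_has" = "yes" ]; then
        echo "grant"
    else
        echo "no-grantor"
    fi
}

# --- macOS-only helpers below; they shell out to system tools. ---

# Name of the user at the console; empty when only loginwindow is present.
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# "yes" if the account holds a secure token, "no" otherwise.
has_secure_token() {
    if token_status_enabled "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; then
        echo "yes"
    else
        echo "no"
    fi
}

main() {
    it_account="$4"
    it_password="$5"
    user=$(console_user)
    if [ -z "$user" ]; then
        echo "No user logged in at the console; nothing can grant a token." >&2
        return 1
    fi
    case "$(plan_grant "$(has_secure_token "$user")" "$(has_secure_token "$it_account")")" in
        already-enabled)
            echo "$it_account already holds a secure token."
            return 0 ;;
        no-grantor)
            echo "Console user $user has no secure token, so $it_account cannot receive one." >&2
            return 1 ;;
    esac
    # Run sysadminctl as the console user, as the original post does, so the
    # grant is authorised by that user's token rather than by root.
    uid=$(id -u "$user")
    launchctl asuser "$uid" sudo -u "$user" \
        sysadminctl -secureTokenOn "$it_account" -password "$it_password"
    # Re-query the status instead of trusting the exit code alone.
    [ "$(has_secure_token "$it_account")" = "yes" ]
}

# Jamf invokes the script with its three built-in parameters plus ours; the
# guard lets the pure functions above be sourced or tested on any platform.
if [ "$(uname)" = "Darwin" ] && [ $# -ge 5 ]; then
    main "$@"
fi
```

If the policy has to run entirely as root rather than as the console user, sysadminctl also accepts -adminUser and -adminPassword for a token-holding account, which replaces the launchctl asuser / sudo -u step; either way, the post's prerequisite stands: the grantor must already hold a secure token, which is exactly what the no-grantor branch reports.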
