Jamf Nation Community

Hi @SCCM , thanks for the tip. We don't use config profiles with this setting in our environment.

Hi @junjishimazaki , was also my thought too. I did an unbind directly on his laptop then rebooted. After that our binding policy kicked in an automatically did rebind the client. Unfortunately this did not fix the issue.

You did this when the mac was hard-wired to ethernet correct?

Nope the user was on site with his laptop an we did this via wlan. Is there a difference?

I would do this hard-wired. Sometimes it needs a physical connection to reauth properly. 

@junjishimazakiwe did the unbind and rebind via network cable. Unfortunately it had no effect.

Great job in troubleshooting. I'm glad you found a solution. Definitely a weird one

Thank you very much for this - it helped fix a similar issue for us. Would you know if it is possible to grant a securetoken to a user that has no password? ie: most of our users are SmartCard only and we cannot get past the "enter password for 'user'" portion unless they have a password. For reference, we bind with directory utility and users login to mobile accounts. 99% of our users have no password.

is the only way to do this to have someone login locally?  Can it be automated at all?  I have a remote user who will be a nightmare to walk through this process with over the phone?  Trying to avoid a ship the laptop in situation

Added some osascript to prompt for creds.

#!/bin/bash

username=$(osascript -e 'Tell application "System Events" to display dialog "Enter user username:" default answer ""' -e 'text returned of result' 2>/dev/null)

password=$(osascript -e 'Tell application "System Events" to display dialog "Enter user password:" with hidden answer default answer ""' -e 'text returned of result' 2>/dev/null)

adminUser=$(osascript -e 'Tell application "System Events" to display dialog "Enter admin username:" default answer ""' -e 'text returned of result' 2>/dev/null)

adminPassword=$(osascript -e 'Tell application "System Events" to display dialog "Enter admin password:" with hidden answer default answer ""' -e 'text returned of result' 2>/dev/null)

#Check if your account has securetoken enabled, (it probably does)
# Disable it then reenable it.
sysadminctl -secureTokenStatus "$username"
sysadminctl -secureTokenOff "$username" -password "$password" -adminUser "$adminUser" -adminPassword "$adminPassword"

sysadminctl -secureTokenOn "$username" -password "$password" -adminUser "$adminUser" -adminPassword "$adminPassword"
diskutil apfs UpdatePreboot /

sysadminctl -secureTokenStatus "$username"

exit 0		## Success
exit 1		## Failure

Thank you.  I think this is gonna help resolve the issue faster for our techs.

Doug

Thank you sir. Huge help 

This worked for me in the past, but today the script worked, but the problem persisted. Has anyone run into that issue? 

RJ52 and others who this may help: I found that using the interactive switch in the script below is what works on macOS Sequoia in our environment to fix Secure Token for a user. After running script below and signing back in as user, they are able to run macOS updates with no Touch ID errors.

Log in as admin and launch Terminal.

sudo sysadminctl -secureTokenOff <username> -password password interactive

Password prompt in Terminal: input admin password

Pop up authentication window: input admin password

sudo sysadminctl -secureTokenOn <username> -password password interactive

Pop up authentication window: input admin password

diskutil apfs UpdatePreboot /

@dlondon  I worked this issue with Apple for awhile and was ultimately told that binding to AD is not a model they are going to support in the future and recommended we move to local accounts that care CAC paired if we wanted to ensure secure tokens for our users.

I should clarify, they didn't specifically say binding was not going to be supported. They said that our model of binding, with mobile users who could perform OS Update actions (thus requiring a good secure token) was not following best practices and they recommend the following:

Recommendations Made:
- Push updates via the MDM vs. using the current workflow.
- Implement macOS Kerberos SSO Extension.
- Review this video which we released today explaining new options you will want to implement.

WWDC23 - What’s new in managing Apple devices.

https://developer.apple.com/wwdc23/10040
-Review the Declarative software update section of this second video.

WDC23 - Explore advances in declarative device management

https://developer.apple.com/wwdc23/10041

It's not up to some of us whether folks use a website or not.  That's the system for password changes and preferred method put in place by this University.   I could just as easily say folks shouldn't use local accounts (which happens to be my own opinion but that's mainly because I've never seen them managed before).  At least with an AD or Azure joined environment, there is some control over people's passwords and when they change it through those type systems.    

But apparently Apple wants to get away from mobile/domain joined and go with either local or third party authentication.  I've got JAMF Connect on some systems and those don't have this issue.  The accounts for those aren't mobile.