Posted on 12-14-2023 07:58 AM
For our Lab and Classroom deployments, we create several accounts via policy as part of our deployment, including one that is an auto-login account. The problem that we just discovered is that while we do create a local administrator account, since the auto-login account is the first to actually log into the computer, it is the account receiving the secure token.
Does anyone know of a way - other than disabling auto-login and manually logging in to every computer first - to make sure that our local admin account has the secure token, rather than the generic user we are creating?
Posted on 12-14-2023 09:22 AM
Have a read of this:
Use secure token, bootstrap token and volume ownership in deployments – Apple Support (UK)
Never used any of it myself
12-14-2023 09:24 AM - edited 12-14-2023 09:25 AM
I've spent most of the past three days on that page. While it gives some options, it doesn't really give a clean solution, especially when the account that is receiving the Secure Token isn't an administrator. There are also no real secure options that can be automated without having to send a password through the script and/or policy.
Posted on 12-14-2023 09:33 AM
If you know the passwords for the auto log-in account maybe modify the script on here:
Re: SecureToken for Admin Accounts - Jamf Nation Community - 166011
It just uses the command Apple states on the previous link.
Posted on 12-18-2023 05:58 AM
You could adjust your setup policies, run an auto login by the admin account first to give it the secure token, then log out and switch to your normal account for auto logging in.
Doesn't help devices already set up, but will help in the future.
You can leave breadcrumbs, to adjust smart group membership and when to pick up each of the auto login accounts. Don't forget to run a jamf recon each time you do a change to let the Jamf server know you have changed things.
Breadcrumbs info...
https://snelson.us/2023/12/breadcrumbs/
Posted on 12-18-2023 07:43 AM
I had been considering this... after they fix the issue with auto-login accounts also not receiving the Secure Token. Currently, since 11.1.1, only the first account that is actively created on the computer itself will receive the Secure Token. I have a ticket in with Jamf about this and have been assigned an engineer to investigate.
Posted on 01-04-2024 05:55 AM
You can either set the password of the account you want to receive the token, before the auto login occurs, or...
flag the auto login account from receiving the first token as below:
sudo dscl . -append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"
https://support.apple.com/en-gb/guide/deployment/dep24dbdcf9e/web
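An added example (not from the thread or from Apple/Jamf) of how the dscl flag above could be applied from a setup policy script: it parses `sysadminctl -secureTokenStatus` output for both accounts, flags the auto-login account only while no account holds a token yet, and skips the append if the tag is already present. The account names labuser and labadmin are assumptions.

```shell
#!/bin/bash
# Added example, not the thread's own code. Run as root from a setup policy
# BEFORE the auto-login account's first login. Account names are assumptions.
AUTOLOGIN_USER="${1:-labuser}"   # hypothetical auto-login account
ADMIN_USER="${2:-labadmin}"      # hypothetical local admin account

# Return 0 if the dscl AuthenticationAuthority text already carries the
# ";DisabledTags;SecureToken" marker, so the append is not repeated.
has_disabled_tag() {
  printf '%s\n' "$1" | grep -q ';DisabledTags;SecureToken'
}

# Reduce sysadminctl -secureTokenStatus output (it is written to stderr,
# e.g. "sysadminctl[512:9876] Secure token is ENABLED for user x") to one word.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Flagging only matters before the first token is granted: once either
# account already holds a token the flag no longer changes who got it first.
# $1 = auto-login account status, $2 = admin account status.
should_flag_autologin() {
  [ "$1" != "ENABLED" ] && [ "$2" != "ENABLED" ]
}

main() {
  local auth autostat adminstat
  auth=$(dscl . -read "/Users/$AUTOLOGIN_USER" AuthenticationAuthority 2>/dev/null)
  autostat=$(parse_token_status "$(sysadminctl -secureTokenStatus "$AUTOLOGIN_USER" 2>&1)")
  adminstat=$(parse_token_status "$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)")
  echo "auto-login $AUTOLOGIN_USER: $autostat; admin $ADMIN_USER: $adminstat"
  if should_flag_autologin "$autostat" "$adminstat"; then
    if has_disabled_tag "$auth"; then
      echo "$AUTOLOGIN_USER already flagged; nothing to do"
    else
      # Same command as in the post above: keep the auto-login account from
      # taking the first secure token, so the admin account receives it instead.
      dscl . -append "/Users/$AUTOLOGIN_USER" AuthenticationAuthority ";DisabledTags;SecureToken"
      echo "flagged $AUTOLOGIN_USER; next account to log in with a password gets the token"
    fi
  else
    echo "a token already exists; flagging would not change the admin account's status"
  fi
}

# Only touch the directory when actually running as root on macOS.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then main; fi
```

Run it with `jamf recon` afterwards so the breadcrumb/smart group picks up the change, as the earlier reply suggests.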