Unable to REMOVE Secure Token from a user

macservit
New Contributor III

I'm currently working on a workflow to resolve some missing Secure Tokens for users at a client site. Because I don't want to test on production machines, I've got a machine here that I've enrolled in my own Jamf tenant to test against. My issue? I can't REMOVE Secure Token from one of the test users on this machine so I can test the script.

FV is not enabled, the admin user has Secure Token. I run the following command in CLI and get an error:

sudo sysadminctl -adminUser <username> -adminPassword <password> -secureTokenOff <username> -password <user-password>    

Result: "Operation is not permitted without secure token unlock"

(I also played around with the order of things in the command, no difference)

My GoogleFu is failing me because everything I'm finding relates to ADDING Secure Token to a user who does not already have it. 

 

Can anyone shed some light on this for me? Thanks

 

1 ACCEPTED SOLUTION

macservit
New Contributor III

Thanks for all the replies. At the end of the day, the solution was to leverage the Interactive switch in the command. I used the following:

sudo sysadminctl -secureTokenOff <username> -password <userpass> interactive

The username was for the account I was removing Secure Token from. I was then prompted for the logged-in admin credentials.

View solution in original post

5 REPLIES 5

TheAngryYeti
Contributor II
Contributor II

You cannot remove secure token programmatically from the only/last holder on the machine.  You must have another user that HAS it in order to revoke it from the other.  

Sorry my post wasn’t clear. I have 2 users with Secure Token. Admin account plus “sacrificial” test account that needs to have the token removed.

Sam Bergin
President & Founder
856-243-0150
www.Macserv.com

HA! Ok.  I've have varying success with what you posted above in the past, yet Ive had great success using the interactive commands with it.  Rich does a great job in the mini videos showing how to enable it, just need to substitute the syntax, as long as you are in the account you want to keep ST on you should be able to complete it.

DG_Edwards
New Contributor II

If you're looking to create test accounts that don't have a secure token the quickest way to accomplish that is to create a policy in jamf with the local accounts payload and put in whatever information you were looking for.  I was testing something else around secure tokens and i learned that these accounts when created and deployed won't have a secure token until you attempt to login with them.  

macservit
New Contributor III

Thanks for all the replies. At the end of the day, the solution was to leverage the Interactive switch in the command. I used the following:

sudo sysadminctl -secureTokenOff <username> -password <userpass> interactive

The username was for the account I was removing Secure Token from. I was then prompted for the logged-in admin credentials.