Help

Unable to REMOVE Secure Token from a user

Go to solution
macservit
New Contributor III

Posted on ‎08-10-2023 02:10 PM

I'm currently working on a workflow to resolve some missing Secure Tokens for users at a client site. Because I don't want to test on production machines, I've got a machine here that I've enrolled in my own Jamf tenant to test against. My issue? I can't REMOVE Secure Token from one of the test users on this machine so I can test the script.

FV is not enabled, the admin user has Secure Token. I run the following command in CLI and get an error:

sudo sysadminctl -adminUser <username> -adminPassword <password> -secureTokenOff <username> -password <user-password>    

Result: "Operation is not permitted without secure token unlock"

(I also played around with the order of things in the command, no difference)

My GoogleFu is failing me because everything I'm finding relates to ADDING Secure Token to a user who does not already have it. 

 

Can anyone shed some light on this for me? Thanks

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
macservit
New Contributor III

Posted on ‎08-11-2023 07:39 AM

Thanks for all the replies. At the end of the day, the solution was to leverage the Interactive switch in the command. I used the following:

sudo sysadminctl -secureTokenOff <username> -password <userpass> interactive

The username was for the account I was removing Secure Token from. I was then prompted for the logged-in admin credentials.

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
TheAngryYeti
Contributor
Contributor

Posted on ‎08-10-2023 03:20 PM

You cannot remove secure token programmatically from the only/last holder on the machine.  You must have another user that HAS it in order to revoke it from the other.  

0 Kudos

Go to solution
macservit
New Contributor III
In response to TheAngryYeti

Posted on ‎08-10-2023 03:22 PM

Sorry my post wasn’t clear. I have 2 users with Secure Token. Admin account plus “sacrificial” test account that needs to have the token removed.

Sam Bergin
President & Founder
856-243-0150
www.Macserv.com
0 Kudos

Go to solution
TheAngryYeti
Contributor
Contributor
In response to macservit

Posted on ‎08-10-2023 03:26 PM

HA! Ok.  I've have varying success with what you posted above in the past, yet Ive had great success using the interactive commands with it.  Rich does a great job in the mini videos showing how to enable it, just need to substitute the syntax, as long as you are in the account you want to keep ST on you should be able to complete it.

0 Kudos

Go to solution
DG_Edwards
New Contributor II

Posted on ‎08-11-2023 07:31 AM

If you're looking to create test accounts that don't have a secure token the quickest way to accomplish that is to create a policy in jamf with the local accounts payload and put in whatever information you were looking for.  I was testing something else around secure tokens and i learned that these accounts when created and deployed won't have a secure token until you attempt to login with them.  

0 Kudos

Go to solution
macservit
New Contributor III

Posted on ‎08-11-2023 07:39 AM

Thanks for all the replies. At the end of the day, the solution was to leverage the Interactive switch in the command. I used the following:

sudo sysadminctl -secureTokenOff <username> -password <userpass> interactive

The username was for the account I was removing Secure Token from. I was then prompted for the logged-in admin credentials.

0 Kudos