Security token

New Contributor


I'm looking for advise. We have Administrator account created during initial OS configuration but for some reasons passwords for this accounts are unknown. We also have mobile accounts that users are using. All is good but we also have around 100 users with broken security token. Those user are able to login but because of broken security token are not able to disable or enable FileVault. I know that i can reset password for local Administrator account using recovery mode and use this account to remove broken token and grant new token for those users  but it would be very difficult to do it for 100 users or much more. I tested this solution and its is working  perfectly but still this is a lot of work. Jamf is storing our recovery keys and my question is if it is possible somehow to use recovery key to remove broken token and grant new one ? I was researching google for quite long but no luck.

Or maybe another brilliant idea ?




Valued Contributor

Hi @Krzysztof, I would first suggest tracking users that have a secure token. You can do this with the extension attribute below. You need to verify if the IT account or the user account has the secure token. Your issue sounds more like a broken password hash issue. Resetting the pw with the FV2 key is the only way to fix this unfortunately. 


If you are looking to start managing secure tokens, I would suggest uploading the bootstrap token to Jamf Pro after automate device enrollment.



#  Created by Benjamin Janowski on 5/16/18.

AllUsers=$(dscl . list /Users | grep -v _)

for EachUser in $AllUsers; do

TokenValue=$(sysadminctl -secureTokenStatus $EachUser 2>&1)
    echo "Checking $EachUser"

	if [[ $TokenValue = *"ENABLED"* ]]; then

    if [[ -z "${SecureTokenUsers[@]}" ]]; then
        echo "<result>No Users</result>"
                printf '%s,' '<result>'"${SecureTokenUsers[@]}"'</result>'