Posted on 05-06-2021 11:55 AM
I know secure tokens get a lot of airtime around here but I wanted to know if anyone has any solution to granting secure tokens from an execution Policy payload. I am managing 500 machines for a school. A large issue I am having is the inability for startosinstall to install/erase MacOS from the command. The errors point to the fact that the Admin User doesn't have a secure token.
Each machine needs to be setup with an Admin management account and a standard Student local account that will be tied (not bound) to AD. The Admin account is not logged into during setup so it does not get a Secure Token. The Standard User does get a Secure token but cannot grant a Secure token to the Admin account.
I have successfully enabled a Secure Token individually making the student account initially an Admin account and then using
sysadminctl -adminUser "studentUser" -password "studentUserPass" -secureTokenOn "adminUser" -password "adminUserPass"
Once I do this I can change the student user back to standard and it works. Bigger issue is that I have been unable to script or pass variables in that would account for a local user name that is unique to every machine. For example yes I can put a line into the execute line of Files and Processes payload that specifies student1 and student1 password. But I can't do that 500 times. I need something that gets the local user name and passes it in and puts in in my secureTokenOn argument successfully. I have found several examples that look like they would accomplish this but they did not work.
Anyone have any magic in the area?
Posted on 05-08-2021 02:48 AM
Hi @bensams127 solutions in this case depends on the macOS version you use / distribute. Please check out this good article and website from Travelling Tech Guy.
Additional admin with SecureToken, or not?
He has a lot of information regarding Secure Tokens. Hope this will help you.