Need to have an admin account filevaulted and issue a secureToken

Mouthbaten_1911
New Contributor III

Hello, I would like to enable an admin account that gets filevaulted during enrollment and gets a securetoken and recovery key. What is the best way to do this via Jamf?


jamf-42
Valued Contributor II

The admin logs in

Can you further elaborate?

Tribruin
Valued Contributor II

The general rule of thumb is that the first user to physically log in to the computer will get a SecureToken. After that, giving a SecureToken to another user requires either:

(a) for an existing user to give them a Token via sysadminctl tool OR by giving them access to FileVault in System Preferences. 

(b) having a user authenticate themselves at the login screen (assuming the computer has a Bootstrap Token, which it should, if enrolled into Jamf).

So, you either need to have someone log in to the admin account before you give the computer to the user OR create a workflow that asks the user for their password and uses that to grant them a SecureToken via sysadminctl. I don't recommend this as it usually requires prompting the user for a password using a bash script AND requires the admin password to be embedded in the script.

Personally, I don't recommend having an admin account with a SecureToken. Why do you need it? If a user forgets their password, you have them boot to Recovery and use a FileVault Recovery Key to reset their password. If you need to log in to a computer for a user that has left, same thing: Recovery, PRK, profit!

The only user on my computers that has a SecureToken is the local user, who, in most cases, is a standard user.

Hey,
what's a good workflow to create more users with a SecureToken on a Mac?
Today we have to log in to the first user, give them admin permissions and create the other users, so they get a SecureToken.

Would be cool if we could create more users without making the first one an admin user.

mm2270
Legendary Contributor III

I agree 100% with Tribruin. The point of the PRK is to be able to get into the Mac if the user forgets their password or has left, but importantly, the PRK is specific to THAT Mac, and not other ones. By enabling a local admin account in FileVault, assuming this account uses a single password across all devices, you are essentially setting things up so that if that admin account password gets compromised, all of your Macs are now vulnerable to someone logging into them at the FileVault screen (until the password gets changed). It kind of defeats the purpose.

It also complicates things greatly if you want to rotate that admin password to something random on your Macs. It's just not that easy to do once the account has a SecureToken and is enabled for FileVault.

Lastly, keep in mind that if you use the Personal Recovery Key at the login screen, you get to a standard username/password login window, which then allows you to enter that admin account name and password to get into the Mac to do what you need to do. So you're not going to auto-login to the user's account by using that key at the login screen. All it's doing is unlocking the drive to allow the OS to boot up. Then log in normally, do whatever admin-y things you need to do and log out.
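As an added example (not posted by anyone in this thread and not Jamf's own code), here is a small audit script for the situation Tribruin and mm2270 describe: it lists which FileVault-enabled users are also local admins, classifies the messages printed by `sysadminctl -secureTokenStatus` and `profiles status -type bootstraptoken`, and can be run on a Mac to check whether a shared admin account has ended up with a SecureToken. The parsing functions take text as arguments so they run anywhere; the live wrapper calls `fdesetup`, `dscl` and `profiles` only when they exist. The sample command output at the bottom is constructed, and the exact wording of the `profiles` output is an assumption from memory.

```shell
#!/bin/sh
# Added audit example, not from the thread. Helpers for checking the
# SecureToken / FileVault state discussed above.

# Reduce "fdesetup list" output ("username,UUID" per line) to usernames.
fv_users_from_list() {
    printf '%s\n' "$1" | cut -d, -f1
}

# Classify one "sysadminctl -secureTokenStatus <user>" message.
# Real message (printed on stderr): "sysadminctl[123] Secure token is ENABLED for user jsmith"
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Classify "profiles status -type bootstraptoken" output (wording assumed).
bootstrap_escrowed() {
    case "$1" in
        *"escrowed to server: YES"*) echo yes ;;
        *"escrowed to server: NO"*)  echo no ;;
        *)                           echo unknown ;;
    esac
}

# Print every FileVault-enabled user that is also in the admin group.
# $1: fdesetup list output; $2: admin group members, one per line.
fv_enabled_admins() {
    fv_users_from_list "$1" | while read -r user; do
        [ -n "$user" ] || continue
        if printf '%s\n' "$2" | grep -qx -- "$user"; then
            echo "$user"
        fi
    done
}

# Live audit on a Mac (needs root for fdesetup list). Returns 1 elsewhere.
audit_live() {
    command -v fdesetup >/dev/null 2>&1 || {
        echo "fdesetup not found; not macOS, skipping live audit" >&2
        return 1
    }
    admins=$(dscl . -read /Groups/admin GroupMembership \
             | sed 's/^GroupMembership: //' | tr ' ' '\n')
    echo "Bootstrap Token escrowed: $(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")"
    echo "FileVault-enabled admin accounts:"
    fv_enabled_admins "$(fdesetup list)" "$admins"
}

# Constructed sample data standing in for real command output.
SAMPLE_FDE_LIST='jsmith,11111111-2222-3333-4444-555555555555
localadmin,66666666-7777-8888-9999-000000000000'
SAMPLE_ADMINS='root
localadmin'

# Offline demonstration on the constructed sample: prints "localadmin".
fv_enabled_admins "$SAMPLE_FDE_LIST" "$SAMPLE_ADMINS"
```

Run `audit_live` as root on an enrolled Mac; any account it prints is a FileVault-enabled admin, which is exactly the shared-password exposure mm2270 warns about, and a "no" for Bootstrap Token escrow means Tribruin's option (b) will not work for that machine.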