I've got a bunch of MBAs that I am upgrading to Big Sur, and then checking that the Bootstrap Token is enabled. They typically have a user Admin account on which the Secure Token is enabled, or that I can get to the point that it's enabled. The enabled user Admin account shows on the fdesetup list, as well as the cryptousers list.
However, the enabled Admin account is frequently a user account that will be removed at some point. So I am also enabling the Secure Token on the system Admin account that's kept on the computer permanently. Frequently the system Admin account is on the fdesetup list, so it's easy enough to use sudo profiles install -type bootstraptoken to enable the Token on the system Admin account.
I have successfully used the below command on several MBAs when the system Admin account was not on the fdesetup list:
sysadminctl -adminUser user -adminPassword "password" -secureTokenOn "admin account" -password "password"
This usually runs successfully. Afterwards both Admin accounts are shown on the fdesetup list. Then I am able to install the Token in the system Admin account. This way we still have a Token enabled account when the local user changes (at which time we remove the old user account and add a new one).
However, I have encountered one computer (so far), a 2020 MBA (not M1) on Big Sur where the above workflow is failing. I'm getting a "sysadminctl d2814:22576] Operation is not permitted without secure unlock token" error when I run it within the user Admin account that is Token enabled.
Any ideas/suggestions?
Thanks!
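The workflow described in the post, written up as a scripted check-then-grant sequence. This is an added example, not code from the original post: it assumes the macOS 11 tools named in the post (fdesetup, sysadminctl, profiles), the account names localuser and sysadmin are placeholders, and the embedded fdesetup/sysadminctl output lines are constructed samples in the format those tools print. The helper functions parse that output so the state checks can be exercised offline; the grant step only runs when sysadminctl is actually present, and uses sysadminctl's interactive password prompt (the "-" value) instead of putting passwords on the command line where they land in shell history and the process list.

```shell
#!/bin/bash
# Added example; not from the original post. Assumes macOS 11 (Big Sur) tooling.
# Account names below are placeholders; sample outputs are constructed.

# Constructed sample of `fdesetup list` output: one "user,UUID" line per FileVault-enabled user.
SAMPLE_FDE_LIST='localuser,1A2B3C4D-0000-0000-0000-000000000001
sysadmin,1A2B3C4D-0000-0000-0000-000000000002'

# Constructed sample of `sysadminctl -secureTokenStatus <user>` output.
SAMPLE_TOKEN_STATUS='2021-03-01 10:00:00.000 sysadminctl[2814:22576] Secure token is ENABLED for user sysadmin'

# fde_has_user NAME LIST_OUTPUT: succeed if NAME appears in fdesetup-list style output.
fde_has_user() {
  printf '%s\n' "$2" | grep -q "^$1,"
}

# token_enabled_from_status STATUS_LINE: succeed if the status line reports an enabled token.
token_enabled_from_status() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# token_enabled NAME: live check on a Mac; falls back to the constructed sample elsewhere.
token_enabled() {
  if command -v sysadminctl >/dev/null 2>&1; then
    # sysadminctl writes its status line to stderr, hence 2>&1.
    token_enabled_from_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
  else
    token_enabled_from_status "$SAMPLE_TOKEN_STATUS"
  fi
}

# grant_token_and_bootstrap TOKEN_HOLDER TARGET: the post's sequence, guarded so it only
# acts on a host that has the tools, and only when TARGET does not already hold a token.
grant_token_and_bootstrap() {
  holder="$1"; target="$2"
  if ! command -v sysadminctl >/dev/null 2>&1; then
    echo "sysadminctl not found; skipping live grant (not a macOS host)"
    return 0
  fi
  if token_enabled "$target"; then
    echo "$target already has a Secure Token"
  else
    # "-" makes sysadminctl prompt for each password instead of taking it as an argument.
    sudo sysadminctl -adminUser "$holder" -adminPassword - \
      -secureTokenOn "$target" -password - || return 1
  fi
  # Confirm the target now shows up in the FileVault user list before touching the token.
  fde_has_user "$target" "$(sudo fdesetup list)" || { echo "$target not in fdesetup list"; return 1; }
  sudo profiles install -type bootstraptoken
  sudo profiles status -type bootstraptoken
}

# Offline demonstration using the constructed samples.
for u in localuser sysadmin; do
  if fde_has_user "$u" "$SAMPLE_FDE_LIST"; then
    echo "$u: in fdesetup list"
  else
    echo "$u: NOT in fdesetup list"
  fi
done
grant_token_and_bootstrap localuser sysadmin
```

On a real Mac run the grant function from the token-holding account's session, as the post does; the fdesetup check after the grant is the same "both accounts now appear on the list" confirmation the post describes, just made a hard stop before the bootstrap token step.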