Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of a user's SecureToken.
Using sysadminctl on macOS
In 10.13, sysadminctl is Apple's recommended tool for working with user accounts from the CLI, replacing functionality that has long been provided by dscl and adding new features available only in 10.13.
Both sysadminctl and System Preferences prevent the deletion of the last administrator or secure token-enabled user on a Mac. If the creation of additional local users is scripted using sysadminctl, for those users to be enabled for secure token, current secure token-enabled administrator credentials are required to be supplied either using the interactive option or directly with the -adminUser and -adminPassword flags.
Grant SecureToken to the user user64 (must be run on the local machine, using the GUI to authenticate). This will allow the account to log in after a reboot on a FileVault-enabled Mac:
$ sudo sysadminctl interactive -secureTokenOn user64 -password newpassword
Suppose that your MDM solution supports bootstrap tokens. In macOS 10.15.4 or later, when a user who is secure token enabled logs in for the first time, a bootstrap token is generated and escrowed to MDM. A bootstrap token can also be generated and escrowed to MDM using the profiles command-line tool, if needed.
In macOS 11 or later, the bootstrap token may also be used for more than just granting secure token to user accounts. On a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM. The bootstrap token is also used to silently authorize an Erase all Content and Settings command when triggered through MDM on macOS 12.0.1 or later.
The sysadminctl command-line tool can be used to specifically modify secure token status for user accounts on a Mac computer. This should be done with caution and only when necessary. Changing the secure token status of a user using sysadminctl always requires the user name and password of an existing secure token-enabled administrator, either interactively or through the appropriate flags on the command. Both sysadminctl and System Settings (macOS 13 or later) or System Preferences (macOS 12.0.1 or earlier) prevent the deletion of the last administrator or secure token-enabled user on a Mac. If the creation of additional local users is scripted using sysadminctl, for those users to be enabled for secure token, current secure token-enabled administrator credentials are required to be supplied either using the interactive option, or directly with the -adminUser and -adminPassword flags with sysadminctl. If not granted a secure token at time of creation, in macOS 11 or later, a local user logging in to a Mac computer is granted a secure token during login if a bootstrap token is available from MDM. Use sysadminctl -h for additional usage instructions.
If you run sysadminctl -secureTokenStatus firstuseraccount and see a secure token is enabled for that first account but run sysadminctl -secureTokenStatus seconduseraccount and see a secure token is not enabled for that second account, you can try adding a secure token to the second account, so it can turn on FileVault or become a FileVault-enabled account.
Try logging out of the second account and logging into the first account, and then running this command:
sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword -
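As an added example (not Apple's code and not from any of the posts above), the following shell audit parses the status line that sysadminctl writes to stderr, in the format quoted later on this page, and reports which local accounts hold a secure token so an admin without one stands out before FileVault is turned on. The user enumeration and admin-group lookup via dscl are assumptions about the local directory, and the sample lines are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example: audit local accounts for secure token status.
# sysadminctl reports status on stderr as one line of the form
#   sysadminctl[2874:27290] Secure token is DISABLED for user NAME

# Reduce one sysadminctl status line to ENABLED, DISABLED or UNKNOWN.
token_state_from_line() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Query the live system for one user (macOS only; 2>&1 captures stderr).
token_state_for_user() {
    token_state_from_line "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# The remediation command quoted on this page. The '-' values make
# sysadminctl prompt for each password instead of taking them on the
# command line, so they stay out of shell history and process listings.
remediation_hint() {
    printf 'sudo sysadminctl -secureTokenOn %s -password - -adminUser %s -adminPassword -\n' "$1" "$2"
}

# Audit every local user with UID >= 500 (assumed: system accounts sit
# below 500) and mark members of the local "admin" group.
audit_local_users() {
    admins=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r user; do
        state=$(token_state_for_user "$user")
        role=standard
        echo "$admins" | grep -qw "$user" && role=admin
        printf '%-20s %-9s %s\n' "$user" "$role" "$state"
    done
}

# Constructed sample output so the parser can be exercised on any platform.
SAMPLE_ENABLED='sysadminctl[2874:27290] Secure token is ENABLED for user firstuseraccount'
SAMPLE_DISABLED='sysadminctl[2874:27290] Secure token is DISABLED for user seconduseraccount'

# Only talk to the directory on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then
    audit_local_users
fi
```

An administrator listed as DISABLED is exactly the case the preceding paragraph describes; run the printed remediation command from a session of a token-holding admin.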
However, Active Directory mobile accounts and user accounts created using command-line tools do not automatically get Secure Token attributes associated with them. Without the Secure Token attribute, those accounts cannot be enabled for FileVault.
Instead, the sysadminctl utility must be used to grant Secure Token to these accounts as a post-account-creation action. In that case, the sysadminctl utility must be run by a user account with the following prerequisites:
Thank you all for this post and particularly rtrouton and mikeymikey. I have found it very interesting because I am in the process of testing FileVault 2 on 10.13.3 for our work place for about 3 weeks now. We are using JSS 9.101.0 at this stage.
When I run sysadminctl -secureTokenStatus [username] I get the same result.
sysadminctl[2874:27290] Secure token is DISABLED for user [local adminuser]
sysadminctl[2874:27290] Secure token is DISABLED for user [AD user]
Again, only a single account. Run sudo as the management account, try to enable the management account for a secureToken using the management account as the admin user. It worked for me. I had to enter the same password 3 times for the different needs, but it worked. I think this just showed that the management account was in some way in a FileVault deferred status.
Seems Apple has not given IT administrators a way to create a secure token when you get into this type of situation. This is an issue for a lot of admins that used DeployStudio or some other product to deploy images without using the Setup Assistant to create the first master account (which also creates a secure token). Apple needs to fix this. Marc, have you tried upgrading that computer to 10.14? I know upgrading from 10.12 to 10.13.6 automatically created tokens for the admin accounts. Maybe upgrading to 10.14 will also do this?
5) Re-run the validation script.
6) Just to be all belt-and-suspenders about the whole thing, turn on FileVault. Reboot, and log in as one of the users you manually enabled using this process, to make sure you can actually do it. That never hurts.
IT can make use of the sysadminctl commands to grant secure tokens to any user account, including Active Directory mobile accounts and accounts created via command-line tools. However, this process must be done manually after the account has been created. To run the sysadminctl utility, you will require access to a user account with the following prerequisites:
The problem with using fdesetup to add an additional user to FileVault is that the account does not show the secure token as enabled. Instead you should really use diskutil apfs listCryptoUsers / or sudo fdesetup list -extended to get a proper list of enabled CryptoUsers. I am just pointing out that we are still having inconsistent results when checking the FV2 status of a user when using sysadminctl.
Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.
Documentation, Documentation, and Documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls, security settings and enterprise fixes. In some cases, Apple provides excellent documentation. An example of this would be the T2 Security Chip Security Overview released in October of last year. In other cases, when it comes to binaries like sysadminctl, not so much.
Just migrated to a new 2018 MacBook Pro, and somehow my original account (an admin user) was created without a secure token during the migration. I even tried creating a new admin user, logging into that user and trying to run sysadminctl -secureTokenOn justin -password - but getting:
2018-07-30 14:31:05.262 sysadminctl[998:49031] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo=NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.
Accordingly, System Preferences complained "Some users are not able to unlock the disk" but clicking "Enable Users" did nothing, sysadminctl -secureTokenStatus jrc (my main user) said "DISABLED", and sysadminctl -secureTokenOn ... was useless.