allot secure token to only non-admin account [Solved]

Participant
Discussion
3 years ago

Hi there, need help with a situation. We manage a fleet of macOS devices, both M1 and Intel, at our company. These devices have an account that is created on enrollment through Hexnode and a user account that is an admin.
The newly enrolled account is made the managed admin and the user account is made a standard account after enrollment. Both the managed admin account and the standard user account have the secure token.
I want the secure token only with the standard account. Is there a way to remove the secure token from the managed admin account?

Replies (5)

Participant
3 years ago

Try running this command (run it with sudo; it will prompt for the credentials of an admin that already holds a secure token):
sudo sysadminctl -secureTokenOff <username> -password <password of that user>
This should delete the secure token from the account.
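An audit script for the situation described in this thread, added here as an example and not taken from the thread or from Hexnode: it lists which local accounts hold a secure token and flags admin accounts that do, so you can confirm the managed admin's state before and after running the command above. It assumes macOS with sysadminctl, dscl and dseditgroup available; the parse_token_status helper is my own and only pattern-matches the tool's output line.

```shell
#!/bin/sh
# Added example (not from the thread): audit secure-token holders and flag
# admin accounts. Assumes macOS with sysadminctl, dscl and dseditgroup.

# Reduce one line of `sysadminctl -secureTokenStatus <user>` output (the tool
# writes it to stderr) to ENABLED, DISABLED or UNKNOWN. Constructed example of
# such a line: "sysadminctl[123:456] Secure token is ENABLED for user alice"
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 if the account is a member of the local admin group.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Walk local users with UID >= 500 (skips system and service accounts),
# print user / role / token status, and warn about admins holding a token.
audit_secure_tokens() {
    for user in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        status=$(parse_token_status "$line")
        if is_admin "$user"; then role=admin; else role=standard; fi
        printf '%-20s %-9s %s\n' "$user" "$role" "$status"
        if [ "$role" = admin ] && [ "$status" = ENABLED ]; then
            echo "  -> admin account '$user' holds a secure token; check this is intended" >&2
        fi
    done
}

# Only run the audit when executed on a Mac; elsewhere only the parser is defined.
if [ "$(uname)" = Darwin ] && [ -x /usr/sbin/sysadminctl ]; then
    audit_secure_tokens
fi
```

Run it as root so sysadminctl can query every account; the warning lines go to stderr so the table on stdout stays easy to diff between runs.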

Participant
3 years ago

Ran the script but I was shown this error:

Participant
3 years ago

From what I understand, the managed account is assigned the secure token when you log in with a password.
I did some digging online and it seems you may have to wipe the system and go for manual deployment!
You may have to try something else. Try disabling the bootstrap token of your standard account.

Hexnode Expert
3 years ago

Hi there,

Bootstrap tokens are a method for UEM solutions to automatically grant secure tokens to macOS user accounts. Their primary purpose is to assist with enabling secure tokens for Active Directory mobile accounts and admin accounts automatically created on a Mac (during first turn-on) via Automated Device Enrollment. Bootstrap tokens can be generated and associated with the UEM server on the first login by any user with an associated secure token.

Currently, support for bootstrap tokens for Hexnode is in discussion with our developers. Stay tuned to our future releases for new feature updates.

Here, when an IT admin configures a macOS device before it is deployed to the end user, the admin account created via Setup Assistant is associated with a secure token during first login or after the account password is set. All types of accounts automatically receive a secure token except AD mobile accounts and user accounts created via command-line tools.

You always need to set an account as admin. If not, an automatic administrator account (auto-admin) is set as mandatory even if you skip Setup Assistant, and the auto-admin account is generated during the first account login.

You can read more about secure tokens on our blog for an in-depth understanding.

Hope this answer helps you.

Cheers!
Ethan Miller
Hexnode UEM

  • This reply was modified 2 years, 11 months ago by  Ethan.
Participant
3 years ago

Manually creating accounts to prevent assigning a secure token would help, but that is a lot of trouble and defeats the purpose of automated deployments.