Hi there, need help with a situation. We manage a fleet of macOS devices, both M1 and Intel, at our company. These devices have an account that is created on enrollment through Hexnode and a user account that is an admin.
The newly enrolled account is made the managed admin and the user account is made a standard account after enrollment. Both the managed admin account and the standard user account have the secure token.
I want the secure token only with the standard account. Is there a way to remove the secure token from the managed admin account?
allot secure token to only non-admin account (Solved)
Replies (5)
Try running this script:
sysadminctl -secureTokenOff (username that needs secure token) -password (password of user that needs secure token)
This should delete the secure token from the account.
Ran the script but I was shown this error
From what I understand, the managed account is assigned the secure token when you log in with a password.
I did some digging online and it seems you may have to wipe the system and go for manual deployment!
You may have to try something else. Try disabling the bootstrap token of your standard account.
Hi there,
Bootstrap tokens are a method for UEM solutions to automatically grant secure tokens to macOS user accounts. Their primary purpose is to assist with enabling secure tokens for Active Directory mobile accounts and Admin accounts automatically created on a Mac (during first turn on) via Automated Device Enrollment. Bootstrap tokens can be generated and associated with the UEM server on the first login by any user with an associated secure token.
Currently, support for bootstrap tokens for Hexnode is in discussion with our developers. Stay tuned to our future releases for new feature updates.
Here, when an IT admin configures a macOS device before being deployed to the end user, the admin account created via Setup Assistant is associated with a secure token during first login or after account password is set. All types of accounts automatically receive a secure token except AD mobile accounts and user accounts created via command line tools.
You always need to set an account as admin. If not, an automatic administrator account auto-admin is set as mandatory even if you skip Setup Assistant and the auto-admin account is generated during the first account login.
You can read more about secure tokens on our blog for an in-depth understanding.
Hope this answer helps you.
Cheers!
Ethan Miller
Hexnode UEM
- This reply was modified 3 years ago by Ethan.
- This reply was modified 3 years ago by Michelle.
Manually creating accounts to prevent assigning secure token would help, but that is a lot of trouble and defeats the purpose of automated deployments.
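Added example, not part of the thread and not Hexnode's code: a shell check that reports which local accounts hold a secure token outside an expected allow-list, so the managed admin's status can be confirmed on each Mac. It assumes the "Secure token is ENABLED/DISABLED for user NAME" line that sysadminctl -secureTokenStatus prints and a UID floor of 501 for regular local users; the sample lines and the account names (mdmadmin, jdoe, svc_local) are constructed.

```shell
#!/bin/sh
# Added example: audit which local accounts hold a secure token.
# Account names and sample lines below are constructed for illustration.

# Constructed sample of `sysadminctl -secureTokenStatus <user>` output.
SAMPLE_STATUS='2024-01-01 10:00:00.000 sysadminctl[700:9000] Secure token is ENABLED for user mdmadmin
2024-01-01 10:00:00.100 sysadminctl[701:9001] Secure token is ENABLED for user jdoe
2024-01-01 10:00:00.200 sysadminctl[702:9002] Secure token is DISABLED for user svc_local'

# Reduce status lines on stdin to "user STATE" pairs; other lines are dropped.
parse_token_status() {
    sed -nE 's/.*Secure token is (ENABLED|DISABLED) for user ([^ ]+)$/\2 \1/p'
}

# Usage: unexpected_holders ALLOWED_USER...
# Reads status lines on stdin and prints every account that holds a secure
# token but is not in the allow-list given as arguments.
unexpected_holders() {
    allowed=" $* "
    parse_token_status | while read -r user state; do
        [ "$state" = "ENABLED" ] || continue
        case "$allowed" in
            *" $user "*) ;;                 # expected holder
            *) printf '%s\n' "$user" ;;     # token present but not expected
        esac
    done
}

# On a Mac: query every local account with UID >= 501 (assumed floor for
# regular local users). sysadminctl reports on stderr, hence 2>&1.
collect_status() {
    dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}' |
    while read -r u; do
        sysadminctl -secureTokenStatus "$u" 2>&1
    done
}

# Run the live audit only on macOS and only when an allow-list is supplied,
# e.g.:  sh token_audit.sh jdoe
if [ "$(uname)" = "Darwin" ] && [ "$#" -gt 0 ]; then
    collect_status | unexpected_holders "$@"
fi
```

Empty output means every token holder is on the allow-list; any name printed is an account that still holds a token and needs review.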