macOS Secure Token

Secure Token is a macOS High Sierra (10.13) or later account attribute that must be present on a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume. To make sure that at least one account holds a Secure Token, macOS automatically grants one to the first account that logs in at the login window on a particular Mac. Once an account holds a Secure Token, accounts it creates are in turn automatically granted their own Secure Token.

For Verify Privilege Manager to support Secure Token during account creation and password management, a local account with Secure Token enabled must exist on each macOS workstation. The credentials for this account must be set as the Secure Token Management Credential.

When the Secure Token Management Credential is configured in the macOS agent configuration, Verify Privilege Manager uses this credential to create a local account on each macOS workstation. The resulting managed local account is used during account provisioning and password management to ensure that managed accounts are Secure Token enabled.

If the Secure Token Management Credential is removed from the macOS Agent Configuration, the agent falls back to the non-Secure Token method of password management, and any new users it creates or manages will not be Secure Token enabled. Password management of existing Secure Token enabled users will fail, because without a Secure Token Management Credential macOS does not allow the agent to change the password of a Secure Token enabled user.
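The two facts above (which accounts hold a Secure Token, and that a token holder's password can only be changed with another token holder's credentials) can be checked directly on a workstation. The following script is an added example, not code from the Verify Privilege Manager documentation or product; it assumes the stock macOS `sysadminctl` and `dscl` tools, and the account names in its comments are placeholders. It audits every local account's token status, lists the accounts the agent would be unable to manage through a Secure Token credential, and shows the password reset form that macOS requires for a token holder.

```shell
#!/bin/bash
# Added example (not part of the Verify Privilege Manager documentation):
# audit Secure Token status of local macOS accounts and reset a token
# holder's password the way macOS requires, i.e. with the credentials of an
# account that already holds a Secure Token.
#
# Assumptions: macOS 10.13+ with the stock `sysadminctl` and `dscl` tools;
# account names such as "alice" and "tokenadmin" are placeholders.

# `sysadminctl -secureTokenStatus <user>` prints a line such as
#   2024-01-01 12:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user alice
# to stderr. Normalise that to one word so callers can branch on it.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Query the live system for one account.
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Local user accounts (UID >= 500), excluding hidden and system accounts.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Reads lines of "<user> <status>" on stdin and prints the users that do
# NOT hold a token. Those are the accounts a Secure Token credential cannot
# be used to manage, and the accounts FileVault cannot be enabled for.
users_without_token() {
    awk '$2 != "enabled" { print $1 }'
}

# Reset a Secure Token user's password. A plain `dscl . -passwd` is not
# sufficient for a token holder; macOS requires the credentials of another
# Secure Token account, which is the role the management credential plays.
# The `-` arguments make sysadminctl prompt for both passwords so they
# never appear on the command line or in `ps` output.
reset_token_user_password() {
    admin="$1"; target="$2"
    sysadminctl -adminUser "$admin" -adminPassword - \
                -resetPasswordFor "$target" -newPassword -
}

main() {
    report=$(for u in $(local_users); do
                 printf '%s %s\n' "$u" "$(token_status "$u")"
             done)
    printf '%s\n' "$report"
    missing=$(printf '%s\n' "$report" | users_without_token | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "WARNING: accounts without a Secure Token: $missing" >&2
    fi
}

# Only touch the live system when the macOS tool is actually present.
if command -v sysadminctl >/dev/null 2>&1; then
    main "$@"
fi
```

Run it as an administrator before rolling out the Secure Token Management Credential: if the account you intend to use appears in the warning list, the agent will not be able to grant tokens or manage the passwords of token holders. `diskutil apfs listCryptoUsers /` gives an independent view of which accounts can unlock the boot volume.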

The agent ignores attempts to manage the service account (the local account it creates from the Secure Token Management Credential). This includes provisioning and password management of the service account via LSS. Do not modify the service account, and in particular do not change its local password: doing so may invalidate its configuration and cause the agent's password management to fail.

Using Multiple Secure Tokens

To implement multiple Secure Tokens across your macOS estate, create a new agent configuration profile within the designated Computer Group.

An agent configuration that was created or duplicated in version 11.4.3 or earlier continues to update the Secure Token credential in all agent configurations.

Considerations

  • Agents should only belong to a single Computer Group with an active agent configuration.

  • The primary agent configuration must be disabled; otherwise the other configurations are ignored.

  • If an agent is added to more than one Computer Group with an active configuration, the agent may not follow the expected configuration.

Agent Configuration

To use Secure Token with macOS agents, the user credential must be created and then linked to the macOS agent configuration.

  1. Navigate to Admin | Configuration, select the Credentials tab.

  2. Click Create.


  3. Under Details enter a Name and Description.

  4. Under Settings enter the Account Name and Password for the macOS user account with Secure Token access.

  5. Click Save Changes.

  6. Navigate to your macOS Computer Group and select Agent Configuration.


  7. In the Secure Token Enabled Management Credential field, select the macOS user credential you created in steps 2 to 5.

  8. Click Save Changes.