Eugene
Raynor

What is secure token and why is it important for macOS security?

Eugene Raynor

Jul 29, 2021

16 min read

With the introduction of macOS High Sierra (macOS 10.13), Apple announced a number of changes to the overall security and privacy functionalities on a macOS device. Among these, one significant change was how Apple would handle the ‘chain of trust’ on a macOS system, and how Macs would recognize a ‘trusted’ account on a user’s device. Now, if these terms seem a bit foreign to you, it’s because you haven’t been introduced to Apple’s latest approach to securing users and accounts on a macOS device – With the help of Mac secure tokens.

Manage secure tokens on your macOS devices with Hexnode UEM

What is Mac secure token?

A secure token on a Mac is an account attribute that permits users to perform critical operations on the macOS system, involving processes such as enabling FileVault, approving system and kernel extensions, and enforcing software updates.

For example, in previous versions of macOS that ran on CoreStorage volumes, the keys used in the FileVault encryption process would be generated only when a user tried to enable FileVault on their Mac. However, Apple believed these processes would make the Mac vulnerable to potential attempts to misuse the authority granted to macOS admin accounts.

But this all changed with the introduction of the Apple File System (APFS). For macOS devices running on APFS volumes, the encryption keys are generated either during

  • The user creation process
  • When setting the first user’s password
  • During the first login by a Mac user

But how does this improve security? Well, that’s because these keys aren’t generated for ‘all’ user accounts. These accounts need to pass specific criteria set by Apple to receive encryption keys.

This implementation of encryption keys, rules on when they are generated, and how they are stored, are all part of the feature known as Mac secure tokens.

According to Apple,

“A secure token is a wrapped version of a key encryption key (KEK) protected by a user’s password.”

Some terms you should know

Before we move on, I’d suggest you take a quick look at some of the terms you’ll find being repeatedly used in this blog.

Logging into a macOS device
Logging into a macOS device
 

Administrator account

An administrator account (by default) has complete access to all the functionalities on a macOS device. This includes managing user accounts, adding or removing apps, modifying system files, managing security settings – Basically, any administrative task can be performed by an account with admin privileges. You can have as many administrator accounts as you want on your Mac. However, it is mandatory to have at least one administrator account on a macOS device at all times.

Standard account

Standard accounts are basic user accounts that allow end-users to personalize the settings specific to their own account. However, these accounts have limitations on modifying system settings, accessing other users’ files, and changing the macOS security settings. It is important to note that these accounts can still make administrator-level changes to the system by providing an admin account’s username and password. However, standard accounts cannot modify other user settings, create new users, or delete any existing user from the Mac.

Local account

Local accounts refer to any user account created locally by the macOS system. The user information for these local accounts is stored on the macOS device. These local accounts can have either administrator or standard privileges. However, local account users cannot access the macOS server over the network.

Active Directory mobile account

An Active Directory mobile account enables you to remotely access your Active Directory user account residing in the AD server, even when you’re not connected to the network. Once your Directory Utility’s Active Directory connector sets up your mobile user account, you can use your Active Directory credentials to log in to the AD account on your Mac. As an IT admin, you can configure these mobile accounts to be automatically created, or you can require the AD users to confirm the creation of their mobile accounts.

Auto Admin account

An Auto-Admin account refers to the optional admin account configured to be automatically created on a Mac (during first turn on) via Automated Device Enrollment. The details for the Auto-Admin account, including username, account name and password, along with the option to hide the account from the Login Window and the ‘Users and Groups’ pane, are pushed to the Mac via the DEP configuration profile.

What happens if my account does not have a secure token?

If a user does not have a secure token associated with their account, this account will not have access to perform any critical tasks on the macOS device, including – approving system extensions, kernel extensions, enabling FileVault and approving software updates on a Mac.

IT admin configuring FileVault on a Mac
IT admin configuring FileVault on a Mac
 

But that’s not all. For example, let’s assume your IT has enabled FileVault on your Mac, and the encryption process has finished. Now, once a user powers on a Mac, only the user accounts that have a secure token associated with it will have the authority to decrypt FileVault encryption. Any user account that does not possess a secure token will be hidden from the login window, and can only access the Mac once FileVault has been decrypted.

This basically renders any user account without a secure token useless, once FileVault is enabled.

How does a macOS device grant a secure token?

A secure token is automatically granted to the very first user account on a macOS device. You could create this local user account in either of the two ways. (However, the instance at which the secure token is granted differs based on the how the account is created.)

  • Account is created via Setup Assistant:

When a user turns on the Mac for the first time, the Setup Assistant helps the user configure the first account on the Mac. Once a password has been set up for this account, macOS automatically grants a secure token to this user account.

  • Account is created via Automated Device Enrollment:

When the first account on a Mac is configured to be created via Automated Device Enrollment (ie, the Auto-Admin account), macOS grants this account a secure token when a user logs in to this account for the first time.

It is worth noting that, if you’ve created an account via Automated Device Enrollment (the Auto-Admin account) and did not enable the ‘Skip Setup Assistant’ option, you may end up with two initial accounts in the macOS system. In such cases, macOS will grant secure tokens to both the initial accounts,

  • For the Auto-Admin account – During first login
  • For the Setup Assistant created account – During password creation

Once the initial account has a Secure Token associated with it, any subsequent user accounts created by the secure token enabled account – via System Preferences > Users and Groups – will in turn automatically be granted their own secure tokens.

Why are secure tokens not generated for some accounts?

Now, it is to be noted that, not all types of accounts automatically receive a secure token. Active Directory mobile accounts and user accounts created via command line tools do not automatically receive an associated secure token attribute.

How do I get a secure token for my account?

To manually associate a secure token to your Active Directory mobile accounts, user accounts created via command-line tools (or in general, any account without an associated secure token), you must either,

  • Make use of the sysadminctl commands on a Mac
  • Employ the help of a UEM solution to distribute secure tokens.

The idea behind Apple’s implementation of the Mac secure token attribute is to create a secure chain of trust among the user accounts on a macOS device, thereby ensuring that only trusted accounts can access a FileVault-encrypted Apple File System (APFS) volume, and execute critical operations on a Mac.

Secure token workflow without UEM
Secure token workflow without UEM
 

However, this layer of safety also presents a challenge to IT admins. How can enterprises remotely manage essential configurations, including FileVault, system extensions, kernel extensions, and software updates on Mac, if the macOS device doesn’t grant their users a secure token? Well, let’s see what we can do about this.

How to manage secure tokens using sysadminctl commands

IT can make use of the sysadminctl commands to grant secure tokens to any user account, including Active Directory mobile accounts, and accounts created via command-line tools. However, this process must be done manually after the account has been created. To run the sysadminctl utility, you will require access to a user account with the following pre-requisites:

Pre-requisites

  • Must be an administrator account
  • Must have an associated secure token


How to check secure token status

To check if your user account has a secure token associated with it, open terminal and run the following command

sysadminctl -secureTokenStatus (username)

You will receive an output similar to this:

Secure token is ENABLED for user (username)

Alternatively, you can also use either of the following methods to check the secure token status.

dscl . -read /Users/(username) AuthenticationAuthority
  • If the account is an Active Directory mobile account, you can also check secure token status by navigating to System Preferences > Users and Groups > Login options > Network account server > Open Directory Utility > Directory Editor > username. Here, check for ‘secure token’ under ‘Authentication Authority’. If not present, the account does not have a secure token.

How to manually generate secure token

To generate a secure token and associate it to a user account, you must first log in to an admin user that has secure token enabled. Then, open terminal and run the following command.

sysadminctl -secureTokenOn (username that needs secure token) -password (password of user that needs secure token)

Alternatively, if you would like to enter the password separately in the password dialog box, run the following command.

sysadminctl -secureTokenOn (username that needs secure token) -password -

How to remove secure token

To remove an associated secure token from a user account, you must first log in to an admin user that has secure token enabled. Then, open terminal and run the following command.

sysadminctl -secureTokenOff (username that needs secure token) -password (password of user that needs secure token)

Alternatively, if you would like to enter the password separately in the password dialog box, run the following command.

sysadminctl -secureTokenOff (username that needs secure token) -password -

How does IT manage secure tokens using UEM?

The introduction of secure tokens has forced enterprises to adjust their Unified Endpoint Management workflows so that all corporate Mac accounts receive their corresponding secure tokens. But how exactly have these management workflows changed, and how did they incorporate secure tokens in the enterprise? Let’s find out.

What is Unified Endpoint Management (UEM)?

When deploying a macOS device to the end-user, we know that they are first enrolled in the UEM portal via Apple’s Automated Device Enrollment program. Now, from here, there exist two different device deployment scenarios, each with their own workflows.

Case-1: When the end-user sets up the Mac

Secure token workflow with UEM - Case 1
Secure token workflow with UEM – Case 1
 

Here, the macOS device is configured via Apple School Manager/Apple Business Manager and deployed directly to the end-user. Once the Mac is turned on for the first time, the user is directed to create their account via Setup Assistant.

Note

This account can be either a standard account, or an administrator account, depending on the configuration IT has sent via the DEP configuration profile. Usually, it is best to set the end-user account as a standard account, to prevent users from making any system changes. However, a Mac always requires the presence of at least one administrator account in the system. So how is this requirement met?

This is where Auto-Admin accounts come in. As an IT admin, if you choose to create a standard account via Setup Assistant (or even skip Setup Assistant altogether), then it is mandatory to also set up an Auto-Admin account. The account details and password for the Auto-Admin account is configured in the DEP configuration profile, and the account is automatically created once the Mac is turned on for the first time. The secure token for the auto-admin account is generated during the first account log in.

At the time of writing this blog, Hexnode does not support the ‘Downgrade SetupAssistant-created account to standard privileges’ functionality.

Next, the user sets a password for their account, after which macOS automatically associates a secure token to this user account (regardless of whether the account has standard or admin privileges).

If the UEM solution supports the bootstrap token feature, the bootstrap token is also generated by the Mac and escrowed to the UEM solution.

Once a secure token is associated to the user account, the device management workflow proceeds back to the normal flow.

  • If additional Active Directory mobile accounts (or even accounts created via UEM commands) are set up after the Setup Assistant process, the secure tokens for these accounts will not be automatically generated by the Mac. Instead, IT must grant secure tokens for these accounts from the UEM portal itself.

However, if a bootstrap token is escrowed to the UEM portal, the secure tokens are automatically generated for the mobile accounts when the user logs in for the first time.

  • Now, it is also worth noting that if, an Active Directory mobile user account (or, an account created via UEM commands) that has a secure token associated with it, creates a local user account, this local account will automatically be granted a secure token by the macOS device.

What is Mac bootstrap token?

Bootstrap tokens were introduced in macOS Catalina (10.15) as a method for UEM solutions to automatically grant secure tokens to macOS user accounts. Their primary purpose is to assist with enabling secure tokens for Active Directory mobile accounts and Auto Admin accounts. However, with the changes brought about in WWDC 2020, bootstrap tokens can now be used to grant secure tokens to any user logging into a macOS device. Bootstrap tokens can be generated and escrowed to the UEM server on the first login by any user with an associated secure token. Using the bootstrap token feature of macOS 10.15 or later requires:

  • Supervision
  • UEM vendor support

Support for bootstrap tokens is currently in the works for Hexnode UEM and will be made available in the coming months.
Stay tuned to our feature releases and be the first to know when our new features hit the shelves.

Case-2: When the IT admin sets up the Mac

Secure token workflow with UEM - Case 2
Secure token workflow with UEM – Case 2
 

Here, the macOS device is configured by the IT admin before being deployed to the end-user. In this case, the admin account (created either via Setup Assistant or via the DEP configuration profile) is used to set up and provision the Mac. A secure token is associated to this account either during first login, or after the account password is set (depending on how the account was created).

If the UEM solution supports the bootstrap token feature, the bootstrap token is also generated by the Mac and escrowed to the UEM solution.

Next, the user accounts are set up. There exists three methods that IT admins may use to set up user accounts on a macOS device.

  • Method-1: Suppose you’re associating the Mac with an Active Directory service and setting up mobile accounts (and the bootstrap token is not escrowed to the UEM). Then, when the mobile account users log in for the first time, they will be prompted to enter the credentials of an existing admin account with a secure token (the user can bypass this option if IT doesn’t require granting these user accounts a secure token).
  • Method-2: Suppose IT decides to create local user accounts instead of Active Directory mobile accounts. In that case, these local users are automatically granted a secure token, when they are created from System Preferences > Users and Groups by a secure token enabled admin account.
  • Method-3: Alternatively, if IT decides to create user accounts directly via UEM commands – and the UEM solution has the bootstrap token escrowed – these user accounts will be automatically granted secure tokens when user first logs in. If the bootstrap token is not available, then IT admins can manually grant the secure token from the UEM portal itself.

How to grant secure token using Hexnode UEM?

Enterprises can remotely grant secure tokens to a user account via Hexnode UEM, by making use of the ‘Grant Secure Token’ action in the Hexnode portal. Just select the required macOS device, click on the ‘Grant Secure Token’ option from remote actions, and enter the following details.

Grant secure token via Hexnode UEM

Administrator account details (Details of an existing secure token enabled admin account)

  • Username:
  • Password:

Target account details (Details of the user account that requires the secure token)

  • Username:
  • Password:


Now, if IT requires to create a new user account and grant a secure token to this user account, they can use the ‘Create User Account’ option from remote actions, and check the ‘Grant Secure Token’ box. They will need to provide the username and password of an existing secure token enabled admin account, after which the required user account will be created on the Mac.
Share
  •  
  •  
  •  
  •  
  •  
Eugene Raynor

Seeking what's there lurking over the horizon.

Share your thoughts