allot secure token to only non-admin account


hi there, need help with a situation. We manage a fleet of macOS devices, both M1 and Intel, at our company. These devices have an account that is created on enrollment through Hexnode and a user account that is an admin.
The newly enrolled account is made the managed admin and the user account is made a standard account after enrollment… both the managed admin account and the standard user account have the secure token.
I want the secure token only on the standard account… is there a way to remove the secure token from the managed admin account?

All Replies

  • Participant



    try running this command…
    sysadminctl -secureTokenOff <username> -password <password of that user> -adminUser <secure-token admin> -adminPassword <admin password>
    this should remove the secure token from the account
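
The check that goes with the command above, as an added example that is not part of the thread: a small audit script that lists every local account on the Mac with whether it is an admin and whether it currently holds a secure token, so you can confirm the state before and after changing it. It assumes macOS with sysadminctl, dscl and dseditgroup; the parsing function is exercised here on constructed sample lines in the format sysadminctl prints, so the script also runs on a non-Mac for that part.

```shell
#!/bin/bash
# Added example (not from the thread): audit secure-token holders on a Mac.
# Assumes macOS tools: sysadminctl, dscl, dseditgroup.

# parse_token_status: classify one line of `sysadminctl -secureTokenStatus <user>`
# output as enabled / disabled / unknown.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "enabled" ;;
    *"Secure token is DISABLED"*) echo "disabled" ;;
    *)                            echo "unknown" ;;
  esac
}

# local_users: real local accounts (UID >= 500), skipping system accounts. macOS only.
local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# is_admin: exit 0 if the user is a member of the local admin group. macOS only.
is_admin() {
  dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# audit_secure_tokens: one tab-separated line per account: user, role, token state.
audit_secure_tokens() {
  for u in $(local_users); do
    # sysadminctl writes its status message to stderr, hence 2>&1
    line=$(sysadminctl -secureTokenStatus "$u" 2>&1)
    status=$(parse_token_status "$line")
    role=standard
    if is_admin "$u"; then role=admin; fi
    printf '%s\t%s\t%s\n' "$u" "$role" "$status"
  done
}

# Constructed sample lines in the format sysadminctl prints (illustration only).
SAMPLE_ENABLED='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user managedadmin'
SAMPLE_DISABLED='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is DISABLED for user jdoe'

if [ "$(uname)" = "Darwin" ]; then
  audit_secure_tokens
else
  # Off a Mac, just show the parser working on the constructed samples.
  parse_token_status "$SAMPLE_ENABLED"
  parse_token_status "$SAMPLE_DISABLED"
fi
```

Run it once before and once after the sysadminctl change; the goal from the question is a listing where the standard account shows enabled and the managed admin shows disabled, with at least one account still holding a token so FileVault and password resets keep working.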

  • Participant



    From what I understand, the managed account is assigned the secure token when you log in with a password…
    I did some digging online and it seems you may have to wipe the system and go for manual deployment!!!
    You may have to try something else… try disabling the bootstrap token of your standard account.

  • Hexnode

    Ethan Miller


    Hi there,

    Bootstrap tokens are a method for UEM solutions to automatically grant secure tokens to macOS user accounts. Their primary purpose is to assist with enabling secure tokens for Active Directory mobile accounts and Admin accounts automatically created on a Mac (during first turn on) via Automated Device Enrollment. Bootstrap tokens can be generated and associated with the UEM server on the first login by any user with an associated secure token.

    Currently, support for bootstrap tokens for Hexnode is in discussion with our developers. Stay tuned to our future releases for new feature updates.

    Here, when an IT admin configures a macOS device before it is deployed to the end user, the admin account created via Setup Assistant is associated with a secure token during first login or after the account password is set. All types of accounts automatically receive a secure token except AD mobile accounts and user accounts created via command line tools.

    You always need to set an account as admin. If not, an automatic administrator account (auto-admin) is set as mandatory even if you skip Setup Assistant, and the auto-admin account is generated during the first account login.

    You can read more about secure tokens on our blog for an in-depth understanding.

    Hope this answer helps you.

    Ethan Miller
    Hexnode UEM