allot secure token to only non-admin accountSolved

try running this script…
sysadminctl -secureTokenOff (username that needs secure token) -password (password of user that needs secure token) 
this should delete the secure token from the account

ran the script but I was shown this error

from what I understand the managed account is assigned the secure token when you login with a password….
I did some digging online and it seems you may have to wipe the system and go for manual deployment!!!
You may have to try something else…. try disabling the bootstrap token of your standard account.

Hi there,

Bootstrap tokens are a method for UEM solutions to automatically grant secure tokens to macOS user accounts. Their primary purpose is to assist with enabling secure tokens for Active Directory mobile accounts and Admin accounts automatically created on a Mac (during first turn on) via Automated Device Enrollment. Bootstrap tokens can be generated and associated with the UEM server on the first login by any user with an associated secure token.

Currently, support for bootstrap tokens for Hexnode is in discussion with our developers. Stay tuned to our future releases for new feature updates.

Here, when an IT admin configures a macOS device before being deployed to the end user, the admin account created via Setup Assistant is associated with a secure token during first login or after account password is set. All types of accounts automatically receive a secure token except AD mobile accounts and user accounts created via command line tools.

You always need to set an account as admin. If not, an automatic administrator account auto-admin is set as mandatory even if you skip Setup Assistant and the auto-admin account is generated during the first account login.

You can read more about secure tokens on our blog for an in-depth understanding.

Hope this answer helps you.

Cheers!
Ethan Miller
Hexnode UEM

• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Michelle.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.
• This reply was modified 2 years, 7 months ago by  Ethan.

manually creating accounts to prevent assigning secure token would help, but that is a lot of trouble and beats the purpose of automated deployments.