
Grant Secure Token for a local user account in macOS devices

Secure Token is a per-account attribute on macOS that lets an account's password unlock a FileVault-encrypted APFS volume. Because it records which accounts are cryptographically tied to the volume, it also underpins volume-owner status, which on Macs with Apple silicon is required to approve third-party kernel extensions (KEXTs) and to authorize macOS software updates.

The Importance of Secure Token

Introduced with macOS High Sierra (10.13), Secure Token marks an account whose password can unwrap the key protecting the encrypted APFS volume. Without it, a user cannot unlock a FileVault-enabled disk at the pre-boot login screen or perform the administrative tasks that require volume ownership.

  • FileVault Access: Only Secure Token-enabled users appear on the FileVault pre-boot login screen.
  • Chain of Trust: A Secure Token can only be granted by an account that already holds one, so tokens propagate from the first token holder to each subsequent user. (This is distinct from the MDM-escrowed Bootstrap Token, which is a separate mechanism.)
  • System Updates: On Macs with Apple silicon, a volume owner (that is, a Secure Token holder) must authorize certain system-level software updates.

Prerequisites and Automatic Granting

To manage Secure Tokens via Hexnode UEM, the device must meet the following criteria:

  • Operating System: macOS 10.13 (High Sierra) or later.
  • Volume Type: APFS (Apple File System).
  • Existing Token: An administrator account that already holds an active Secure Token must exist on the device, since only a token holder can grant one to others.

Automatic Granting Scenarios:

  • Local admin accounts created via the initial macOS Setup Assistant.
  • Local admin accounts created during Automated Device Enrollment (DEP), provided that admin account is the first to log in.

Method 1: Grant Secure Token to an Existing User

Use this remote action to enable Secure Token for a user account that has already been created on the device.

  1. Log in to the Hexnode portal and navigate to the Manage tab.
  2. Select the target macOS device.
  3. Click on Actions > Policies & Accounts > Grant Secure Token.
  4. Under the Grant Secure Token section, configure the following details:
    • Administrator account details: Enter the username and password of the admin user who already has a Secure Token.
    • Target account details: Enter the credentials of the user who needs the Secure Token.
    • Note: You may use wildcards to automatically populate these fields from enrollment data.

  5. Click on Grant Token.

Method 2: Grant Secure Token During New User Creation

You can grant the token simultaneously while provisioning a new local account from the UEM console.

  1. Navigate to the Manage tab and select the target device.
  2. Click on Actions > Policies & Accounts > Create User Account.
  3. Enter the required credentials for the new user.
  4. Under the Grant Secure Token section, enter the credentials of an existing admin user who already possesses a Secure Token.
  5. Click on Create.

Troubleshooting Guides

Problem: Target user missing from the login screen
Potential root cause: The user does not have a Secure Token on a FileVault-enabled device.
Resolution: Execute the Grant Secure Token action using a valid admin account that already holds a token to enable the user for pre-boot login.

Problem: Action fails with "Authentication Error"
Potential root cause: Incorrect administrator credentials were provided.
Resolution: Ensure the administrator username and password used to grant the token are correct and that the admin account already has a token.

Problem: Secure Token not granting on an older macOS
Potential root cause: The device is running a version prior to 10.13.
Resolution: Secure Token is only applicable to macOS 10.13+ on APFS volumes. Verify the OS version in Device Summary.

Problem: DEP admin lacks a Secure Token
Potential root cause: A different user logged in before the DEP admin.
Resolution: If a standard user logs in first, they may claim the first token. You must use that user's credentials to grant tokens to others.
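As an added example (not Hexnode's code and not part of the Hexnode agent), the shell script below shows what the Grant Secure Token (Method 1) and Create User Account (Method 2) actions do on the Mac itself, using Apple's own sysadminctl and dscl, and gives you the audit check behind the troubleshooting cases above: which local accounts hold a token, and whether anyone on the device can grant one at all. It assumes macOS 10.13 or later on APFS; the account names and passwords passed to the grant functions are placeholders, and the sysadminctl output lines it parses are reproduced from the real tool's stderr format.

```shell
#!/bin/sh
# Added example, not Hexnode's own code: the on-device equivalent of the
# Grant Secure Token and Create User Account actions, plus a token audit.
# Assumes macOS 10.13+ on an APFS volume and an existing token holder.

# Classify one sysadminctl -secureTokenStatus line (printed to stderr).
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Real query for one account (macOS only).
secure_token_status() {
    token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Keep human accounts (UID >= 500, not the _service accounts) from
# "name uid" lines such as those printed by: dscl . -list /Users UniqueID
filter_local_users() {
    printf '%s\n' "$1" | awk '$2 >= 500 && $1 !~ /^_/ { print $1 }'
}

local_users() {
    filter_local_users "$(dscl . -list /Users UniqueID)"
}

# Emit "user STATE" lines for every local account.
audit_tokens() {
    for u in $(local_users); do
        printf '%s %s\n' "$u" "$(secure_token_status "$u")"
    done
}

# The chain of trust is intact when at least one account holds a token.
# Argument: audit lines in the form produced by audit_tokens.
chain_intact() {
    printf '%s\n' "$1" | grep -q ' ENABLED$'
}

# Method 1 equivalent: grant a token to an existing user with a token
# holder's credentials. Pass "-" for a password to be prompted for it
# instead of exposing it on the command line.
grant_token() {
    target=$1; target_pw=$2; admin=$3; admin_pw=$4
    sysadminctl -secureTokenOn "$target" -password "$target_pw" \
                -adminUser "$admin" -adminPassword "$admin_pw"
}

# Method 2 equivalent: create a local user; supplying token-holder admin
# credentials makes sysadminctl grant the new account a token at creation.
create_user_with_token() {
    new_user=$1; new_pw=$2; admin=$3; admin_pw=$4
    sysadminctl -addUser "$new_user" -fullName "$new_user" -password "$new_pw" \
                -adminUser "$admin" -adminPassword "$admin_pw"
}

# Stand-alone run: audit, then say whether a grant is possible at all.
# Guarded so the file does nothing on a non-macOS host.
if command -v sysadminctl >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    report=$(audit_tokens)
    printf '%s\n' "$report"
    if chain_intact "$report"; then
        echo "At least one token holder exists; a grant can proceed."
    else
        echo "No token holder on this device; see the FAQ on a broken chain."
    fi
fi
```

Run it as an administrator to get the audit; to grant interactively without leaving either password in the process list, call `grant_token alice - admin -`. Cross-check the result against the FileVault pre-boot user list with `fdesetup list`, which is what the user sees at the login screen after the next restart.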

Frequently Asked Questions (FAQs)

What happens if no user on the device has a Secure Token?

If no account on the device holds a Secure Token, the chain of trust is broken and the Grant Secure Token action cannot help, because it needs a token holder's credentials. A FileVault personal or institutional recovery key can still unlock the encrypted volume, and on macOS 10.15.4 and later a Bootstrap Token previously escrowed with the MDM lets macOS grant a Secure Token to a user at the login window, provided the MDM supports it.

Does a user need a Secure Token if FileVault is turned off?

Yes, in practice. Secure Token exists primarily for FileVault, but on Macs with Apple silicon a token holder is also a volume owner, and volume ownership is needed to approve kernel extensions and authorize software updates. It is best practice to grant it to every primary user of the device.

Can wildcards be used for passwords?

Yes. Hexnode supports the use of wildcards to populate both the Administrator and Target account fields, provided the data was collected during the enrollment process.

Will the user be notified when they receive a token?

Granting is silent on the device. After the next restart, the user's account appears on the FileVault pre-boot login screen.
