Grant Secure Token for a local user account in macOS devices

Apple introduced Secure Token as an account attribute used to perform cryptographic operations, which include enabling FileVault disk encryption and determining whether a user can access a FileVault-enabled volume. Secure Tokens are necessary for FileVault, KEXTs and software updates. On macOS devices running on APFS (Apple File System) volumes, the FileVault encryption keys are generated when the first user is created, when the password for that user is set, or when the user logs in to the device for the first time. In previous versions of macOS running on CoreStorage volumes, the FileVault encryption keys are generated when FileVault is turned on in the device.

With the addition of the Secure Token feature, Hexnode UEM lets you grant a Secure Token to an existing user by using the credentials of an admin user to whom a Secure Token has already been granted. You can also grant a Secure Token while you are creating a new local user from the portal. Using Hexnode UEM, you can create a chain of trust among the users of your device.

On a macOS device, Secure Token is automatically granted to two types of accounts:

  1. Local admin user accounts created via the Setup Assistant.
  2. Local admin user accounts created during DEP enrollment. However, the admin user must be the first to log in to the device.

Note: Secure Token can be enabled on devices running macOS 10.13 or later.

Grant Secure Token to an existing user on your macOS device

You can follow the steps given below to enable Secure Token for any existing user on your macOS device:

  1. From your Hexnode portal, navigate to the Manage tab and select your device.
  2. Click on Actions > Grant Secure Token.
  3. Under the Administrator account details, enter the credentials of the admin user account for which the secure token has already been enabled.
  4. Under the Target account details, enter the credentials of the user account for which the Secure Token is to be enabled. You can make use of wildcards to automatically populate the corresponding fields from the data provided during device enrollment.
  5. Click on Grant Token.

Secure Token will be granted to the target account by establishing a chain of trust among the users of the device.

Grant Secure Token to a new user on your macOS device

You can follow the steps given below to grant Secure Token for a new user that is created from the Hexnode portal:

  1. Navigate to the Manage tab and select your device.
  2. Click on Actions > Create User Account.
  3. Enter the required credentials for the user.
  4. Under Grant Secure Token, enter the credentials of the admin user account for which the Secure Token has already been enabled. You can make use of wildcards to automatically populate the corresponding fields from the data provided during device enrollment.
  5. Click on Create.

Secure Token will be automatically enabled for the new user when the account is created on the device.

What happens at the device end?

A FileVault-enabled macOS device can be accessed only by user accounts that have Secure Token enabled. Once you grant Secure Token to a user using Hexnode, the user will be able to log in to the device. Users without a Secure Token are not displayed on the login screen of a FileVault-enabled device.
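
To confirm on the device which accounts actually hold a Secure Token after a grant, the following added example (not part of Hexnode's documentation or tooling) audits local accounts with the macOS built-in `dscl` and `sysadminctl` commands. The function names are hypothetical, and the UID 501 cutoff for regular accounts is an assumption based on the macOS default.

```shell
#!/bin/sh
# Added example: audit which local accounts hold a Secure Token.
# Accounts reported as DISABLED will not appear on the FileVault login screen.

# Classify one `sysadminctl -secureTokenStatus <user>` output line.
# Prints ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Read "name uid" pairs (the layout of `dscl . -list /Users UniqueID`)
# on stdin and print regular accounts only: UID >= 501 (assumed macOS
# default for human users) and no leading underscore (service accounts).
regular_users() {
    awk '$2 >= 501 && $1 !~ /^_/ { print $1 }'
}

# Query the live system; returns non-zero if any regular account lacks a token.
audit_secure_tokens() {
    rc=0
    for user in $(dscl . -list /Users UniqueID | regular_users); do
        # sysadminctl writes its status line to stderr, hence 2>&1.
        state=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        printf '%-20s %s\n' "$user" "$state"
        [ "$state" = ENABLED ] || rc=1
    done
    return "$rc"
}

# Run the audit only where the macOS tools are present.
if command -v sysadminctl >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    audit_secure_tokens || echo "One or more accounts have no Secure Token." >&2
fi
```

An account listed as DISABLED is one to pass through the Grant Secure Token action described above.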