Versions Compared

Old Version 10

changes.mady.by.user Erickson, Kyle

Saved on

compared with

New Version Current

changes.mady.by.user Erickson, Kyle

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Campus content

This content applies to:

Content applies to ict
Facultytrue
Stafftrue

Environment

Environment ict
Mactrue

Details

Panel

Managed Mac devices may see a prompt as shown below that asks for a password to enable a secure token. These prompts are legitimate and are required by IT Support Services to be able to support managed Mac devices in the USask community.

Frequently Asked Questions

Expand
titleWhy is a secure token required?

Apple requires administrative accounts to have a secure token to perform several administrative tasks such as resetting a local account password or interacting with FileVault disk encryption. USask managed Mac endpoints have an administrator account that is used by IT Support Services as required, but also may be delegated to faculty or staff to perform administrative tasks.

Info

The administrator account has a unique password per device and is rotated weekly.

Expand
titleWill I lose administrative access (if I have it)?

No, this will not remove administrator access from accounts that currently have it. You are seeing the prompt as we require an existing account with a secure token to add a secure token to the administrator account.

Expand
titleThe prompt is gone, will it come back?

You will be prompted again if we require a your password to enable a secure token on the administrator account.

Expand
titleI don't want to enter my password. Is there another option?

Yes, you can create a temporary account in System Preferences. The policy will look for this account, and if it exists and has a secure token, it will use it instead of prompting.

Username: tempuser

Password: temppa55

Once you've created the account, restart your device. The account will be deleted automatically after the secure token is enabled which should be within an hour.


Images of the Secure Token Prompt


Content specific to it agents
Info

It is possible for users to see this prompt if the administator password is unknown (even if the account has a secure token). In that case the password will be reset but it still requires a user with a secure token to do the reset.

Once the password has been entered successfully you should see the following for the object in Jamf (Inventory\General):

Administrator Password (LAPS): Randomly-Generated-Password

Secure Token (LAPS): Enabled


...

Page properties
hiddentrue
Related issues
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-289799
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-289863
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-289822
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-289809
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-290912
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-291134
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-293207
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-293428
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-293555
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-293732
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-294138
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-294482
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-294598
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-294804
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-296274
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-297517
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-307990
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-402659
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-414241
Jira
serverId1c7b0151-f1d6-37ea-a43a-00edbb3a2308
keyISD-477147