Note: have a look at my new post regarding additional admin accounts and SecureToken:

Just a quick post before heading into the weekend, and leaving Secure Tokens far behind me for a couple of days. I just want to share this attempt to make a script to manage Secure Tokens prior to enabling FileVault. The idea is to make sure that you have an Administrator Account with a Secure Token in case you want to be able to manipulate the tokens/FileVault later. As said in my previous post, you want to avoid enforcing FileVault on a non-admin if you need multiple accounts with Secure Tokens. This is especially important in case you are limiting the end user to creating a non-admin/standard account or using managed mobile accounts at automated enrolment. Once the only token holder is not an admin, it’s game over. I made the script with the idea to run it before enabling FileVault. if the end user is an Admin token holder. To automate Secure Token manipulation, we need the credentials of both the granting and the receiving user account. I’m passing the Admin credentials via the $4 and $5 variables in Jamf Pro, but have a look at this GitHub link in case you want to add more security. I also kept a few ‘echo’ statements in the script for troubleshooting. Please let me know! Comment or remarks? Useful? Let me know what you think!

I tried something to avoid asking the end user for his/her password. This was done by using sysadminctl to grant a token to itself post enrolment. This works if there are no token holders, just like the command I used in the script to grant a token to both the ‘IT Admin’ and the end user. However, because the ‘IT Admin’ becomes the token holder, the end user standard account without a token can’t enable FileVault. I ended up having the error on the profile again. You will have to grant the end user a token… ending up asking for the password again.

If you want to manipulate tokens, you have to ask the end user for his/her password, whatever approach you take. This makes me believe that my script, applied post enrolment and before enabling FileVault, is the only way to go. In case you do end up with a non-admin token holder (and no admin token holder available) you can actually promote the end user to admin, manipulate the tokens and demote again. Dirty but it works and it’s the only workaround. Please tell me if you find something I am missing!

Hi! Well, the script is actually made to be used remotely in Jamf Pro. It actually does not enable FileVault, but as I mentioned in the comments at the bottom, you could.
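An added example of the pre-FileVault token flow discussed above (my code, not the author’s Jamf script): it reads the admin credentials from the Jamf parameters $4 and $5, checks `sysadminctl -secureTokenStatus` for the admin and the console user, lets the admin grant itself a token when nobody holds one, and then grants the end user a token from the admin. The use of $6 for the end user’s password, the helper names and the ENABLED/DISABLED line matching are my assumptions.

```bash
#!/bin/bash
# Added example, not the author's Jamf script. Assumes the policy passes the
# admin account name and password as $4 and $5 and (my assumption) the end
# user's password as $6; the end user is the account logged in at the console.
ADMIN_USER="${4:-}"; ADMIN_PASS="${5:-}"; END_PASS="${6:-}"

# Classify the line sysadminctl -secureTokenStatus prints (on stderr).
# Returns 0 for ENABLED, 1 for DISABLED, 2 if the text is not recognised.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  return 0 ;;
    *"Secure token is DISABLED for user"*) return 1 ;;
    *)                                      return 2 ;;
  esac
}

# Live status of an account (macOS only; sysadminctl writes to stderr).
token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a token to $3 (password $4) using token holder $1 (password $2).
# Both sides' credentials are required, which is the constraint the post describes.
grant_token() {
  sysadminctl -adminUser "$1" -adminPassword "$2" -secureTokenOn "$3" -password "$4"
}

main() {
  END_USER=$(stat -f '%Su' /dev/console)
  if ! token_status "$ADMIN_USER"; then
    if token_status "$END_USER"; then
      # End user already holds a token: that account must be the granting side.
      grant_token "$END_USER" "$END_PASS" "$ADMIN_USER" "$ADMIN_PASS" || exit 1
    else
      # Nobody holds a token yet: the admin can grant one to itself.
      grant_token "$ADMIN_USER" "$ADMIN_PASS" "$ADMIN_USER" "$ADMIN_PASS" || exit 1
    fi
  fi
  if ! token_status "$END_USER"; then
    grant_token "$ADMIN_USER" "$ADMIN_PASS" "$END_USER" "$END_PASS" || exit 1
  fi
  echo "Secure Token holders: $ADMIN_USER, $END_USER"  # FileVault can be enabled now
}

# Only run when invoked by Jamf with parameters; sourcing just defines the functions.
if [ -n "$ADMIN_USER" ]; then main; fi
```

Both passwords still travel through Jamf parameters, so keep the ‘echo’ lines away from $5 and $6: everything echoed ends up in the policy log.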