Bypassing the SecureToken dialog for mobile accounts

Ahh SecureToken; the gift that keeps on giving! macOS 10.13.4 introduced this new, undocumented dialog that would appear on first login under the following conditions:

  • If the filesystem is APFS
  • Whether or not FileVault is enabled
  • If the Mac is bound to a directory service (e.g. Active Directory or LDAP)
  • If the account logging in will be a directory based mobile account (i.e. it hasn’t been created yet)

The text reads:

Enter a SecureToken administrator’s name and password to allow this mobile account to log in at startup time.

You can Bypass this to continue creating your mobile account, but you may not be able to log in with this account when the computer starts up until your administrator resolves this issue.

I think Apple has good intentions with this dialog, especially if you’re using mobile accounts in conjunction with FileVault – this gives us an easier way to grant users SecureToken without having to use sysadminctl. But the problems with it are this:

  1. The context of SecureToken is quite technical, this dialog would be confusing to a lot of people.
  2. If you click Bypass, your mobile account is created and you’ll never see this dialog again. If the Mac is encrypted with FileVault, you won’t be able to unlock it with your mobile account credentials. Moreover, if the Mac is not encrypted with FileVault, you won’t be able to enable it with that mobile account.
  3. For shared Macs in lab settings that are not encrypted with FileVault and never will be, this dialog is not necessary, as well as confusing.

With the macOS 10.13.5 update, Apple quietly gave us a preference key to suppress it:

The domain is com.apple.MCX and the key is a boolean: cachedaccounts.askForSecureTokenAuthBypass 

Set it to TRUE and you’re done!

Here’s a Configuration Profile that would do it:

As a footnote, another way to avoid this dialog would be to switch to network based directory accounts. However, that would mean that the Mac must always be able to reach your directory service in order for users to log in, since network accounts aren’t cached (even if their home areas are local and do persist on disk).

Advertisements

Author: n.martin

Managing 450-odd Macs at a university, innit.

One thought on “Bypassing the SecureToken dialog for mobile accounts”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s