Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Tracking for Secure Token in 10.13

Tracking for the SecureToken attribute in 10.13

As part of Apple File System’s FileVault encryption on mac OS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume. To help make sure that at least one account has a Secure Token attribute associated with it, a Secure Token attribute is automatically added to the first account to log into the OS loginwindow on a particular Mac.

There are a few ways to verify if an account has SecureToken enabled. In the GUI, check the user account in Directory Utility > Directory Editor, under 'AuthenticationAuthority'. Leaving a screenshot below.

It's also possible to check using the sysadminctl command when run as Root. Screenshot to follow below.

It'd be good to have some way to track this in the Jamf Pro server, possibly alongside the other attributes listed for accounts in the Local User Accounts window.


Jamf wants to hear your feedback around Jamf Pro: LDAP Servers and Reports!