When a Mac is provisioned by an organization
When a Mac is provisioned by an organization before being given to a user, the IT department sets up the device. The local administrative account created in the macOS Setup Assistant used to provision or set up the Mac is granted a SecureToken. In macOS 10.15, if the MDM solution supports the Bootstrap Token feature, a Bootstrap Token is also generated during the macOS setup process and escrowed to the MDM solution. If the managed administrator account logs in to the Mac at a future date and time, the Bootstrap Token is used to automatically grant it SecureToken.
If the Mac is joined to a directory service and configured to create mobile accounts and if there is no Bootstrap Token, directory service users are prompted at first login for an existing SecureToken administratorʼs user name and password to grant their account a SecureToken. The local administrator credentials used to set up the Mac should be entered. If SecureToken isnʼt required, the user clicks Bypass. In macOS 10.13.5 or later, itʼs possible to suppress the SecureToken dialog completely if FileVault isn’t going to be used with the mobile accounts. To suppress the SecureToken dialog, apply a custom settings configuration profile from MDM with the following keys and values:
If the MDM solution supports the Bootstrap Token feature and one was generated by the Mac and escrowed to the MDM solution, Mobile Account users won’t see this prompt. Instead, they are automatically granted a SecureToken during login.
If additional local users are required on the Mac instead of user accounts from a directory service, those local users are automatically granted a SecureToken when they are created in System Preferences > Users & Groups by a current SecureToken-enabled administrator. If creating local users using the command-line is required, the
sysadminctl command-line tool can be used to create users and enable for them for SecureToken.
In these scenarios, the following users can unlock the FileVault-encrypted volume:
The original local administrator used for provisioning
Any additional directory service users granted SecureToken during the login process, either interactively using the dialog prompt or automatically with the Bootstrap Token
Any new local users created in System Preferences
To modify the whether specific accounts can unlock the storage device, the user can use
fdesetup remove -user.
When using one of the above described workflows, SecureToken is managed by macOS without any additional configuration or scripting being needed; it becomes an implementation detail and not something that needs to be actively managed or manipulated.