Big Sur User Account Changes for SecureToken #59

Open
miawri opened this issue Oct 16, 2020 · 2 comments
miawri commented Oct 16, 2020

Any chance a boolean switch could be included in pycreateuserpkg to deal with this?

If there aren’t any SecureToken enabled users on a Mac, setting a user password will enable SecureToken for that user only. If you use a workflow that programmatically creates a user and sets its password before other user accounts are created, the programmatically created user will be the only SecureToken enabled account. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute prior to setting this user’s password:
```bash
sudo dscl . append /Users/mdm_created_admin AuthenticationAuthority ";DisabledTags;SecureToken"
```

gregneagle (Owner) commented

Sure, there's a chance.

My concern is that this is poorly documented and supported by Apple, and I'll get the fun of support questions for this feature, with people expecting me to help them figure out why it doesn't work as they expect. It's also quite difficult to test to see if it has the desired effect. Certainly the code could insert that value into AuthenticationAuthority (though it cannot easily use dscl to do that when installing to a volume other than the current boot volume).

I already have my own solution for this I use internally (I don't actually use createuserpkg.py internally, I use an internal tool that shares code with the pycreateuserpkg project), so working on this is not likely to be a priority any time soon.

PicoMitchell commented Mar 20, 2021

I also think this would be a useful addition to pycreateuserpkg.

In my testing, this does properly prevent an account from being granted a Secure Token on macOS 11 Big Sur, but does not do anything on macOS 10.15 Catalina. Catalina users can still get granted Secure Tokens even after they have this added to their AuthenticationAuthority before being granted a Secure Token.

To avoid some user confusion, maybe the argument could be called something overly specific like "preventSecureTokenOnBigSurOrNewer".

The only reference from Apple to this that I've found is at https://support.apple.com/guide/deployment-reference-macos/using-secure-and-bootstrap-tokens-apdff2cf769b/web
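As an added example (not code from this issue or from pycreateuserpkg), the dscl step from the first comment wrapped so it is idempotent and followed by the verification step the later comments say is needed, since the tag is honoured on macOS 11 but not on 10.15. The `needs_securetoken_disabled_tag` helper only inspects an attribute value, so it can be exercised off a Mac; the other functions assume they run as root on the booted macOS volume, which is the case gregneagle notes dscl handles easily.

```bash
#!/bin/bash
# Added example: idempotently add ";DisabledTags;SecureToken" to a local
# user's AuthenticationAuthority *before* that user's password is set, so a
# programmatically created admin does not become the only Secure Token holder.
TAG=';DisabledTags;SecureToken'

# Pure helper: given the current AuthenticationAuthority value (as printed by
# `dscl . read`), return 0 if the tag still has to be appended, 1 if present.
needs_securetoken_disabled_tag() {
  case "$1" in
    *"$TAG"*) return 1 ;;   # already tagged, appending again is pointless
    *)        return 0 ;;
  esac
}

# Read the attribute from the local directory node (root required on macOS).
read_authentication_authority() {
  dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null
}

# Append the tag only when missing, then report the resulting token status.
# On 10.15 the status line is the only way to tell the tag was ignored.
add_securetoken_disabled_tag() {
  local user="$1" current
  current=$(read_authentication_authority "$user") || {
    echo "user $user not found in local node" >&2
    return 2
  }
  if needs_securetoken_disabled_tag "$current"; then
    dscl . -append "/Users/$user" AuthenticationAuthority "$TAG" || return 3
  fi
  # Prints "Secure token is DISABLED/ENABLED for user <name>".
  sysadminctl -secureTokenStatus "$user"
}

# Usage (hypothetical account name): sudo ./this.sh mdm_created_admin
if [ -n "${1:-}" ]; then
  add_securetoken_disabled_tag "$1"
fi
```

Run it between account creation and the password-setting step; once a Secure Token has already been granted the tag no longer changes anything.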
