Grant Secure Token (Mac) - superseded

Versioning - This is an older version.

Version 1: Grant Secure Token (Mac), 1/11/2024 10:15:07 PM
Version 2: Grant Secure Token (Mac), 5/6/2024 9:34:45 AM


This fixlet uses an existing account that already holds a secure token to grant a secure token to another account. The granting account, the receiving account and both passwords are supplied as action parameters.

If the granting user is not an administrator, the script temporarily adds them to the admin group for the duration of the grant and then returns them to a standard user account.

Logs are written to /Library/Application Support/BigFix/BES Agent/__BESData/__Global/SWDDeployData/SWD_DeploymentResults.log

Property Details

Status: QA - Ready for Production Level Testing
Title: Grant Secure Token (Mac)
Source Release Date: 1/11/2024 12:00:00 AM
Keywords: macos, secure token, grant, secure
Added by on 1/11/2024 10:15:07 PM
Last Modified by on 1/11/2024 10:23:07 PM
Counters: 840 Views / 1 Download


Relevance (used in 226 fixlets and 100 analyses; results in a true/false):
mac of operating system


Action 1 (default)

Script Type BigFix Action Script
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "SWD_DeploymentResults.log"
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"

wait sh -c "echo '' >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo $(date +%Y_%m_%d' '%T) >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo Action ID: {id of active action} >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"

delete __createfile
delete "__Download/"
createfile until _end_
# Action parameters are substituted by the BigFix client before this file is written.
# Note that both passwords end up on the sysadminctl command line below, where they are
# visible to other local processes for as long as that command runs.
adminUser="{parameter "adminUser" of action}"
adminPass="{parameter "adminPass" of action}"
receiverUser="{parameter "receiverUser" of action}"
receiverPass="{parameter "receiverPass" of action}"

# The granting account must already hold a secure token, otherwise the grant cannot succeed.
precheck=$(sysadminctl -secureTokenStatus $adminUser 2>&1)
if [[ "$precheck" == *"ENABLED"* ]]; then
    echo "Granting user $adminUser has a secure token. Continuing..." >> "{parameter "logFolder"}/{parameter "logFile"}"
elif [[ "$precheck" == *"DISABLED"* ]]; then
    echo "Granting user $adminUser does not have a secure token" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 1
else
    echo "Error" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 2
fi

# sysadminctl needs both passwords; stop early if either parameter was left empty.
if [ -z "$adminPass" ]; then
    echo "No password supplied for granting user $adminUser" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 1
fi

if [ -z "$receiverPass" ]; then
    echo "No password supplied for target user $receiverUser" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 1
fi

# Granting requires an administrator; elevate temporarily and remember to undo it afterwards.
if id -Gn $adminUser | grep -q -w admin; then
    echo "Granting user $adminUser is an administrator. Continuing..." >> "{parameter "logFolder"}/{parameter "logFile"}"
    resetUser=false
else
    echo "Granting user $adminUser is NOT an administrator. Temporarily elevating..." >> "{parameter "logFolder"}/{parameter "logFile"}"
    dscl . -merge /Groups/admin GroupMembership $adminUser >> "{parameter "logFolder"}/{parameter "logFile"}" 2>&1
    resetUser=true
fi

# sysadminctl can prompt interactively; piping empty input keeps the action from hanging.
yes "" | sysadminctl -secureTokenOn $receiverUser -password $receiverPass -adminUser $adminUser -adminPassword $adminPass >> "{parameter "logFolder"}/{parameter "logFile"}" 2>&1

if [ "$resetUser" = true ]; then
    echo "Returning $adminUser to standard user" >> "{parameter "logFolder"}/{parameter "logFile"}"
    dseditgroup -o edit -d $adminUser -t user admin >> "{parameter "logFolder"}/{parameter "logFile"}" 2>&1
fi

# Verify the result rather than trusting sysadminctl's exit status.
check=$(sysadminctl -secureTokenStatus $receiverUser 2>&1)
if [[ "$check" == *"ENABLED"* ]]; then
    echo "Target user $receiverUser has a secure token" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 0
elif [[ "$check" == *"DISABLED"* ]]; then
    echo "Target user $receiverUser does not have a secure token" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 1
else
    echo "Error" >> "{parameter "logFolder"}/{parameter "logFile"}"
    exit 2
fi
_end_
copy "__createfile" "__Download/"
wait chmod +x "__Download/"
wait /bin/zsh "__Download/"
parameter "error" = "{exit code of action}"
delete __createfile
delete "__Download/"

if {parameter "error" != "0"}
    exit {parameter "error"}
endif

exit {parameter "error"}
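The two decisions the script above relies on, reproduced as plain POSIX shell functions so they can be exercised off-box (an added example, not part of the fixlet): classifying `sysadminctl -secureTokenStatus` output into the fixlet's exit codes, and the whole-word admin-group check that `grep -w admin` performs. The sample command output and user names are constructed assumptions.

```shell
#!/bin/sh
# Constructed samples shaped like sysadminctl's stderr (timestamps and PIDs are made up).
SAMPLE_ENABLED='2024-01-11 22:15:07 sysadminctl[4242:9001] Secure token is ENABLED for user alice'
SAMPLE_DISABLED='2024-01-11 22:15:07 sysadminctl[4242:9002] Secure token is DISABLED for user bob'
SAMPLE_NOUSER='2024-01-11 22:15:07 sysadminctl[4242:9003] User nobody not found'

# token_state OUTPUT -> prints ENABLED, DISABLED or UNKNOWN.
# Any output that is neither (unknown user, tool error) must land in UNKNOWN,
# which is the case the fixlet's "else" branch turns into exit code 2.
token_state() {
    case "$1" in
        *DISABLED*) echo DISABLED ;;
        *ENABLED*)  echo ENABLED ;;
        *)          echo UNKNOWN ;;
    esac
}

# token_exit_code OUTPUT -> returns the fixlet's exit code: 0 enabled, 1 disabled, 2 otherwise.
token_exit_code() {
    case "$(token_state "$1")" in
        ENABLED)  return 0 ;;
        DISABLED) return 1 ;;
        *)        return 2 ;;
    esac
}

# is_admin_member GROUPS -> 0 when "admin" appears as a whole word in an `id -Gn` style
# group list. Whole-word matching matters: macOS has groups such as _lpadmin whose
# names merely contain "admin", and those must not be mistaken for admin membership.
is_admin_member() {
    case " $1 " in
        *" admin "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Same consequence the fixlet draws from that check: elevate (and later reset) only if needed.
needs_elevation() {
    if is_admin_member "$1"; then echo false; else echo true; fi
}
```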
Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.


Mitin77 -
Grant Secure Token (Mac) refers to a process in macOS that enables a user account to access FileVault encryption keys, allowing for secure login and access to encrypted data. This feature is particularly important for managing user authentication and access control in enterprise environments or shared Mac systems. Granting Secure Tokens ensures that users can securely access their encrypted data while maintaining system security and integrity.