
SecureToken rules

The Secure Token is a critical security identifier in macOS that enables actions like changing passwords and creating user accounts, ensuring compliance with Apple’s security standards and proper user management through Factorial IT.

This article explains what the Secure Token is on macOS, its role in local user management, and why it is required for actions such as changing user passwords or creating new user accounts.

What is the Secure Token?

The Secure Token is a security identifier generated by macOS and linked to a local user account.

It enables data encryption and decryption through FileVault. A user with a Secure Token is considered “authorized” to perform sensitive system actions such as:

  • Enabling or disabling FileVault
  • Changing another local user’s password (if that user holds a Secure Token)
  • Creating a new local user
  • Granting a Secure Token to another account

Without a Secure Token, these operations fail even when they are attempted from an administrator account.

Why the Secure Token matters for Factorial IT

Factorial IT relies on the Secure Token to securely manage macOS users.

When resetting a password or creating a new user through Factorial IT, macOS requires that the action be initiated by an account that holds a Secure Token.

This ensures:

  • Compliance with Apple’s security requirements
  • Continued access to the FileVault-encrypted disk
  • Proper execution of user management actions via Factorial IT

Check the Secure Token status in Factorial IT

The Secure Token status is displayed directly in the Factorial IT cockpit, under the Users tab of the relevant device.

You can quickly verify whether the macOS administrator account used by Factorial IT holds an active Secure Token.

To ensure proper user management via Factorial IT, make sure the administrator account linked to the device has a Secure Token.

Transfer SecureToken

If one account already holds a SecureToken and you want another account to have one as well, follow this procedure:

  1. If needed, promote the account that holds the SecureToken to administrator (it must be able to run sudo).
  2. Run sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword - (the "-" after each password flag makes sysadminctl prompt for the password instead of taking it on the command line).
  3. To check whether the SecureToken is now enabled on the new account, run sudo sysadminctl -secureTokenStatus seconduseraccount
  4. If needed, demote the account back to a standard user.

The cockpit can take up to 24 hours to update the local account status on the device’s users tab.
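
As an added example (not Factorial IT's own tooling), the script below wraps steps 2 and 3 of the procedure so that the grant is only attempted when the granting account actually holds a SecureToken, and the result is verified afterwards. It assumes sysadminctl reports "Secure token is ENABLED for user ..." or "... DISABLED ..." and that the two account names are passed as arguments.

```shell
#!/bin/sh
# Added example (not Factorial IT's own tooling): check Secure Token status on
# the granting and receiving accounts around the transfer step.
# Usage (on the Mac, as a sudoer): sudo sh secure_token_transfer.sh firstuser seconduser
# Assumption: sysadminctl prints "Secure token is ENABLED for user ..." or
# "... DISABLED ..." on stderr, so stderr is merged into stdout before parsing.

# token_state RAW_OUTPUT -> prints ENABLED, DISABLED or UNKNOWN
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
        *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
        *)                            printf 'UNKNOWN\n' ;;
    esac
}

# account_token_state USER -> queries sysadminctl and classifies its message
account_token_state() {
    token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# The procedure only runs when two account names are given; sourcing the file
# for its functions (or running it without arguments) does nothing.
if [ "$#" -eq 2 ]; then
    from="$1"; to="$2"
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }

    # Precondition: the granting account must itself hold a Secure Token.
    if [ "$(account_token_state "$from")" != "ENABLED" ]; then
        echo "$from has no Secure Token; use an account that holds one" >&2
        exit 1
    fi

    # Skip the grant if the target already has a token (safe to re-run).
    if [ "$(account_token_state "$to")" = "ENABLED" ]; then
        echo "$to already has a Secure Token"
        exit 0
    fi

    # Step 2 of the procedure: both passwords are prompted interactively ("-"),
    # so neither ends up in the shell history or the process list.
    sysadminctl -secureTokenOn "$to" -password - -adminUser "$from" -adminPassword -

    # Step 3: verify, and fail loudly if the grant did not take effect.
    state="$(account_token_state "$to")"
    echo "$to: Secure Token $state"
    [ "$state" = "ENABLED" ] || exit 1
fi
```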

SecureToken behaviours (macOS only)

Creation method | Admin account | Non-admin account
--------------- | ------------- | -----------------
Created by Factorial IT during ZTD | SecureToken automatically enabled | No SecureToken provided
Created automatically by the "Admin account" policy | SecureToken provided on first login of the account | No SecureToken provided
Created manually by the customer via Factorial IT | SecureToken provided on first login of the account | No SecureToken provided
Created manually by the customer locally | SecureToken provided if created from an admin account that holds a SecureToken | No SecureToken provided
Created via sysadminctl by the customer, locally or remotely | SecureToken provided if created using an admin that holds a SecureToken | SecureToken provided if created using an admin that holds a SecureToken
