Bypass Secure Token on AD Accounts

jared_f

Anytime a new user was signing in with his/her AD credentials, they were being prompted for an administrator username/password to bypass secure token. Here is an excerpt from the attached article explaining what causes the problem:

 

"Ahh SecureToken; the gift that keeps on giving! macOS 10.13.4 introduced this new, undocumented dialog that would appear on first login under the following conditions:

  • If the filesystem is APFS
  • Whether or not FileVault is enabled
  • If the Mac is bound to a directory service (e.g. Active Directory or LDAP)
  • If there is a local administrator account present that has logged in at least once (e.g. the one created during the Setup Assistant).
  • If the account currently logging in will be a directory based mobile account (i.e. it hasn’t been created yet and is logging in for the first time)"

 

Luckily the author of this article has us covered with a custom profile that you can install on the computer level with Meraki to fix this.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.MCX</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>cachedaccounts.askForSecureTokenAuthBypass</key>
								<true/>
							</dict>
						</dict>
					</array>
				</dict>
			</dict>
			<key>PayloadDescription</key>
			<string></string>
			<key>PayloadDisplayName</key>
			<string>Custom</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>FF71CE36-0F95-42CB-81C6-67F1288AA037</string>
			<key>PayloadOrganization</key>
			<string>Your Organisation</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>FF71CE36-0F95-42CB-81C6-67F1288AA037</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>System - SecureToken Dialog Bypass</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>139BEF61-F90E-4BBB-9A3E-EAF3FE090B91</string>
	<key>PayloadOrganization</key>
	<string>Your Organisation</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>139BEF61-F90E-4BBB-9A3E-EAF3FE090B91</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Thanks to the author Neil Martin. Here is the link to the article:

https://soundmacguy.wordpress.com/2018/06/02/bypassing-the-securetoken-dialog-for-mobile-accounts/

Find this helpful? Click the kudos button. Thanks!
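
An added example, not part of the original post or the linked article: before a profile copied from the web is pushed through MDM, it is worth listing exactly which managed preferences it forces and at what scope. The Python below does that for a trimmed, constructed copy of the profile above; `forced_settings`, `review` and the `EXPECTED` allow-list are hypothetical names chosen for this illustration.

```python
import plistlib

# Constructed sample: a trimmed copy of the profile structure shown in the post.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadContent</key><dict>
   <key>com.apple.MCX</key><dict>
    <key>Forced</key><array><dict>
     <key>mcx_preference_settings</key><dict>
      <key>cachedaccounts.askForSecureTokenAuthBypass</key><true/>
     </dict></dict></array></dict></dict>
  <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
 </dict></array>
 <key>PayloadScope</key><string>System</string>
 <key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

def forced_settings(profile_bytes):
    """Return {(domain, key): value} for every Forced managed preference."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, body in payload.get("PayloadContent", {}).items():
            for entry in body.get("Forced", []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    found[(domain, key)] = value
    return found

def review(profile_bytes, allowed):
    """List problems: wrong scope, or forced settings outside the allow-list."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System")
    for item, value in forced_settings(profile_bytes).items():
        if allowed.get(item) != value:
            problems.append(f"unexpected forced setting {item} = {value!r}")
    return problems

# Hypothetical allow-list: the single setting this profile is meant to force.
EXPECTED = {("com.apple.MCX", "cachedaccounts.askForSecureTokenAuthBypass"): True}

if __name__ == "__main__":
    print(forced_settings(SAMPLE_PROFILE))
    print(review(SAMPLE_PROFILE, EXPECTED) or "profile forces only the expected key")
```

Run against the full `.mobileconfig` file by passing its bytes (for example `open(path, "rb").read()`) to `review`.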