gregneagle
commented
4 years ago Sure, there's a chance.
My concern is that is poorly documented and supported by Apple, and I'll get the fun of support questions for this feature, with people expecting me to help them figure out why it doesn't work as they expect. It's also quite difficult to test to see if if has the desired effect. Certainly the code could insert that value into AuthenticationAuthority (though it cannot easily use dscl to do that when installing to a volume other than the current boot volume).
I already have my own solution for this I use internally (I don't actually use createuserpkg.py internally, I use an internal tool that shares code with the pycreateuserpkg project), so working on this is not likely to be a priority any time soon.
PicoMitchell
Any chance a boolean switch could be included in pycreateuserpkg to deal with this?
If there aren’t any SecureToken enabled users on a Mac, setting a user password will enable SecureToken for that user only. If you use a workflow that programmatically creates a user and sets its password before other user accounts are created, the programmatically created user will be the only SecureToken enabled account. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute prior to setting this user’s password: sudo dscl . append /Users/mdm_created_admin AuthenticationAuthority “;DisabledTags;SecureToken”