mpanighetti / add-securetoken-to-logged-in-user

Adds SecureToken to currently logged-in user, allowing that user to use FileVault and disk encryption on APFS-formatted startup volumes.

Possible to include SecureAdminPass as a parameter? #4

Closed Freda72 closed 4 years ago

Freda72 commented 4 years ago

Hi there.

What needs to be changed if I want the admin password to be included as a parameter? I have tried to figure it out but soon realized that I am no good at coding.

Regards Freda

mpanighetti commented 4 years ago

Here's the section of the script you'd want to modify for that:

https://github.com/mpanighetti/add-securetoken-to-logged-in-user/blob/master/Add%20SecureToken%20to%20Logged-In%20User.sh#L151-L155

Just comment out the while loop lines, then set secureTokenAdminPass to a new Jamf Pro parameter ($6 and later are not taken). A few things to note, however:

Hope that helps!

Freda72 commented 4 years ago

Hi. When I run the script from Jamf I get this error:

```
Script result: ✅ Verified ***** has SecureToken.
&&&&&&&& missing SecureToken, prompting for credentials...
35:43: execution error: An error of type -10810 has occurred. (-10810)
❌ ERROR: A password was not entered for &&&&&&&&, unable to proceed. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.
```

I don't get the option to enter a password. I have not yet inserted the validation string.

But if I run it in Terminal on a computer where I don't have a Secure Token, it works perfectly with the modification to Jamf Pro parameters, but then I have the admin password in clear text.

Do you have any idea what is going wrong?

mpanighetti commented 4 years ago

Can you share the changes you made to the script?

Freda72 commented 4 years ago

```
secureTokenAdmin="Admin"
secureTokenAdminPass="AdminPassword" #added this at line 26
```

```
147 # Add SecureToken to $loggedInUser.
148 while [[ $(/usr/sbin/sysadminctl -secureTokenStatus "$loggedInUser" 2>&1) =~ "DISABLED" ]]; do
149
150 # Get $secureTokenAdmin password.
151 /bin/echo "$loggedInUser missing SecureToken, prompting for credentials..."
152 #while [[ $(/usr/bin/dscl "/Local/Default" authonly "$secureTokenAdmin" "$targetUserPass" > "/dev/null" 2>&1; /bin/echo $?) -ne 0 ]]; do
153 #local_account_password_prompt "$secureTokenAdmin" ". User's credentials are needed to grant a SecureToken to $loggedInUser."
154 #local_account_password_validation "$secureTokenAdmin" "$targetUserPass"
155 #done
156 #secureTokenAdminPass="$targetUserPass"
```

So the only change I have made is that I added line 26 and marked out 150-156. Since it works when I am running it locally, I am thinking that it might be an issue when running a script from Jamf Pro, but that seems weird.

mpanighetti commented 4 years ago

One possibility is that your SecureToken admin password contains special characters that are breaking out of the string when run via Jamf Pro. Try changing it to a simpler password and seeing if it successfully runs in the policy, that'd be a good test at least.
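
One way special characters can alter a hardcoded password, shown as an added example that is not part of this thread or the project's script: inside a double-quoted assignment the shell still interprets `$`, backticks, `\` and `"`, while a single-quoted literal or a quoted positional parameter keeps the value verbatim. The function names and the choice of `$6` for the password are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the project's script.

# True if the value holds a character the shell interprets inside a
# double-quoted literal ($ ` \ "), i.e. secureTokenAdminPass="..." would
# store something other than what was typed.
needs_single_quotes() {
    case "$1" in
        *'$'*|*'`'*|*'\'*|*'"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value as a single-quoted shell literal, which is taken verbatim.
# An embedded single quote is written as '\''.
single_quote_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Return the password from positional parameter 6 (assumed here to be the
# Jamf Pro parameter chosen for it); always expand it as "$6", quoted.
admin_pass_from_params() {
    if [ "$#" -lt 6 ] || [ -z "$6" ]; then
        echo "parameter 6 (SecureToken admin password) is empty" >&2
        return 1
    fi
    printf '%s' "$6"
}

# Constructed sample value, not a real credential.
sample='Pa$HOME`id`"q\z'
if needs_single_quotes "$sample"; then
    printf 'hardcode as: secureTokenAdminPass=%s\n' "$(single_quote_literal "$sample")"
fi
```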