Tracking Secure Token and Volume Owner users in Jamf Pro

With the introduction of APFS, Apple introduced secure tokens which allow users to unlock FileVault. If there are no users who have a secure token, you may find yourself in a position where you cannot enable FileVault or unlock FileVault.

Most recently, with Macs running on Apple silicon, Apple introduced the concept of volume ownership, which determines which users are authorized to make changes to the volume. Volume ownership matters in at least two important scenarios: OS upgrades and OS updates. If there are no users who have volume ownership, you may find yourself unable to perform OS updates.

Whether or not a user is an administrator also determines which tasks that user can perform.

Apple covers the concepts of Secure Tokens, Volume Ownership and Bootstrap Token in more detail in its enterprise-focused deployment guide. If you’re running newer versions of macOS, Apple has tried to close all gaps where a managed device might be configured without a secure token or volume owner user. Ideally, you don’t have any Macs like this in your environment.

Needless to say, it’s useful to track this information in Jamf Pro. I created two extension attributes to track Secure Token users and Volume Owner users a while ago but never wrote a blog post to cover them.

Secure Token Users

The Secure Token Users extension attribute will report all user accounts that have a secure token. If a user is found to have a secure token, the results will be displayed as:

  • Admins: user1, user2 (or “None” if none found)
  • Non-Admins: user1, user2 (or “None” if none found)

If no user is found to have a secure token, the result will be:

  • “No Secure Token Users”

If an unsupported file system is found, the result will be:

  • Unsupported File System: (File System Type)

Volume Owner Users

The Volume Owner Users extension attribute will report all Volume Owners on Apple Silicon Macs. If a user is found to be a volume owner, the results will be displayed as:

  • Admins: user1, user2 (or “None” if none found)
  • Non-Admins: user1, user2 (or “None” if none found)

If no user is found to be a volume owner, the result will be:

  • “No Volume Owners”

If an unsupported file system is found, the result will be:

  • Unsupported File System: (File System Type)

If an unsupported architecture is found, the result will be:

  • Unsupported Platform: (architecture)
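The following script is an added example of how the two extension attributes described above can be built; it is not the author’s own extension attribute code. It assumes it runs as root under the Jamf agent on macOS, that `sysadminctl -secureTokenStatus` reports "Secure token is ENABLED" on stderr, and that `diskutil apfs listUsers /` lists cryptographic users by GeneratedUID with a "Volume Owner: Yes" line, so user names are recovered through `dscl`. The `MODE` variable selects which of the two attributes a given copy of the script produces; the result strings match the formats listed above.

```shell
#!/bin/bash
# Added example, not the author's extension attributes. Assumptions: run as
# root by the Jamf agent on macOS; the sysadminctl and diskutil output shapes
# parsed below match current macOS releases.
MODE="securetoken"   # set to "volumeowner" for the second extension attribute

# Pure formatting helper. $1: users that matched (space separated),
# $2: members of the local admin group, $3: message when nothing matched.
# Produces the two-line "Admins: ... / Non-Admins: ..." summary from the post.
format_summary() {
    local users="$1" admins="$2" empty_msg="$3" admin_list="" nonadmin_list="" u
    for u in $users; do
        case " $admins " in
            *" $u "*) admin_list="${admin_list:+$admin_list, }$u" ;;
            *)        nonadmin_list="${nonadmin_list:+$nonadmin_list, }$u" ;;
        esac
    done
    if [ -z "$admin_list" ] && [ -z "$nonadmin_list" ]; then
        printf '%s\n' "$empty_msg"
        return
    fi
    printf 'Admins: %s\nNon-Admins: %s\n' "${admin_list:-None}" "${nonadmin_list:-None}"
}

# Local accounts with UID >= 500 (skips macOS service accounts).
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Members of the local admin group, e.g. "root admin jdoe".
admin_users() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null | cut -d' ' -f2-
}

# Users whose sysadminctl status line (printed on stderr) says ENABLED.
secure_token_users() {
    local u
    for u in $(local_users); do
        if sysadminctl -secureTokenStatus "$u" 2>&1 | grep -q 'is ENABLED'; then
            printf '%s ' "$u"
        fi
    done
}

# Volume owners: diskutil lists cryptographic users by GeneratedUID, so map
# each local account's GeneratedUID back to its user name.
volume_owner_users() {
    local owner_uuids u uuid
    owner_uuids=$(diskutil apfs listUsers / \
        | awk '/^\+--/ { id=$2 } /Volume Owner: Yes/ { print id }')
    for u in $(local_users); do
        uuid=$(dscl . -read "/Users/$u" GeneratedUID | awk '{ print $2 }')
        if printf '%s\n' "$owner_uuids" | grep -qxF "$uuid"; then
            printf '%s ' "$u"
        fi
    done
}

# Applies the file system and platform checks, then emits the Jamf result.
report() {
    local fs arch summary
    fs=$(diskutil info / | awk -F': *' '/File System Personality/ { print $2 }')
    if [ "$fs" != "APFS" ]; then
        summary="Unsupported File System: $fs"
    elif [ "$MODE" = "volumeowner" ]; then
        arch=$(uname -m)
        if [ "$arch" != "arm64" ]; then
            summary="Unsupported Platform: $arch"
        else
            summary=$(format_summary "$(volume_owner_users)" "$(admin_users)" "No Volume Owners")
        fi
    else
        summary=$(format_summary "$(secure_token_users)" "$(admin_users)" "No Secure Token Users")
    fi
    printf '<result>%s</result>\n' "$summary"
}

# Only collect on macOS; the formatting helper itself is portable.
if [ "$(uname)" = "Darwin" ]; then
    report
fi
```

Deploy one copy per extension attribute with `MODE` set accordingly. Keeping the collection and the formatting separate means the summary logic can be checked on any machine, while a Mac whose startup volume is not APFS, or a Volume Owner check on an Intel Mac, short-circuits to the unsupported message before any account is inspected.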

Once you’ve got these extension attribute scripts running in your Jamf environment, you can run reports against computers that have no secure token users and/or no volume owner users and take steps to remediate. Or, if you want to look at a device in a one-off situation, you can see which users hold a secure token or volume ownership and whether each is an admin. In the worst case, the device will need to be backed up, wiped and have the OS reinstalled so that it goes through provisioning again.
