Prompting for SecureToken Access

Issue/Question

When I attempt to log in on a Mac, I get a message:

Enter a SecureToken administrator's name and password to allow this mobile account to use FileVault.

You can Bypass this to continue creating your mobile account, but if this volume is encrypted, you may not be able to log in when the computer starts up.

Environment

  • WKU-Owned Macs

Cause

To allow logging in with a WKU NetID on Macs, the first login creates a personalized mobile account on the computer. This account does not initially have administrator rights. An administrator account already on the computer must grant SecureToken access to the new account.

FileVault is a security feature that encrypts the computer, enhancing the protection of the operating system. By default, FileVault is disabled.

SecureToken is a setting that permits accounts on the computer to use the computer when FileVault is enabled.

Resolution

  1. When a Mac is prepared or refreshed by ITS, the primary user of the computer should be given SecureToken access during the initial setup process.
  2. A secondary user of the computer can be given SecureToken access by the primary user, if desired.
  3. If the primary user is unable to grant SecureToken access, click Bypass. This will let a secondary user access the computer, as long as FileVault remains disabled.
  4. If FileVault is enabled, only ITS and/or the primary user of the computer will be able to log into the computer.
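
To see which case above applies to an account, an administrator can read both states from Terminal. The script below is an added example, not part of the original article; it assumes the output formats of the macOS commands sysadminctl -secureTokenStatus and fdesetup status, and the account name jdoe and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: read SecureToken and FileVault state, apply the rules above.
# SAMPLE_* lines are constructed, in the format the macOS tools print.
SAMPLE_TOKEN='2020-08-05 16:00:00.000 sysadminctl[512:4096] Secure token is DISABLED for user jdoe'
SAMPLE_FV='FileVault is On.'

# Parse output of: sysadminctl -secureTokenStatus <user>
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Parse output of: fdesetup status
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo On ;;
    *"FileVault is Off"*) echo Off ;;
    *)                    echo UNKNOWN ;;
  esac
}

# $1 = FileVault state, $2 = SecureToken state
login_outcome() {
  case "$1:$2" in
    Off:*)       echo "can log in while FileVault stays off" ;;
    On:ENABLED)  echo "can log in at startup" ;;
    On:DISABLED) echo "cannot log in at startup; needs SecureToken" ;;
    *)           echo "undetermined" ;;
  esac
}

# $1 = user, $2 = fdesetup output, $3 = sysadminctl output
report() {
  fv=$(filevault_state "$2"); tok=$(token_state "$3")
  echo "$1: FileVault=$fv SecureToken=$tok -> $(login_outcome "$fv" "$tok")"
}

if command -v sysadminctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
  # On a Mac: pass the account's short name as the first argument.
  report "$1" "$(fdesetup status 2>&1)" "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
else
  report jdoe "$SAMPLE_FV" "$SAMPLE_TOKEN"   # constructed sample, offline
fi
```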

Details

Article ID: 3612
Created: Wed 8/5/20 4:00 PM
Modified: Fri 8/21/20 10:20 PM