Big Sur User Account Changes for SecureToken

[miawri]

Any chance a boolean switch could be included in pycreateuserpkg to deal with this?

If there aren’t any SecureToken enabled users on a Mac, setting a user password will enable SecureToken for that user only. If you use a workflow that programmatically creates a user and sets its password before other user accounts are created, the programmatically created user will be the only SecureToken enabled account. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute prior to setting this user’s password:
sudo dscl . append /Users/mdm_created_admin AuthenticationAuthority “;DisabledTags;SecureToken”

[gregneagle]

Sure, there's a chance.

My concern is that is poorly documented and supported by Apple, and I'll get the fun of support questions for this feature, with people expecting me to help them figure out why it doesn't work as they expect. It's also quite difficult to test to see if if has the desired effect. Certainly the code could insert that value into AuthenticationAuthority (though it cannot easily use dscl to do that when installing to a volume other than the current boot volume).

I already have my own solution for this I use internally (I don't actually use createuserpkg.py internally, I use an internal tool that shares code with the pycreateuserpkg project), so working on this is not likely to be a priority any time soon.

[PicoMitchell]

I also think this would be a useful addition to pycreateuserpkg.

In my testing, this does properly prevent an account from being granted a Secure Token on macOS 11 Big Sur, but does not do anything on macOS 10.15 Catalina. Catalina users can still get granted Secure Tokens even after they have this added to their AuthenticationAuthority before being granted a Secure Token.

To avoid some user confusion, maybe the argument could be called something overly specific like "preventSecureTokenOnBigSurOrNewer".

The only references from Apple to this that I've found is at https://support.apple.com/guide/deployment-reference-macos/using-secure-and-bootstrap-tokens-apdff2cf769b/web