This article explains what the Secure Token is on macOS, its role in local user management, and why it is required for actions such as changing user passwords or creating new user accounts.

What is the Secure Token?

The Secure Token is a per-account credential that macOS generates and stores in the local user record: a copy of the FileVault key-encryption key wrapped with that user's password. Holding one is what lets an account unlock the FileVault-encrypted volume, and macOS treats a Secure Token holder as "authorized" for sensitive account operations such as:
  • Enabling or disabling FileVault
  • Changing the password of another local user who holds a Secure Token
  • Creating a new local user who will be able to unlock FileVault (the new account only receives a Secure Token if the account creating it holds one)
  • Granting a Secure Token to another account
Without a Secure Token these operations fail, or produce accounts that cannot unlock the FileVault-encrypted disk, even when they are performed from an administrator account: administrator rights and the Secure Token are independent, and neither implies the other.

Why the Secure Token matters for Primo

Primo relies on the Secure Token to securely manage macOS users. When resetting a password or creating a new user through Primo, macOS requires that the action be initiated by an account that holds a Secure Token. This ensures:
  • Compliance with Apple’s security requirements
  • Continued access to the FileVault-encrypted disk
  • Proper execution of user management actions via Primo

Check the Secure Token status in Primo

The Secure Token status is displayed directly in the Primo cockpit, under the Users tab of the relevant device. You can quickly verify whether the macOS administrator account used by Primo holds an active Secure Token.
To ensure proper user management via Primo, make sure the administrator account linked to the device has a Secure Token.

Transfer Secure Token

If one local account already holds a Secure Token and you want a second account to hold one too, have the token holder grant it:
  1. If needed, promote the account that holds the Secure Token to administrator: the commands below run under sudo, so the account running them must be allowed to do so.
  2. Run sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword - (replace the two account names; each - makes sysadminctl prompt for that password interactively instead of taking it on the command line, where it would be visible in shell history and process listings).
  3. Check that the second account now holds the token with sudo sysadminctl -secureTokenStatus seconduseraccount; sysadminctl reports on stderr with a line such as Secure token is ENABLED for user seconduseraccount.
  4. If needed, demote the first account back to a standard user.
The cockpit can take up to 24 hours to update the local account status on the device’s users tab.
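As an added example (this is not Primo's or Apple's own tooling), the POSIX shell script below wraps the procedure above so it can be run repeatably: it checks the target account's Secure Token status, refuses to continue if the granting account has no token to pass on, grants the token with the same interactive-password form of sysadminctl, re-checks the target afterwards instead of trusting the command's exit code, and finally looks the account up in fdesetup list to confirm it can unlock FileVault. The account names are placeholders, and the sample sysadminctl and fdesetup output in the comments is constructed from the formats those tools print.

```shell
#!/bin/sh
# Added example, not Primo's or Apple's code: check whether a local macOS
# account holds a Secure Token, grant one from an account that already has it,
# and confirm the target shows up as a FileVault-enabled user.
# Account names are placeholders (assumptions); "-" tells sysadminctl to prompt
# for passwords so they never appear in shell history or `ps` output.

# sysadminctl writes its report to stderr as one line, e.g. (constructed sample)
#   sysadminctl[812:9011] Secure token is ENABLED for user alice
# Prints enabled|disabled|unknown; exit status 0 only when enabled.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo enabled;  return 0 ;;
        *"Secure token is DISABLED for user"*) echo disabled; return 1 ;;
        *)                                     echo unknown;  return 2 ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Returns 0 if $2 (a user name) appears in $1 (the captured output).
fdesetup_list_has_user() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Live query on a Mac: exit 0 when the account holds a Secure Token.
# stderr is merged because that is where sysadminctl reports.
secure_token_enabled() {
    parse_secure_token_status "$(sudo sysadminctl -secureTokenStatus "$1" 2>&1)" >/dev/null
}

# Grant a Secure Token to $1, authorised by the existing token holder $2.
grant_secure_token() {
    sudo sysadminctl -secureTokenOn "$1" -password - \
                     -adminUser "$2" -adminPassword -
}

# Idempotent wrapper: refuses to proceed if the grantor has no token to pass on,
# and re-checks the target afterwards instead of trusting the command's exit code.
ensure_secure_token() {
    target="$1"; grantor="$2"
    if secure_token_enabled "$target"; then
        echo "$target already holds a Secure Token"
        return 0
    fi
    if ! secure_token_enabled "$grantor"; then
        echo "refusing: $grantor has no Secure Token to grant" >&2
        return 1
    fi
    grant_secure_token "$target" "$grantor" || return 1
    if ! secure_token_enabled "$target"; then
        echo "grant reported success but $target still has no Secure Token" >&2
        return 1
    fi
    if fdesetup_list_has_user "$(sudo fdesetup list)" "$target"; then
        echo "$target holds a Secure Token and is a FileVault-enabled user"
    else
        echo "note: $target holds a Secure Token but is not yet in 'fdesetup list'" >&2
    fi
}

# Usage: ./ensure_secure_token.sh <target-account> <account-with-token>
# Runs only on macOS, where sysadminctl exists; elsewhere the functions are
# merely defined so the parsers can be exercised on captured output.
if [ "$#" -eq 2 ] && command -v sysadminctl >/dev/null 2>&1; then
    ensure_secure_token "$1" "$2"
fi
```

The parsers are kept separate from the sudo calls so they can be tested on captured output without touching a real account; on a Mac, run the script with the two account names and answer the password prompts.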

Secure Token behaviors (macOS only)

For each way a local account can be created, the following shows whether the new account receives a Secure Token, depending on whether it is an administrator account or a standard (non-admin) account.

Created by Primo during ZTD
  • Admin account: Secure Token automatically enabled
  • Non-admin account: no Secure Token provided

Created automatically by the "Admin account" policy
  • Admin account: Secure Token provided on first login of the account
  • Non-admin account: no Secure Token provided

Created manually by the customer via Primo
  • Admin account: Secure Token provided on first login of the account
  • Non-admin account: no Secure Token provided

Created manually by the customer locally
  • Admin account: Secure Token provided if created from an admin account that holds a Secure Token
  • Non-admin account: no Secure Token provided

Created via sysadminctl by the customer, locally or remotely
  • Admin account: Secure Token provided if created using an admin account that holds a Secure Token
  • Non-admin account: Secure Token provided if created using an admin account that holds a Secure Token