Command to add a secure token to a macOS user account

If you run sysadminctl -secureTokenStatus firstuseraccount and see a secure token is enabled for that first account but run sysadminctl -secureTokenStatus seconduseraccount and see a secure token is not enabled for that second account, you can try adding a secure token to the second account, so it can turn on FileVault or become a FileVault-enabled account.

Try logging out of the second account and logging into the first account, and then running this command: sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword -

You should be prompted first for the password to the first account, and then for the password for the second account.

If it worked, then sysadminctl -secureTokenStatus seconduseraccount should show a secure token enabled for the second account.

If, on the other hand, you get an error message like Operation is not permitted without secure token unlock, you may have to wipe the Mac and reinstall macOS (I’d love to hear differently if folks have a working solution).





13 responses to “Command to add a secure token to a macOS user account”

  1. Tab Nawaz Avatar
    Tab Nawaz

    Would you have a workflow to get FileVault to work on Big Sur
    I have a standard users account to login

  2. Jeff Forrest Avatar
    Jeff Forrest

    I was getting the “Operation is not permitted without secure token unlock” message but was able to fix it without a wipe and reinstall for an account using this command:

    sudo sysadminctl -adminUser “ourAdminAccount” -adminPassword “password” -secureTokenOn “localUser” -password “theirPassword”

    1. Brent Plummer Avatar
      Brent Plummer

      Sweet, thanks for the adminUser/Password bit. Also solved it for me.

  3. Emmanuel Avatar

    Jeff Forrest’s comment worked for me

  4. David Tan Avatar
    David Tan

    I’ve been laboring over this problem for more than a month now and I’ve been trying to dig deep into the internet for an answer. I’m just happy enough that I’ve finally solved it and I want to share with others the solution.

    For the last part, if you’re still getting an “Operation is not permitted without secure token unlock”, you have to first reset or change the password of the Tokenized account to its original password. In my case, I changed it from its current “12345” password to its original “1234”. Then I did what Jeff Forrest here said, and it all worked perfectly.

    1. Duncan Avatar

      What can be done if I don’t have the original password? Anything? or should I just plan a reinstall?

      1. Thomas Avatar

        Ditto Duncan’s question, any hope if the original PW is unknown?

  5. Adam Avatar

    With this blog post you have single-handedly solved the problem that Accenture IT providing their services to one of the major technology brands could not solve FOR MONTHS 😀
    Thank you!

  6. Eric Avatar

    Thank you, Jeff! Your post saved me from a re-install.

  7. Marion Avatar

    Jeff’s method worked for me, going from 13.4 to 13.5.1 on an MDM-enrolled Mac where the local admin account didn’t get a token, but the 1:1 user account (a teacher) did. So I made the teacher account be admin long enough to set a token for the local admin account, and now all is well. Thank you!

  8. Peku Avatar

    I couldn’t get past “Operation is not permitted without secure token unlock” with command line, but surprisingly System Settings Filevault GUI did the trick. It mentioned that some users can’t boot and gave a way to allow that. Obviously the admin account had token etc.

  9. Suraj Avatar

    I am getting an error while upgrading a Mac OS.
    In order to install the MacOS you need to be an owner

Leave a Reply

Your email address will not be published. Required fields are marked *