If running
sysadminctl -secureTokenStatus firstuseraccount shows that a secure token is enabled for the first account, but running
sysadminctl -secureTokenStatus seconduseraccount shows that no secure token is enabled for the second account, you can try granting the second account a secure token so that it can turn on FileVault or become a FileVault-enabled account.
Log out of the second account, log into the first (token-holding) account, and run this command:
sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword -
The lone - after -password and after -adminPassword tells sysadminctl to prompt for that password rather than read it from the command line, so neither password ends up in your shell history. You should be prompted first for the password of the first account, and then for the password of the second account.
If it worked, then
sysadminctl -secureTokenStatus seconduseraccount should show a secure token enabled for the second account.
If, on the other hand, you get an error message like
Operation is not permitted without secure token unlock, you may have to wipe the Mac and reinstall macOS (I’d love to hear differently if folks have a working solution).
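The procedure above, wrapped in a small script so the status check, the grant and the re-check happen in one go. This is an added example written for this page, not a script from the original post; the account names are placeholders supplied on the command line, and the script assumes the status line that sysadminctl -secureTokenStatus prints contains "Secure token is ENABLED for user" or "Secure token is DISABLED for user", which is what current macOS releases print.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks whether a macOS
# account holds a secure token and, if not, grants it one from a
# token-holding admin account using the same sysadminctl invocation the
# post describes. Account names passed on the command line are placeholders.

# Classify a status line as printed by `sysadminctl -secureTokenStatus <user>`.
# Returns 0 for ENABLED, 1 for DISABLED, 2 if the line is not recognised.
token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  return 0 ;;
        *"Secure token is DISABLED for user"*) return 1 ;;
        *)                                     return 2 ;;
    esac
}

# sysadminctl writes its status line to stderr, so merge it into stdout.
query_token() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

# List local accounts (UID >= 500) that currently hold a secure token,
# so you can pick a valid -adminUser if your first guess has none.
list_token_holders() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' |
    while read -r u; do
        if token_state "$(query_token "$u")"; then echo "$u"; fi
    done
}

# Grant a secure token to $2 using the credentials of token holder $1.
# The "-" after -password and -adminPassword makes sysadminctl prompt
# for each password instead of taking it from the command line.
grant_token() {
    admin="$1"; target="$2"; rc=0

    token_state "$(query_token "$admin")" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "error: $admin does not hold a secure token; pick one of:" >&2
        list_token_holders >&2
        return 1
    fi

    rc=0; token_state "$(query_token "$target")" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$target already has a secure token"
        return 0
    fi

    # Exit status is not trusted; the re-query below is the real check.
    sudo sysadminctl -secureTokenOn "$target" -password - \
        -adminUser "$admin" -adminPassword - || true

    rc=0; token_state "$(query_token "$target")" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "secure token enabled for $target"
    else
        echo "still no secure token for $target; if sysadminctl printed" >&2
        echo "'Operation is not permitted without secure token unlock'," >&2
        echo "it could not unlock $admin's token with the password given" >&2
        return 1
    fi
}

# Usage: sh add_token.sh firstuseraccount seconduseraccount
if [ "$#" -eq 2 ]; then
    grant_token "$1" "$2"
fi
```

Run it as sh add_token.sh firstuseraccount seconduseraccount while logged into the first account. It refuses to proceed when the admin account named has no token of its own (and lists the accounts that do), because a token can only be granted by an account that already holds one, and it reports the "not permitted without secure token unlock" case by re-checking the target's status rather than trusting the command's exit code.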
9 responses to “Command to add a secure token to a macOS user account”
Would you have a workflow to get FileVault to work on Big Sur?
I have a standard user account to log in.
I was getting the “Operation is not permitted without secure token unlock” message but was able to fix it without a wipe and reinstall for an account using this command:
sudo sysadminctl -adminUser "ourAdminAccount" -adminPassword "password" -secureTokenOn "localUser" -password "theirPassword"
Sweet, thanks for the adminUser/Password bit. Also solved it for me.
Jeff Forrest’s comment worked for me
I’ve been laboring over this problem for more than a month now and I’ve been trying to dig deep into the internet for an answer. I’m just happy enough that I’ve finally solved it and I want to share with others the solution.
For the last part, if you’re still getting an “Operation is not permitted without secure token unlock”, you have to first reset or change the password of the Tokenized account to its original password. In my case, I changed it from its current “12345” password to its original “1234”. Then I did what Jeff Forrest here said, and it all worked perfectly.
What can be done if I don’t have the original password? Anything? or should I just plan a reinstall?
Ditto Duncan’s question, any hope if the original PW is unknown?
With this blog post you have single-handedly solved the problem that Accenture IT providing their services to one of the major technology brands could not solve FOR MONTHS 😀
Thank you, Jeff! Your post saved me from a re-install.