
Secure Token Sharing Tool

geoff-rocketman edited this page Feb 16, 2026 · 8 revisions

Formerly called FileVault User Enablement

The Secure Token Sharing Tool allows Jamf Admins to grant a secure token to a user in a variety of ways.

Quick Start

Using this example setup, the tool grants a secure token to the LAPS backdoor admin account created through the BreakGlassAdmin tool by prompting the logged-in user (the secure token holder) for their password. Because the LAPS option reads the target account's password from Jamf Pro, the profile also needs the LAPSExtensionAttribute key (see Command Options) naming the extension attribute that holds that password, and the API client referenced by clientId/clientSecret needs the Read Computers and Read Extension Attributes permissions. To set this up you will need a:

  • Configuration Profile
  • Policy
  • Extension Attribute

Example Configuration Profile

Below is a Managed PLIST that can be deployed through a Configuration Profile to the following domain: tech.rocketman.securetokensharingtool

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>secureTokenHolder</key>
    <array>
      <string>PromptUser</string>
    </array>
    <key>grantSecureToken</key>
    <array>
      <string>LAPS</string>
    </array>
    <key>LAPSUsername</key>
    <string>breakglass</string>
    <key>dialogTitle</key>
    <string>Secure Token Grant</string>
    <key>dialogText</key>
    <string>Please enter your password to grant a secure token.</string>
    <key>clientId</key>
    <string>ENC:...</string>
    <key>clientSecret</key>
    <string>ENC:...</string>
  </dict>
</plist>

Example Policy

When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

Jamf Pro Script Parameters

  • Parameter 4 (Global Options and Tool Name): SecureTokenSharingTool

Example Extension Attribute

In order to see if the command was successful, deploy this extension attribute to get a list of all FileVault Enabled Users:

Jamf Extension Attribute Script

#!/bin/zsh

# Run the Rocketman tool and capture its exit status immediately,
# before any later command overwrites $?
result=$(rocketman ListAllFileVaultEnabledUsers)
exitCode=$?

# The user list is on the second-to-last line of the tool's output
fileVaultEnabledUsers=$(echo "$result" | tail -n2 | head -n1)

# Report a failure in the EA value instead of an empty or stale result
if [[ $exitCode -ne 0 || -z "$fileVaultEnabledUsers" ]]; then
    fileVaultEnabledUsers="Rocketman tool failed or returned no output"
fi

echo "<result>$fileVaultEnabledUsers</result>"

For details on setting up the Jamf Pro Extension Attribute with local keychain storage, visit: List All FileVault Enabled Users

Command Options

Required Parameters

Use Encrypted Credentials

When using the credentials option for either --secureTokenHolder or --grantSecureToken, you must provide credentials in the format username:password, username:ENC:..., or ENC:..., where the ENC: string is created by the Encrypt tool.

You can generate an encrypted string and copy it with:

sudo rocketman Encrypt --value username:password

--secureTokenHolder [LAPS | credentials | PromptUser]

Specifies one or more accounts that hold a Secure Token, necessary for enabling token distribution.

The credentials option takes credentials in the format username:password, with the password either plain or encrypted.

If you are uncertain which account holds a valid Secure Token, list several accounts; the tool checks each in order until it finds one that authenticates as a token holder.

The LAPS option requires --clientId and --clientSecret for the Jamf Pro API, plus --LAPSExtensionAttribute and --LAPSUsername.

Adding PromptUser as the final option is a practical last resort: the logged-in user is prompted for their password only if none of the listed accounts has a valid token.

  • Type: array
  • Default: None
  • Example:
    --secureTokenHolder LAPS username:ENC:... PromptUser

--grantSecureToken [LAPS | credentials | PromptUser]

Designates one or more accounts to receive a Secure Token.

The credentials option takes credentials in the format username:password, with the password either plain or encrypted.

The LAPS option requires --clientId and --clientSecret for the Jamf Pro API, plus --LAPSExtensionAttribute and --LAPSUsername.

  • Type: array
  • Default: None
  • Example:
    --grantSecureToken LAPS ENC:... PromptUser
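The two options above describe a flow the tool runs for you: walk the listed holder candidates in order until one of them actually holds a Secure Token, then use that holder's credentials to grant a token to each target and confirm the grant took. The script below is an added example, not code from the RCC wiki or the rocketman tool, showing the same flow built directly on the macOS primitive the tool sits on, sysadminctl(8). It assumes sysadminctl prints its status as "Secure token is ENABLED for user X" (or DISABLED) on stderr, that candidates are given as plaintext username:password (it does not decrypt ENC: strings and has no PromptUser fallback), and the account names and passwords in the usage line are made up. The status query is held in a variable so it can be stubbed when testing off a Mac.

```shell
#!/bin/bash
# Added example: "check holders in order, then grant and verify" with sysadminctl.
# Not part of the rocketman tool. Assumes macOS sysadminctl(8) output format.

# Status query lives in a variable so tests can replace it with a stub.
: "${TOKEN_STATUS_CMD:=secure_token_status_real}"

# Real query: sysadminctl writes its status line to stderr, so merge streams.
secure_token_status_real() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

# Reduce a sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Walk "username:password" candidates in order; print the first one whose
# account holds a Secure Token. Returns 1 if none of them do.
find_token_holder() {
    local entry user status
    for entry in "$@"; do
        user="${entry%%:*}"
        status=$(parse_token_status "$("$TOKEN_STATUS_CMD" "$user")")
        if [ "$status" = ENABLED ]; then
            echo "$entry"
            return 0
        fi
    done
    return 1
}

# Grant a token to $3 (password $4) using holder credentials $1 / $2.
# sysadminctl exits non-zero and prints an error when the holder's
# credentials are wrong or the holder has no token.
grant_secure_token() {
    local admin_user="$1" admin_pass="$2" target="$3" target_pass="$4"
    sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pass" \
                -secureTokenOn "$target" -password "$target_pass" 2>&1
}

# Full flow: target account, target password, then holder candidates in
# priority order. Succeeds only if the target reports ENABLED afterwards.
grant_from_candidates() {
    local target="$1" target_pass="$2"
    shift 2
    local holder
    holder=$(find_token_holder "$@") || {
        echo "no listed account holds a Secure Token" >&2
        return 1
    }
    grant_secure_token "${holder%%:*}" "${holder#*:}" \
                       "$target" "$target_pass" >/dev/null || return 1
    [ "$(parse_token_status "$("$TOKEN_STATUS_CMD" "$target")")" = ENABLED ]
}

# Usage on a Mac, as root (hypothetical accounts and passwords):
#   ./grant_token.sh breakglass 'bg-pass' 'staff:staff-pass' 'admin:admin-pass'
if [ "$#" -ge 3 ]; then
    grant_from_candidates "$@" && echo "Secure Token granted to $1"
fi
```

Passing -adminPassword and -password on the command line exposes both secrets in the process list for the duration of the call; sysadminctl accepts - in place of a password to prompt interactively, and this exposure is one reason the page recommends delivering credentials through a managed plist rather than script parameters.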

Optional Parameters

--clientId [string]

Specifies the Client ID of the Jamf Pro API client used to read the LAPS password, either in plain text or as an ENC: string from the Encrypt tool. Required if using the LAPS method for Secure Token distribution. The API client needs the Read Computers and Read Extension Attributes permissions.

  • Type: string
  • Required: Yes, if LAPS is used
  • Example:
    --clientId "myclientid" OR --clientId "ENC:myencryptedclientid"

--clientSecret [string]

Specifies the Client Secret of the Jamf Pro API client used to read the LAPS password, either in plain text or as an ENC: string from the Encrypt tool. Required if using the LAPS method for Secure Token distribution. Encrypting this value is strongly recommended.

  • Type: string
  • Required: Yes, if LAPS is used
  • Example:
    --clientSecret "myclientsecret" OR --clientSecret "ENC:myencryptedclientsecret"

--LAPSExtensionAttribute [string]

Specifies the extension attribute where the Local Administrator Password Solution (LAPS) password is stored.

  • Type: string
  • Required: Yes, for LAPS
  • Example:
    --LAPSExtensionAttribute "Attribute Name"

--LAPSUsername [string]

Sets the username of the LAPS account on the device, needed for LAPS-based authentication.

  • Type: string
  • Required: Yes, if using LAPS
  • Example:
    --LAPSUsername "username"

--domain [string]

Specifies the domain for setting options in local or managed plists.

  • Type: string
  • Default: tech.rocketman.securetokensharingtool
  • Example:
    --domain "tech.rocketman.customdomain"

User Interaction Options

--dialogTitle [string]

Sets the title of the dialog box presented to the user during authentication.

  • Type: string
  • Default: None
  • Example:
    --dialogTitle "Secure Token Grant"

--dialogText [string]

Specifies custom text to display within the user prompt dialog.

  • Type: string
  • Default: None
  • Example:
    --dialogText "Please authenticate to grant a secure token."

--dialogLogo [path]

Indicates the file path for a logo image to display in the dialog, for branding or identification purposes.

  • Type: string
  • Default: None
  • Example:
    --dialogLogo /path/to/logo.png

Advanced Usage Example

The following example includes all parameters to enable Secure Token distribution with customized dialog options and LAPS-based configuration:

rocketman SecureTokenSharingTool \
  --secureTokenHolder LAPS ENC:... PromptUser \
  --grantSecureToken LAPS ENC:... PromptUser \
  --clientId ... \
  --clientSecret ... \
  --LAPSExtensionAttribute "My Secret Extension Attribute" \
  --LAPSUsername LAPSAccountUsername \
  --dialogTitle "Secure Token Grant" \
  --dialogText "Please authenticate to grant a secure token." \
  --dialogLogo /path/to/logo.png

Important Notes

  • Ensure a valid Secure Token holder is specified; without one, Secure Token granting will fail.
  • Deliver sensitive values (account credentials, clientId, clientSecret) through a managed .plist from a Configuration Profile rather than as script parameters; command-line arguments are visible in the process list while the tool runs, and the plist also keeps settings consistent across policies.

JSON Schema

{
  "title": "Secure Token Sharing Tool (tech.rocketman.securetokensharingtool)",
  "description": "The Secure Token Sharing Tool allows Jamf Admins to grant a secure token to a user in a variety of ways. Visit https://github.com/Rocketman-Tech/rcc/wiki/Secure-Token-Sharing-Tool for more information.",
  "properties": {
    "secureTokenHolder": {
      "title": "Secure Token Holder(s)",
      "description": "Specify one or more local accounts that currently hold a Secure Token. Define known passwords by entering 'username:password' into the field. Can guess multiple passwords by specifying the same username with different password combinations. Specify 'LAPS' if the password is stored in an Extension Attribute. Specify 'PromptUser' to prompt the user for their password. Will cycle through all specified accounts until a match is found.",
      "type": "array",
      "items": { 
        "type": "string",
        "title": "Secure Token Holder",
        "default": "username:password"
      },
      "property_order": 1
    },
    "grantSecureToken": {
      "title": "User(s) to Grant Secure Token(s) to",
      "description": "Specify one or more local accounts that you want to grant a secure token to. Define known passwords by entering 'username:password' into the field. Can guess multiple passwords by specifying the same username with different password combinations. Specify 'LAPS' if the password is stored in an Extension Attribute. Specify 'PromptUser' to prompt the user for their password. Will grant a secure token to all specified accounts.",
      "type": "array",
      "items": {
        "type": "string",
        "title": "Grant Secure Token To:",
        "default": "username:password"
      },
      "property_order": 2
    },
    "clientId": {
      "title": "Client ID",
      "description": "Specifies the Client ID for Jamf API authentication. Required if the 'LAPS' option is used. Permissions needed: Read Computers, Read Extension Attributes. It is recommended to Encrypt these credentials using RCC's Encrypt tool.",
      "type": "string",
      "property_order": 3
    },
    "clientSecret": {
      "title": "Client Secret",
      "description": "Specifies the Client Secret for Jamf API authentication. Required if the 'LAPS' option is used. Permissions needed: Read Computers, Read Extension Attributes. It is highly recommended to Encrypt these credentials using RCC's Encrypt tool.",
      "type": "string",
      "property_order": 4
    },
    "LAPSExtensionAttribute": {
      "title": "LAPS Extension Attribute",
      "description": "Name of the Extension Attribute in Jamf Pro where the LAPS password is stored. Required if the 'LAPS' option is used.",
      "type": "string",
      "property_order": 5
    },
    "LAPSUsername": {
      "title": "LAPS Username",
      "description": "The username of the LAPS account on the device. Required if the 'LAPS' option is used.",
      "type": "string",
      "property_order": 6
    },
    "dialogTitle": {
      "title": "Dialog Title",
      "description": "Title of the dialog used to prompt the user for their password. Only shown if the 'Prompt User' option is used.",
      "type": "string",
      "property_order": 7,
      "default": "Secure Token Grant"
    },
    "dialogText": {
      "title": "Dialog Text",
      "description": "Custom message used to prompt the user for their password. Only shown if the 'Prompt User' option is used.",
      "type": "string",
      "property_order": 8,
      "default": "Please authenticate to grant a secure token."
    },
    "dialogLogo": {
      "title": "Dialog Logo Path",
      "description": "Full path to a logo image displayed in the dialog window used to prompt the user for their password. Only shown if the 'Prompt User' option is used.",
      "type": "string",
      "property_order": 9,
      "default": "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"
    }
  }
}
