SecureToken prompt at login for every new mobile account

Originator: eholtam
Number: rdar://38485212    Date Originated: 14-Mar-2018 09:30 PM
Status: Open    Resolved:
Product: macOS + SDK    Product Version: 10.13.4b4
Classification: UI/Usability    Reproducible: Always
 
Summary:
After installing 10.13.4 b4 (17E170c), I attempted to log in as an AD based user and have its mobile account created on first login. I was presented with a dialog stating "Enter a SecureToken administrator's name and password to allow this mobile account to log in at startup time..."

This is going to be a mess. All of our users are AD based mobile accounts. 100%. We cannot have every single user that ever logs into our computers have an admin account authorize the account to gain a SecureToken. This is not scalable in the least.

I assume this is to enable a SecureToken on the mobile account that is being created for FileVault use. There has to be a better way to allow AD based mobile accounts to be automatically given SecureTokens. Possibly through a trust mechanism specifically at bind time, or by an authorized AD forest delivered by UAMDM...something.

Steps to Reproduce:
1) Bind 10.13.4b4+ to Active Directory
2) Configure the AD settings in Directory Access.app to create a mobile account on login and uncheck the box to prompt for verification
3) Log into the computer as an AD based account

Expected Results:
The account would log in & a SecureToken would be granted since it's authenticated against a trusted directory service.

Actual Results:
A prompt appears asking for admin credentials to give the logged in account a SecureToken.

Version:
10.13.4b4

Notes:
Computer bound to AD
Configured to create a mobile account on login and not prompt for confirmation.


Troubleshooting Steps and Workarounds: Logged in as an AD user and was presented with the prompt.

Actions Requested and Additional Comments: There has to be a better way to allow AD based mobile accounts to be automatically given SecureTokens without an admin laying hands on the machine. Possibly through a trust mechanism specifically at AD bind time or by whitelisting an authorized AD forest delivered by UAMDM...something.

Also submitted to AppleCare Enterprise Support as issue #100466781281
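An added audit script (not part of the Radar or of Apple's tooling) that an admin can run on a bound Mac to see which cached mobile accounts actually hold a SecureToken, i.e. which users would be unable to unlock FileVault at startup after the prompt described above is dismissed. It assumes the stock macOS 10.13+ commands dsconfigad, dscl and sysadminctl; the output-parsing helpers are kept separate so they can be checked against constructed sample output off-box.

```shell
#!/bin/bash
# Added example: audit SecureToken holders among local and mobile accounts.
# Assumes macOS 10.13+ command-line tools; the live audit only runs on Darwin.

# Reduce one `sysadminctl -secureTokenStatus <user>` line
# (e.g. "... Secure token is ENABLED for user alice") to ENABLED/DISABLED/UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# A record with an OriginalNodeName attribute is a cached directory (mobile)
# account; a purely local account has no such key.
is_mobile_record() {
    case "$1" in
        *"OriginalNodeName:"*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Live audit: binding context, then one line per account with UID >= 500.
audit_secure_tokens() {
    local user kind state
    dsconfigad -show 2>/dev/null | grep -Ei 'Active Directory Domain|mobile account'
    for user in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        if is_mobile_record "$(dscl . -read "/Users/$user" OriginalNodeName 2>/dev/null)"; then
            kind=mobile
        else
            kind=local
        fi
        # sysadminctl reports status on stderr, so merge it into stdout.
        state=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        printf '%-20s %-7s SecureToken=%s\n' "$user" "$kind" "$state"
    done
}

if [ "$(uname)" = Darwin ]; then
    audit_secure_tokens
fi
```

Any mobile account reported as SecureToken=DISABLED is one that will trigger the login-time prompt or be unable to unlock the volume at boot.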
