Secure Token Sharing Tool - Rocketman-Tech/rcc GitHub Wiki

Formerly called FileVault User Enablement

The Secure Token Sharing Tool allows Jamf Admins to grant a secure token to a user in a variety of ways.

Quick Start

Using this example setup, the tool will grant a secure token to the LAPS backdoor admin account created through the BreakGlassAdmin tool by prompting the logged-in user (the secure token holder) for their password. In order to set this up you will need a:

  • Configuration Profile
  • Policy
  • Extension Attribute

Example Configuration Profile

Below is a Managed PLIST that can be deployed through a Configuration Profile to the following domain: tech.rocketman.securetokensharingtool

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>secureTokenHolder</key>
    <array>
      <string>PromptUser</string>
    </array>
    <key>grantSecureToken</key>
    <array>
      <string>LAPS</string>
    </array>
    <key>LAPSUsername</key>
    <string>breakglass</string>
    <key>dialogTitle</key>
    <string>Secure Token Grant</string>
    <key>dialogText</key>
    <string>Please enter your password to grant a secure token.</string>
  </dict>
</plist>

Example Policy

When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

Jamf Pro Script Parameters

  • Parameter 4 (Global Options and Tool Name): SecureTokenSharing

Example Extension Attribute

In order to see if the command was successful, deploy this extension attribute to get a list of all FileVault Enabled Users:

Jamf Extension Attribute Script

#!/bin/zsh

# Run the Rocketman tool
result=$(rocketman ListAllFileVaultEnabledUsers)

# Check for errors or empty output
if [[ $? -ne 0 || -z "$result" ]]; then
    result="Rocketman tool failed or returned no output"
fi

echo "<result>$result</result>"

For details on setting up the Jamf Pro Extension Attribute with local keychain storage, visit: List All FileVault Enabled Users

Command Options

Required Parameters

--secureTokenHolder [LAPS | Base64 | PromptUser]

Specifies one or more accounts that hold a Secure Token, necessary for enabling token distribution.

The Base64 option requires credentials in the format username:password encoded in Base64.

If you’re uncertain which account holds a valid Secure Token, you can list multiple accounts, and the system will check each in order until it finds one with the correct permissions.

Adding PromptUser as the final "last resort" option is a practical fallback: if none of the specified accounts holds a valid token, the user is prompted for authentication.

  • Type: array
  • Default: None
  • Example:
    --secureTokenHolder LAPS dXNlcm5hbWU6cGFzc3dvcmQ= PromptUser

--grantSecureToken [LAPS | Base64 | PromptUser]

Designates one or more accounts to receive a Secure Token.

The Base64 option requires credentials in the format username:password encoded in Base64.

  • Type: array
  • Default: None
  • Example:
    --grantSecureToken LAPS dXNlcm5hbWU6cGFzc3dvcmQ= PromptUser
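As an added example (not the rcc project's own code), a small POSIX shell validator for the value lists accepted by --secureTokenHolder and --grantSecureToken: it classifies each entry as LAPS, PromptUser or a Base64 credential, decodes the Base64 form to confirm it really holds username:password, and checks that PromptUser, when used, is the final entry. The function names and the sample values other than the page's own are assumptions; decoding the credential in one line also makes the point that Base64 is encoding, not encryption, which is why these values need the protected storage the page recommends.

```shell
#!/bin/sh
# Added example, not part of rcc: pre-deployment check for the value lists
# passed to --secureTokenHolder / --grantSecureToken. Only the forms the page
# documents are accepted: LAPS, PromptUser, or Base64 of "username:password".

# classify_holder VALUE
# Prints "laps", "prompt", "base64:<username>" or "invalid" (exit 1).
classify_holder() {
    case "$1" in
        LAPS)       echo "laps";   return 0 ;;
        PromptUser) echo "prompt"; return 0 ;;
    esac
    # Base64 is reversible encoding: anyone who can read the plist or a policy
    # log recovers the clear-text credential exactly like this (older macOS
    # spells the flag -D instead of -d).
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) \
        || { echo "invalid"; return 1; }
    case "$decoded" in
        *:*) ;;                      # must contain the username:password separator
        *)   echo "invalid"; return 1 ;;
    esac
    user=${decoded%%:*}              # text before the first colon
    pass=${decoded#*:}               # everything after it (may itself contain colons)
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "invalid"; return 1
    fi
    echo "base64:$user"
}

# validate_holder_list "VALUE VALUE ..."
# Returns 0 when every entry is well-formed and PromptUser, if present, is the
# last entry (the page recommends it only as the final fallback).
validate_holder_list() {
    last=""
    for entry in $1; do
        if [ "$last" = "PromptUser" ]; then
            echo "PromptUser must be the last entry, found $entry after it"
            return 1
        fi
        classify_holder "$entry" >/dev/null \
            || { echo "malformed entry: $entry"; return 1; }
        last=$entry
    done
    return 0
}

# Constructed sample: the page's own example list.
validate_holder_list "LAPS dXNlcm5hbWU6cGFzc3dvcmQ= PromptUser" && echo "holder list OK"
```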

Optional Parameters

--basicAuth [Base64]

Provides Base64-encoded API credentials for authentication, required if using the LAPS method for Secure Token distribution.

The Base64 option requires credentials in the format username:password encoded in Base64.

  • Type: string
  • Required: Yes, if LAPS is used
  • Example:
    --basicAuth dXNlcm5hbWU6cGFzc3dvcmQ=

--LAPSExtensionAttribute [string]

Specifies the extension attribute where the Local Administrator Password Solution (LAPS) password is stored.

  • Type: string
  • Required: Yes, for LAPS
  • Example:
    --LAPSExtensionAttribute "Attribute Name"

--LAPSUsername [string]

Sets the username of the LAPS account on the device, needed for LAPS-based authentication.

  • Type: string
  • Required: Yes, if using LAPS
  • Example:
    --LAPSUsername "username"

--domain [string]

Specifies the domain for setting options in local or managed plists.

  • Type: string
  • Default: tech.rocketman.securetokensharingtool
  • Example:
    --domain "tech.rocketman.customdomain"

User Interaction Options

--dialogTitle [string]

Sets the title of the dialog box presented to the user during authentication.

  • Type: string
  • Default: None
  • Example:
    --dialogTitle "Secure Token Grant"

--dialogText [string]

Specifies custom text to display within the user prompt dialog.

  • Type: string
  • Default: None
  • Example:
    --dialogText "Please authenticate to grant a secure token."

--dialogLogo [path]

Indicates the file path for a logo image to display in the dialog, for branding or identification purposes.

  • Type: string
  • Default: None
  • Example:
    --dialogLogo /path/to/logo.png

Advanced Usage Example

The following example includes all parameters to enable Secure Token distribution with customized dialog options and LAPS-based configuration:

rocketman SecureTokenSharingTool \
  --secureTokenHolder LAPS dXNlcm5hbWU6cGFzc3dvcmQ= PromptUser \
  --grantSecureToken LAPS dXNlcm5hbWU6cGFzc3dvcmQ= PromptUser \
  --basicAuth dXNlcm5hbWU6cGFzc3dvcmQ= \
  --LAPSExtensionAttribute "My Secret Extension Attribute" \
  --LAPSUsername LAPSAccountUsername \
  --dialogTitle "Secure Token Grant" \
  --dialogText "Please authenticate to grant a secure token." \
  --dialogLogo /path/to/logo.png

Important Notes

  • Ensure a valid Secure Token holder is specified; without this, Secure Token granting will fail.
  • Use configuration .plist files for enhanced security and organizational consistency, especially when storing sensitive credentials.