From 4f4c955d9a9666c329538390834d7c3f0b8a9154 Mon Sep 17 00:00:00 2001
From: theneiljohnson
Date: Tue, 31 Mar 2026 16:10:29 +0100
Subject: [PATCH] Fix bootstrap token check and secure token status guard logic

- Fix bootstrap token escrow check to actually execute the command instead of echoing a literal string
- Populate SECURE_TOKEN_STATUS variable so disabled/unknown user guards work correctly
---
 macOS/Config/Bootstrap Token/fixBootstrapToken.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/macOS/Config/Bootstrap Token/fixBootstrapToken.sh b/macOS/Config/Bootstrap Token/fixBootstrapToken.sh
index 4a5526c5..86955ac5 100644
--- a/macOS/Config/Bootstrap Token/fixBootstrapToken.sh
+++ b/macOS/Config/Bootstrap Token/fixBootstrapToken.sh
@@ -41,7 +41,7 @@ function print_status {
 }
 
 # Check if the boostrap token was ever escrowed. If not, stop early as success.
-if echo "profiles status -type bootstraptoken" | grep -q "Bootstrap Token escrowed to server: NO"; then
+if profiles status -type bootstraptoken 2>&1 | grep -q "Bootstrap Token escrowed to server: NO"; then
     exit 0
 fi
 
@@ -50,6 +50,9 @@ if cat "$logdir/checkBootstrapEscrow.log" | grep -q "Bootstrap Token validated."
     exit 0
 fi
 
+# Check secure token status for the admin account
+SECURE_TOKEN_STATUS=$(sysadminctl -secureTokenStatus "$ADMIN_USERNAME" 2>&1)
+
 # Fail early if the account provided does not have secure token enabled
 if echo "$SECURE_TOKEN_STATUS" | grep -q "Secure token is DISABLED"; then
     echo "$(date) | Secure token is disabled for $ADMIN_USERNAME. Not proceeding."
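Review bot: The new `profiles status -type bootstraptoken 2>&1 | grep -q ...` line discards the exit status of `profiles`, so if the command fails outright (for example when the script is not running as root, or the tool prints an error instead of the status line), the merged error text will not match "escrowed to server: NO" and the script silently falls through to the remediation path instead of stopping. Capture the output first and check the status separately, e.g. `BT_STATUS=$(profiles status -type bootstraptoken 2>&1) || { echo "$(date) | profiles status failed: $BT_STATUS"; exit 1; }` followed by `if echo "$BT_STATUS" | grep -q "Bootstrap Token escrowed to server: NO"; then`. Whether a failed query should abort or be logged and tolerated is a policy choice for this script, but it should not be indistinguishable from "token was escrowed". The surrounding script continues outside this hunk.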
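Review bot: The added `SECURE_TOKEN_STATUS=$(sysadminctl -secureTokenStatus "$ADMIN_USERNAME" 2>&1)` runs with whatever `$ADMIN_USERNAME` holds, and that variable is assigned outside this hunk; if it is empty or unset the query is made for an empty name and the outcome depends entirely on whether the later greps happen to match the resulting error text. Guard it explicitly before the query, e.g. `: "${ADMIN_USERNAME:?ADMIN_USERNAME must be set}"` or `if [[ -z "${ADMIN_USERNAME:-}" ]]; then echo "$(date) | ADMIN_USERNAME is not set. Not proceeding."; exit 1; fi`. Since `sysadminctl` writes its status to stderr, the `2>&1` is needed here and worth a short comment such as `# sysadminctl reports on stderr, so merge it into the captured output`. The guard logic that consumes this variable continues past the end of the hunk.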