{"id":387179,"date":"2024-12-02T15:24:23","date_gmt":"2024-12-02T15:24:23","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&#038;p=387179"},"modified":"2024-12-02T15:26:58","modified_gmt":"2024-12-02T15:26:58","slug":"crear-tokens-seguros-en-macos","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/es\/script-hub\/crear-tokens-seguros-en-macos\/","title":{"rendered":"Script para crear tokens seguros para macOS: gu\u00eda para profesionales de TI"},"content":{"rendered":"<p>En el panorama de TI actual, gestionar las cuentas de usuario y garantizar un acceso seguro es fundamental para mantener una seguridad del sistema s\u00f3lida. Uno de los aspectos clave de esta gesti\u00f3n en <a href=\"https:\/\/www.ninjaone.com\/es\/supervision-gestion-de-endpoints\/mac-management\/\" target=\"_blank\" rel=\"noopener\">macOS<\/a> es el uso de tokens seguros. <strong>Los tokens seguros<\/strong> son vitales para varias funciones de seguridad, incluyendo la activaci\u00f3n de FileVault y la realizaci\u00f3n de ciertas tareas administrativas.<\/p>\n<p>Este post profundizar\u00e1 en un script que automatiza el proceso de concesi\u00f3n de acceso seguro mediante token a cuentas de usuario en macOS, explicando su importancia, funcionalidad y casos de uso para profesionales de TI y <a href=\"https:\/\/www.ninjaone.com\/es\/que-es-un-msp\" target=\"_blank\" rel=\"noopener\">proveedores de servicios gestionados (MSP)<\/a>.<\/p>\n<h2>Contexto<\/h2>\n<p>Los tokens seguros son una funci\u00f3n de seguridad de macOS que proporciona medidas de autenticaci\u00f3n adicionales, especialmente cuando se trata del cifrado de FileVault. Para los profesionales de TI y los MSP, la gesti\u00f3n de estos tokens es esencial para mantener entornos seguros en numerosos dispositivos.<\/p>\n<p>El script proporcionado simplifica el proceso de conceder acceso seguro mediante token a una cuenta de usuario, incluso creando la cuenta si a\u00fan no existe. Esta automatizaci\u00f3n es especialmente beneficiosa en entornos a gran escala en los que la configuraci\u00f3n manual ser\u00eda poco pr\u00e1ctica y llevar\u00eda mucho tiempo.<\/p>\n<h2>El script<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">#!\/usr\/bin\/env bash\r\n# Description: Grants secure token access to Service Account. Account will be created if it doesn't exist. Service Accounts will not show up at the desktop login.\r\n# Release Notes: Initial Release\r\n#\r\n# Custom Fields:\r\n#  New Account Password Custom Field: A secure custom field that stores the password for the new user account.\r\n#  Optional Authentication Account Username Custom Field: A secure custom field that stores the username of the admin account that has secure token already on the device.\r\n#\r\n# Parameters:\r\n#  username: Username to grant secure token access to\r\n#  password: Password of user to grant secure token access to\r\n#  adminuser: (Optional) Secure token Admin username - leave blank to prompt local user\r\n#  adminpassword: (Optional) Secure token Admin password - leave blank to prompt local user\r\n#\r\n# Usage: .\/Create-SecureTokenAccount.sh &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;]\r\n# &lt;&gt; are required\r\n# [] are optional\r\n# Example: .\/Create-SecureTokenAccount.sh --username test --password Password1 --adminuser admin --adminpassword Password2\r\n#\r\n# Notes:\r\n# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n# Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#\r\n#\r\n\r\ndie() {\r\n    local _ret=\"${2:-1}\"\r\n    test \"${_PRINT_HELP:-no}\" = yes &amp;&amp; print_help &gt;&amp;2\r\n    echo \"$1\" &gt;&amp;2\r\n    exit \"${_ret}\"\r\n}\r\n\r\nbegins_with_short_option() {\r\n    local first_option all_short_options='upadvh'\r\n    first_option=\"${1:0:1}\"\r\n    test \"$all_short_options\" = \"${all_short_options\/$first_option\/}\" &amp;&amp; return 1 || return 0\r\n}\r\n\r\nGetCustomField() {\r\n    customfieldName=$1\r\n    dataPath=$(printenv | grep -i NINJA_DATA_PATH | awk -F = '{print $2}')\r\n    value=\"\"\r\n    if [ -e \"${dataPath}\/ninjarmm-cli\" ]; then\r\n        value=$(\"${dataPath}\"\/ninjarmm-cli get \"$customfieldName\")\r\n    else\r\n        value=$(\/Applications\/NinjaRMMAgent\/programdata\/ninjarmm-cli get \"$customfieldName\")\r\n    fi\r\n    if [[ \"${value}\" == *\"Unable to find the specified field\"* ]]; then\r\n        echo \"\"\r\n        return 1\r\n    else\r\n        echo \"$value\"\r\n    fi\r\n}\r\n\r\n# THE DEFAULTS INITIALIZATION - OPTIONALS\r\n_arg_username=\r\n_arg_password=\r\n_arg_adminuser=\r\n_arg_adminpassword=\r\n\r\nprint_help() {\r\n    printf '%s\\n' \"Grants secure token access to an account. Account will be created if it doesn't exist.\"\r\n    printf 'Usage: %s &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;] [-h|--help]\\n' \"$0\"\r\n    printf '\\t%s\\n' \"-u, --username: Username to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-p, --password: Password of user to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-a, --adminuser: (Optional) Secure token Admin username. (Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-d, --adminpassword: (Optional) Secure token Admin password. (Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-h, --help: Prints help\"\r\n}\r\n\r\nparse_commandline() {\r\n    while test $# -gt 0; do\r\n        _key=\"$1\"\r\n        case \"$_key\" in\r\n        -u | --username)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_username=\"$2\"\r\n            shift\r\n            ;;\r\n        --username=*)\r\n            _arg_username=\"${_key##--username=}\"\r\n            ;;\r\n        -u*)\r\n            _arg_username=\"${_key##-u}\"\r\n            ;;\r\n        -p | --password)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_password=\"$2\"\r\n            shift\r\n            ;;\r\n        --password=*)\r\n            _arg_password=\"${_key##--password=}\"\r\n            ;;\r\n        -p*)\r\n            _arg_password=\"${_key##-p}\"\r\n            ;;\r\n        -a | --adminuser)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminuser=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminuser=*)\r\n            _arg_adminuser=\"${_key##--adminuser=}\"\r\n            ;;\r\n        -a*)\r\n            _arg_adminuser=\"${_key##-a}\"\r\n            ;;\r\n        -d | --adminpassword)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminpassword=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminpassword=*)\r\n            _arg_adminpassword=\"${_key##--adminpassword=}\"\r\n            ;;\r\n        -d*)\r\n            _arg_adminpassword=\"${_key##-d}\"\r\n            ;;\r\n        -h | --help)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        -h*)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        *)\r\n            _PRINT_HELP=yes die \"FATAL ERROR: Got an unexpected argument '$1'\" 1\r\n            ;;\r\n        esac\r\n        shift\r\n    done\r\n}\r\n\r\nparse_commandline \"$@\"\r\n\r\n# Get Script Variables and override parameters\r\nif [[ -n $(printenv | grep -i newAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_username=$(printenv | grep -i newAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! _arg_password=$(GetCustomField \"$(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_password}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_adminuser=$(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! _arg_adminpassword=$(GetCustomField \"$(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_adminpassword}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\n\r\n# If both username and password are empty\r\nif [[ -z \"${_arg_username}\" ]]; then\r\n    echo \"[Error] User Name is required.\"\r\n    if [[ -z \"${_arg_password}\" ]]; then\r\n        echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    fi\r\n    exit 1\r\nfi\r\n\r\n# If username is not empty and password is empty\r\nif [[ -n \"${_arg_username}\" ]] &amp;&amp; [[ -z \"${_arg_password}\" ]]; then\r\n    echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\n# If username is not empty and password is empty\r\nif [[ -n \"${_arg_adminuser}\" ]] &amp;&amp; [[ -z \"${_arg_adminpassword}\" ]]; then\r\n    echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\nUserAccount=$_arg_username\r\nUserPass=$_arg_password\r\nUserFullName=\"ServiceAccount\"\r\nsecureTokenAdmin=$_arg_adminuser\r\nsecureTokenAdminPass=$_arg_adminpassword\r\nmacOSVersionMajor=$(sw_vers -productVersion | awk -F . '{print $1}')\r\nmacOSVersionMinor=$(sw_vers -productVersion | awk -F . '{print $2}')\r\nmacOSVersionBuild=$(sw_vers -productVersion | awk -F . '{print $3}')\r\n\r\n# Check script prerequisites.\r\n\r\n# Exits if macOS version predates the use of SecureToken functionality.\r\n# Exit if macOS &lt; 10.\r\nif [ \"$macOSVersionMajor\" -lt 10 ]; then\r\n    echo \"[Warn] macOS version ${macOSVersionMajor} predates the use of SecureToken functionality, no action required.\"\r\n    exit 0\r\n# Exit if macOS 10 &lt; 10.13.4.\r\nelif [ \"$macOSVersionMajor\" -eq 10 ]; then\r\n    if [ \"$macOSVersionMinor\" -lt 13 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    elif [ \"$macOSVersionMinor\" -eq 13 ] &amp;&amp; [ \"$macOSVersionBuild\" -lt 4 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor}.${macOSVersionBuild} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    fi\r\nfi\r\n\r\n# Exits if $UserAccount already has SecureToken.\r\nif sysadminctl -secureTokenStatus \"$UserAccount\" 2&gt;&amp;1 | grep -q \"ENABLED\"; then\r\n    echo \"${UserAccount} already has a SecureToken. No action required.\"\r\n    exit 0\r\nfi\r\n\r\n# Exits with error if $secureTokenAdmin does not have SecureToken\r\n# (unless running macOS 10.15 or later, in which case exit with explanation).\r\n\r\nif [ -n \"$secureTokenAdmin\" ]; then\r\n    if sysadminctl -secureTokenStatus \"$secureTokenAdmin\" 2&gt;&amp;1 | grep -q \"DISABLED\"; then\r\n        if [ \"$macOSVersionMajor\" -gt 10 ] || [ \"$macOSVersionMajor\" -eq 10 ] &amp;&amp; [ \"$macOSVersionMinor\" -gt 14 ]; then\r\n            echo \"[Warn] Neither ${secureTokenAdmin} nor ${UserAccount} has a SecureToken, but in macOS 10.15 or later, a SecureToken is automatically granted to the first user to enable FileVault (if no other users have SecureToken), so this may not be necessary. Try enabling FileVault for ${UserAccount}. If that fails, see what other user on the system has SecureToken, and use its credentials to grant SecureToken to ${UserAccount}.\"\r\n            exit 0\r\n        else\r\n            echo \"[Error] ${secureTokenAdmin} does not have a valid SecureToken, unable to proceed. Please update to another admin user with SecureToken.\"\r\n            exit 1\r\n        fi\r\n    else\r\n        echo \"[Info] Verified ${secureTokenAdmin} has SecureToken.\"\r\n    fi\r\nfi\r\n\r\n# Creates a new user account.\r\ncreate_user() {\r\n    # Check if the user account exists\r\n    if id \"$1\" &gt;\/dev\/null 2&gt;&amp;1; then\r\n        echo \"[Info] Found existing user account $1.\"\r\n    else\r\n        echo \"[Warn] Account $1 doesn't exist. Attempting to create...\"\r\n        # Create a new user\r\n        dscl . -create \/Users\/\"$1\"\r\n        # Add the display name of the User\r\n        dscl . -create \/Users\/\"$1\" RealName \"$3\"\r\n        # Replace password_here with your desired password to set the password for this user\r\n        dscl . -passwd \/Users\/\"$1\" \"$2\"\r\n        # Set the Unique ID for the New user. Replace with a number that is not already taken.\r\n        LastID=$(dscl . -list \/Users UniqueID | sort -nr -k 2 | head -1 | grep -oE '[0-9]+$')\r\n        NextID=$((LastID + 1))\r\n        dscl . -create \/Users\/\"$1\" UniqueID $NextID\r\n        # Set the group ID for the user\r\n        dscl . -create \/Users\/\"$1\" PrimaryGroupID 20\r\n        # Append the User with admin privilege. If this line is not included the user will be set as standard user.\r\n        # sudo dscl . -append \/Groups\/admin GroupMembership \"$1\"\r\n        echo \"[Info] Account $1 created.\"\r\n    fi\r\n}\r\n# Adds SecureToken to target user.\r\nsecuretoken_add() {\r\n    if [ -n \"$3\" ]; then\r\n        # Admin user name was given. Do not prompt the user.\r\n        sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            -adminUser \"$3\" \\\r\n            -adminPassword \"$4\"\r\n    else\r\n        # Admin user name was not given. Prompt the local user.\r\n        currentUser=$(stat -f%Su \/dev\/console)\r\n        currentUserUID=$(id -u \"$currentUser\")\r\n        launchctl asuser \"$currentUserUID\" sudo -iu \"$currentUser\" \\\r\n            sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            interactive\r\n    fi\r\n    # Verify successful SecureToken add.\r\n    secureTokenCheck=$(sysadminctl -secureTokenStatus \"${1}\" 2&gt;&amp;1)\r\n    if echo \"$secureTokenCheck\" | grep -q \"DISABLED\"; then\r\n        echo \"[Error] Failed to add SecureToken to ${1}. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 126\r\n    elif echo \"$secureTokenCheck\" | grep -q \"ENABLED\"; then\r\n        echo \"[Info] Successfully added SecureToken to ${1}.\"\r\n    else\r\n        echo \"[Error] Unexpected result, unable to proceed. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 1\r\n    fi\r\n}\r\n\r\n# Create new user if it doesn't already exist.\r\ncreate_user \"$UserAccount\" \"$UserPass\" \"$UserFullName\"\r\n# Add SecureToken using provided credentials.\r\nsecuretoken_add \"$UserAccount\" \"$UserPass\" \"$secureTokenAdmin\" \"$secureTokenAdminPass\"\r\n<\/pre>\n<p>&nbsp;<\/p>\n\n<div class=\"in-context-cta\"><p>Accede a m\u00e1s de 300 scripts en el Dojo de NinjaOne<\/p>\n<p><a href=\"https:\/\/www.ninjaone.com\/es\/prueba-gratuita-formulario\/\">Obt\u00e9n acceso<\/a><\/p>\n<\/div>\n<h2>An\u00e1lisis detallado<\/h2>\n<h3>Visi\u00f3n general del script<\/h3>\n<p>El script en cuesti\u00f3n est\u00e1 dise\u00f1ado para conceder acceso seguro mediante token a una cuenta de usuario en macOS, con la capacidad de crear la cuenta si a\u00fan no existe. Aqu\u00ed tienes un desglose detallado paso a paso de c\u00f3mo funciona el script:<\/p>\n<ol>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>An\u00e1lisis de par\u00e1metros<\/strong>: el script comienza definiendo una funci\u00f3n die para manejar errores y una funci\u00f3n print_help para mostrar informaci\u00f3n de uso. A continuaci\u00f3n, analiza los argumentos de la l\u00ednea de comandos para extraer el nombre de usuario, la contrase\u00f1a y, opcionalmente, el nombre de usuario y la contrase\u00f1a de administrador.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Variables de entorno<\/strong>: comprueba si existen variables de entorno que puedan anular los par\u00e1metros de la l\u00ednea de comandos. Si se establecen variables de entorno espec\u00edficas, el script recupera sus valores para utilizarlos como par\u00e1metros.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Comprobaci\u00f3n de la versi\u00f3n de macOS<\/strong>: el script comprueba la versi\u00f3n de macOS para asegurarse de que admite la funcionalidad de token seguro. Sale si la versi\u00f3n de macOS es demasiado antigua para utilizar tokens seguros.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Comprobaci\u00f3n del estado del token de seguridad<\/strong>: comprueba si la cuenta de usuario especificada ya tiene un token seguro. Si la cuenta de usuario ya tiene un token seguro, el script finaliza, ya que no es necesaria ninguna otra acci\u00f3n.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Comprobaci\u00f3n del token de usuario administrador<\/strong>: si se proporciona un nombre de usuario admin, el script verifica que este usuario admin tiene un token seguro. Si no, sale con un error a menos que la versi\u00f3n de macOS sea 10.15 o posterior, en cuyo caso se recomienda un proceso diferente.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Creaci\u00f3n de cuentas de usuario<\/strong>: el script incluye una funci\u00f3n para crear una nueva cuenta de usuario si a\u00fan no existe. Asigna un ID \u00fanico, establece una contrase\u00f1a y configura otros atributos necesarios.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Concesi\u00f3n de token seguro<\/strong>: el script intenta conceder un token seguro a la cuenta de usuario especificada utilizando las credenciales proporcionadas. Si se proporciona el nombre de usuario admin, utiliza esas credenciales; de lo contrario, solicita al usuario local que se autentique.<\/li>\n<\/ol>\n<h2>Posibles casos de uso<\/h2>\n<p>Imagina a un profesional de TI llamado Alex que gestiona una flota de dispositivos macOS para una gran empresa. Alex debe asegurarse de que todas las cuentas de usuario de estos dispositivos tengan tokens seguros para el cifrado de FileVault. Comprobar manualmente y conceder tokens seguros en cada dispositivo llevar\u00eda much\u00edsimo tiempo.<\/p>\n<p>Al desplegar este script a trav\u00e9s de una herramienta de gesti\u00f3n centralizada, Alex puede automatizar el proceso, garantizando que todas las cuentas de usuario de la organizaci\u00f3n dispongan de los tokens seguros necesarios, manteniendo as\u00ed el cumplimiento de las pol\u00edticas de seguridad de la empresa.<\/p>\n<h2>Comparaciones<\/h2>\n<p>Otros m\u00e9todos para conceder tokens seguros suelen implicar la intervenci\u00f3n manual a trav\u00e9s de las Preferencias del Sistema de macOS o el uso de comandos sysadminctl individualmente para cada usuario. Aunque estos m\u00e9todos funcionan, no son escalables para gestionar un gran n\u00famero de dispositivos. El script automatiza estos pasos, haci\u00e9ndolos m\u00e1s eficientes y reduciendo la probabilidad de error humano.<\/p>\n<h2>FAQ<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\">\n<h3>\u00bfQu\u00e9 ocurre si la cuenta de usuario ya existe?<\/h3>\n<p>El script comprueba la existencia de la cuenta de usuario y omite el paso de creaci\u00f3n si ya existe.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">\n<h3>\u00bfPuedo utilizar este script en versiones anteriores de macOS?<\/h3>\n<p>El script incluye comprobaciones para garantizar que s\u00f3lo se ejecuta en versiones de macOS compatibles con tokens seguros, concretamente macOS 10.13.4 y posteriores.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\">\n<h3>\u00bfQu\u00e9 pasa si el usuario administrador no tiene un token seguro?<\/h3>\n<p>El script saldr\u00e1 con un error si el usuario administrador no tiene un token seguro, excepto en macOS 10.15 o posterior, donde se sugiere un proceso alternativo.<\/li>\n<\/ul>\n<h2>Implicaciones<\/h2>\n<p>Conceder tokens seguros a las cuentas de usuario es crucial para habilitar FileVault y realizar tareas administrativas de forma segura. La automatizaci\u00f3n de este proceso ayuda a mantener altos niveles de seguridad, garantiza el cumplimiento de las pol\u00edticas de la organizaci\u00f3n y reduce el riesgo de accesos no autorizados.<\/p>\n<h2>Recomendaciones<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Actualiza regularmente el script<\/strong>: aseg\u00farate de que el script se mantiene actualizado con los \u00faltimos cambios y pr\u00e1cticas de seguridad de macOS.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><strong>Campos personalizados seguros<\/strong>: utiliza campos personalizados seguros para almacenar informaci\u00f3n confidencial, como contrase\u00f1as.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\"><strong>Gesti\u00f3n centralizada<\/strong>: despliega el script a trav\u00e9s de una herramienta de gesti\u00f3n centralizada para garantizar la coherencia en todos los dispositivos.<\/li>\n<\/ul>\n<h2>Reflexiones finales<\/h2>\n<p>La automatizaci\u00f3n del proceso de concesi\u00f3n de tokens seguros mediante este script mejora significativamente la <a href=\"https:\/\/www.ninjaone.com\/es\/eficiencia\" target=\"_blank\" rel=\"noopener\">eficacia<\/a> y la seguridad de la gesti\u00f3n de dispositivos macOS. Para los profesionales de TI y los MSP, este script es una herramienta valiosa para mantener unas pr\u00e1cticas de seguridad s\u00f3lidas.<\/p>\n<p>NinjaOne ofrece soluciones integrales que se integran a la perfecci\u00f3n con dichos scripts, proporcionando un enfoque hol\u00edstico de la gesti\u00f3n y la seguridad de TI. Con NinjaOne, puedes agilizar tus flujos de trabajo y garantizar que todos tus dispositivos son seguros y cumplen con las pol\u00edticas de tu organizaci\u00f3n.<\/p>\n","protected":false},"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4210],"use_cases":[4259],"class_list":["post-387179","script_hub","type-script_hub","status-publish","hentry","script_hub_category-macos"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/script_hub\/387179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/comments?post=387179"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/media?parent=387179"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/operating_system?post=387179"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/es\/wp-json\/wp\/v2\/use_cases?post=387179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}