{"id":353666,"date":"2024-08-27T15:56:46","date_gmt":"2024-08-27T15:56:46","guid":{"rendered":"https:\/\/www.ninjaone.com\/script-hub\/creer-un-jetons-securises-macos\/"},"modified":"2024-10-13T19:09:45","modified_gmt":"2024-10-13T19:09:45","slug":"creer-un-jetons-securises-macos","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/creer-un-jetons-securises-macos\/","title":{"rendered":"Script to Create Secure Tokens for macOS: A Guide for IT Professionals"},"content":{"rendered":"<p>In today&rsquo;s IT world, managing user accounts and guaranteeing secure access are essential to maintaining strong system security. A key aspect of this management on <a href=\"https:\/\/www.ninjaone.com\/fr\/plateforme-de-gestion-de-terminaux\/gestion-des-terminaux-mac\" target=\"_blank\" rel=\"noopener\">macOS<\/a> is the use of secure tokens. <strong>Secure tokens<\/strong> are essential for various security functions, in particular enabling FileVault and performing certain administrative tasks.<\/p>\n<p>This blog post looks at a script that automates the process of granting secure token access to user accounts on macOS, explaining its importance, how it works, and its use cases for IT professionals and <a href=\"https:\/\/www.ninjaone.com\/fr\/quest-ce-quun-msp\" target=\"_blank\" rel=\"noopener\">managed service providers (MSPs).<\/a><\/p>\n<h2>Background<\/h2>\n<p>Secure tokens are a macOS security feature that provides additional authentication measures, particularly where FileVault encryption is concerned. For IT professionals and MSPs, managing these tokens is essential to maintaining secure environments across many devices.<\/p>\n<p>The script provided simplifies the process of granting secure token access to a user account, and even creates the account if it does not yet exist. This automation is particularly useful in large-scale environments where manual configuration would be impractical and time-consuming.<\/p>\n<h2>The script<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">#!\/usr\/bin\/env bash\r\n# Description: Grants secure token access to Service Account. Account will be created if it doesn't exist. 
Service Accounts will not show up at the desktop login.\r\n# Release Notes: Initial Release\r\n#\r\n# Custom Fields:\r\n#  New Account Password Custom Field: A secure custom field that stores the password for the new user account.\r\n#  Optional Authentication Account Username Custom Field: A secure custom field that stores the username of the admin account that has secure token already on the device.\r\n#\r\n# Parameters:\r\n#  username: Username to grant secure token access to\r\n#  password: Password of user to grant secure token access to\r\n#  adminuser: (Optional) Secure token Admin username - leave blank to prompt local user\r\n#  adminpassword: (Optional) Secure token Admin password - leave blank to prompt local user\r\n#\r\n# Usage: .\/Create-SecureTokenAccount.sh &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;]\r\n# &lt;&gt; are required\r\n# [] are optional\r\n# Example: .\/Create-SecureTokenAccount.sh --username test --password Password1 --adminuser admin --adminpassword Password2\r\n#\r\n# Notes:\r\n# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n# Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. 
NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#\r\n#\r\n\r\ndie() {\r\n    local _ret=\"${2:-1}\"\r\n    test \"${_PRINT_HELP:-no}\" = yes &amp;&amp; print_help &gt;&amp;2\r\n    echo \"$1\" &gt;&amp;2\r\n    exit \"${_ret}\"\r\n}\r\n\r\nbegins_with_short_option() {\r\n    local first_option all_short_options='upadvh'\r\n    first_option=\"${1:0:1}\"\r\n    test \"$all_short_options\" = \"${all_short_options\/$first_option\/}\" &amp;&amp; return 1 || return 0\r\n}\r\n\r\nGetCustomField() {\r\n    customfieldName=$1\r\n    dataPath=$(printenv | grep -i NINJA_DATA_PATH | awk -F = '{print $2}')\r\n    value=\"\"\r\n    if [ -e \"${dataPath}\/ninjarmm-cli\" ]; then\r\n        value=$(\"${dataPath}\"\/ninjarmm-cli get \"$customfieldName\")\r\n    else\r\n        value=$(\/Applications\/NinjaRMMAgent\/programdata\/ninjarmm-cli get \"$customfieldName\")\r\n    fi\r\n    if [[ \"${value}\" == *\"Unable to find the specified field\"* ]]; then\r\n        echo \"\"\r\n        return 1\r\n    else\r\n        echo \"$value\"\r\n    fi\r\n}\r\n\r\n# THE DEFAULTS INITIALIZATION - OPTIONALS\r\n_arg_username=\r\n_arg_password=\r\n_arg_adminuser=\r\n_arg_adminpassword=\r\n\r\nprint_help() {\r\n    printf '%s\\n' \"Grants secure token access to an account. 
Account will be created if it doesn't exist.\"\r\n    printf 'Usage: %s &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;] [-h|--help]\\n' \"$0\"\r\n    printf '\\t%s\\n' \"-u, --username: Username to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-p, --password: Password of user to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-a, --adminuser: (Optional) Secure token Admin username. (Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-d, --adminpassword: (Optional) Secure token Admin password. (Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-h, --help: Prints help\"\r\n}\r\n\r\nparse_commandline() {\r\n    while test $# -gt 0; do\r\n        _key=\"$1\"\r\n        case \"$_key\" in\r\n        -u | --username)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_username=\"$2\"\r\n            shift\r\n            ;;\r\n        --username=*)\r\n            _arg_username=\"${_key##--username=}\"\r\n            ;;\r\n        -u*)\r\n            _arg_username=\"${_key##-u}\"\r\n            ;;\r\n        -p | --password)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_password=\"$2\"\r\n            shift\r\n            ;;\r\n        --password=*)\r\n            _arg_password=\"${_key##--password=}\"\r\n            ;;\r\n        -p*)\r\n            _arg_password=\"${_key##-p}\"\r\n            ;;\r\n        -a | --adminuser)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminuser=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminuser=*)\r\n            _arg_adminuser=\"${_key##--adminuser=}\"\r\n            ;;\r\n        -a*)\r\n            _arg_adminuser=\"${_key##-a}\"\r\n            ;;\r\n        -d 
| --adminpassword)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminpassword=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminpassword=*)\r\n            _arg_adminpassword=\"${_key##--adminpassword=}\"\r\n            ;;\r\n        -d*)\r\n            _arg_adminpassword=\"${_key##-d}\"\r\n            ;;\r\n        -h | --help)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        -h*)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        *)\r\n            _PRINT_HELP=yes die \"FATAL ERROR: Got an unexpected argument '$1'\" 1\r\n            ;;\r\n        esac\r\n        shift\r\n    done\r\n}\r\n\r\nparse_commandline \"$@\"\r\n\r\n# Get Script Variables and override parameters\r\nif [[ -n $(printenv | grep -i newAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_username=$(printenv | grep -i newAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! _arg_password=$(GetCustomField \"$(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_password}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. 
Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_adminuser=$(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! _arg_adminpassword=$(GetCustomField \"$(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_adminpassword}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. 
Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\n\r\n# Username is required; report a missing password at the same time so both problems surface at once\r\nif [[ -z \"${_arg_username}\" ]]; then\r\n    echo \"[Error] User Name is required.\"\r\n    if [[ -z \"${_arg_password}\" ]]; then\r\n        echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    fi\r\n    exit 1\r\nfi\r\n\r\n# Username given but password missing\r\nif [[ -n \"${_arg_username}\" ]] &amp;&amp; [[ -z \"${_arg_password}\" ]]; then\r\n    echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\n# Admin username given but admin password missing\r\nif [[ -n \"${_arg_adminuser}\" ]] &amp;&amp; [[ -z \"${_arg_adminpassword}\" ]]; then\r\n    echo \"[Error] Admin password is required when an admin username is given, please set it in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\nUserAccount=$_arg_username\r\nUserPass=$_arg_password\r\nUserFullName=\"ServiceAccount\"\r\nsecureTokenAdmin=$_arg_adminuser\r\nsecureTokenAdminPass=$_arg_adminpassword\r\nmacOSVersionMajor=$(sw_vers -productVersion | awk -F . '{print $1}')\r\nmacOSVersionMinor=$(sw_vers -productVersion | awk -F . '{print $2}')\r\nmacOSVersionBuild=$(sw_vers -productVersion | awk -F . 
'{print $3}')\r\n\r\n# Check script prerequisites.\r\n\r\n# Exits if macOS version predates the use of SecureToken functionality.\r\n# Exit if macOS &lt; 10.\r\nif [ \"$macOSVersionMajor\" -lt 10 ]; then\r\n    echo \"[Warn] macOS version ${macOSVersionMajor} predates the use of SecureToken functionality, no action required.\"\r\n    exit 0\r\n# Exit if macOS 10 &lt; 10.13.4.\r\nelif [ \"$macOSVersionMajor\" -eq 10 ]; then\r\n    if [ \"$macOSVersionMinor\" -lt 13 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    # The patch number is absent on releases such as 10.13, so default it to 0 to keep the numeric test valid.\r\n    elif [ \"$macOSVersionMinor\" -eq 13 ] &amp;&amp; [ \"${macOSVersionBuild:-0}\" -lt 4 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor}.${macOSVersionBuild:-0} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    fi\r\nfi\r\n\r\n# Exits if $UserAccount already has SecureToken.\r\nif sysadminctl -secureTokenStatus \"$UserAccount\" 2&gt;&amp;1 | grep -q \"ENABLED\"; then\r\n    echo \"${UserAccount} already has a SecureToken. No action required.\"\r\n    exit 0\r\nfi\r\n\r\n# Exits with error if $secureTokenAdmin does not have SecureToken\r\n# (unless running macOS 10.15 or later, in which case exit with explanation).\r\n\r\nif [ -n \"$secureTokenAdmin\" ]; then\r\n    if sysadminctl -secureTokenStatus \"$secureTokenAdmin\" 2&gt;&amp;1 | grep -q \"DISABLED\"; then\r\n        # Group the 10.x test in braces: || and &amp;&amp; bind equally, left to right, so without\r\n        # the braces macOS 11 and later (minor version 0) would fall through to the error branch.\r\n        if [ \"$macOSVersionMajor\" -gt 10 ] || { [ \"$macOSVersionMajor\" -eq 10 ] &amp;&amp; [ \"$macOSVersionMinor\" -gt 14 ]; }; then\r\n            echo \"[Warn] Neither ${secureTokenAdmin} nor ${UserAccount} has a SecureToken, but in macOS 10.15 or later, a SecureToken is automatically granted to the first user to enable FileVault (if no other users have SecureToken), so this may not be necessary. Try enabling FileVault for ${UserAccount}. 
If that fails, see what other user on the system has SecureToken, and use its credentials to grant SecureToken to ${UserAccount}.\"\r\n            exit 0\r\n        else\r\n            echo \"[Error] ${secureTokenAdmin} does not have a valid SecureToken, unable to proceed. Please update to another admin user with SecureToken.\"\r\n            exit 1\r\n        fi\r\n    else\r\n        echo \"[Info] Verified ${secureTokenAdmin} has SecureToken.\"\r\n    fi\r\nfi\r\n\r\n# Creates a new user account.\r\ncreate_user() {\r\n    # Check if the user account exists\r\n    if id \"$1\" &gt;\/dev\/null 2&gt;&amp;1; then\r\n        echo \"[Info] Found existing user account $1.\"\r\n    else\r\n        echo \"[Warn] Account $1 doesn't exist. Attempting to create...\"\r\n        # Create a new user\r\n        dscl . -create \/Users\/\"$1\"\r\n        # Add the display name of the User\r\n        dscl . -create \/Users\/\"$1\" RealName \"$3\"\r\n        # Set the password for the new user from the supplied argument\r\n        dscl . -passwd \/Users\/\"$1\" \"$2\"\r\n        # Pick the next free UniqueID: one above the highest UniqueID currently assigned.\r\n        LastID=$(dscl . -list \/Users UniqueID | sort -nr -k 2 | head -1 | grep -oE '[0-9]+$')\r\n        NextID=$((LastID + 1))\r\n        dscl . -create \/Users\/\"$1\" UniqueID \"$NextID\"\r\n        # Set the group ID for the user\r\n        dscl . -create \/Users\/\"$1\" PrimaryGroupID 20\r\n        # Append the User with admin privilege. If this line is not included the user will be set as standard user.\r\n        # sudo dscl . -append \/Groups\/admin GroupMembership \"$1\"\r\n        echo \"[Info] Account $1 created.\"\r\n    fi\r\n}\r\n# Adds SecureToken to target user.\r\nsecuretoken_add() {\r\n    if [ -n \"$3\" ]; then\r\n        # Admin user name was given. 
Do not prompt the user.\r\n        sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            -adminUser \"$3\" \\\r\n            -adminPassword \"$4\"\r\n    else\r\n        # Admin user name was not given. Prompt the local user.\r\n        currentUser=$(stat -f%Su \/dev\/console)\r\n        currentUserUID=$(id -u \"$currentUser\")\r\n        launchctl asuser \"$currentUserUID\" sudo -iu \"$currentUser\" \\\r\n            sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            interactive\r\n    fi\r\n    # Verify successful SecureToken add.\r\n    secureTokenCheck=$(sysadminctl -secureTokenStatus \"${1}\" 2&gt;&amp;1)\r\n    if echo \"$secureTokenCheck\" | grep -q \"DISABLED\"; then\r\n        echo \"[Error] Failed to add SecureToken to ${1}. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 126\r\n    elif echo \"$secureTokenCheck\" | grep -q \"ENABLED\"; then\r\n        echo \"[Info] Successfully added SecureToken to ${1}.\"\r\n    else\r\n        echo \"[Error] Unexpected result, unable to proceed. 
Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 1\r\n    fi\r\n}\r\n\r\n# Create new user if it doesn't already exist.\r\ncreate_user \"$UserAccount\" \"$UserPass\" \"$UserFullName\"\r\n# Add SecureToken using provided credentials.\r\nsecuretoken_add \"$UserAccount\" \"$UserPass\" \"$secureTokenAdmin\" \"$secureTokenAdminPass\"\r\n<\/pre>\n<h2>Detailed description<\/h2>\n<h3>Script overview<\/h3>\n<p>The script in question is designed to grant secure token access to a user account on macOS, with the option of creating the account if it does not yet exist. Here is a detailed, step-by-step description of how the script works:<\/p>\n<ol>\n<li><strong>Parameter parsing<\/strong>: The script starts by defining a die function to handle errors and a print_help function to display usage information. It then parses the command-line arguments to extract the username, the password and, optionally, the admin username and password.<\/li>\n<li><strong>Environment variables<\/strong>: It checks for environment variables that can override the command-line parameters. If specific environment variables are set, the script retrieves their values and uses them as parameters.<\/li>\n<li><strong>macOS version check<\/strong>: The script checks the macOS version to ensure it supports the secure token feature. It stops if the macOS version is too old to use secure tokens.<\/li>\n<li><strong>Secure token status check<\/strong>: It checks whether the specified user account already has a secure token. If the user account already has one, the script exits, as no further action is needed.<\/li>\n<li><strong>Admin user token check:<\/strong> If an admin username is supplied, the script verifies that this user has a secure token. If not, it exits with an error, unless the macOS version is 10.15 or later, in which case an alternative process is recommended.<\/li>\n<li><strong>User account creation<\/strong>: The script includes a function to create a new user account if it does not already exist. It assigns a unique ID, sets a password and configures the other required attributes.<\/li>\n<li><strong>Granting a secure token<\/strong>: The script attempts to grant a secure token to the specified user account using the supplied credentials. If the admin username is supplied, it uses those credentials; otherwise, it prompts the local user to authenticate.<\/li>\n<\/ol>\n<h2>Potential use cases<\/h2>\n<p>Imagine an IT professional named Alex who manages a fleet of macOS devices for a large company. Alex needs to make sure that every user account on these devices has a secure token for FileVault encryption. Manually checking and granting secure tokens on each device would be extremely time-consuming.<\/p>\n<p>By deploying this script through a centralized management tool, Alex can automate the process and ensure that all of the company&rsquo;s user accounts have the secure tokens they need, which helps maintain compliance with the company&rsquo;s security policies.<\/p>\n<h2>Comparisons<\/h2>\n<p>Other methods of granting secure tokens generally involve manual intervention in macOS System Preferences or the use of sysadminctl commands for each user. While these methods work, they do not scale to a large number of devices. The script automates these steps, making them more efficient and reducing the likelihood of human error.<\/p>\n<h2>FAQ<\/h2>\n<ul>\n<li>\n<h3>What happens if the user account already exists?<\/h3>\n<p>The script checks whether the user account exists and skips the creation step if it already does.<\/p><\/li>\n<li>\n<h3>Can I use this script on older versions of macOS?<\/h3>\n<p>The script includes checks to ensure that it only runs on macOS versions that support secure tokens, namely macOS 10.13.4 and later.<\/p><\/li>\n<li>\n<h3>What happens if the admin user does not have a secure token?<\/h3>\n<p>The script exits with an error if the admin user does not have a secure token, except on macOS 10.15 or later, where an alternative process is suggested.<\/p><\/li>\n<\/ul>\n<h2>Implications<\/h2>\n<p>Assigning secure tokens to user accounts is essential for enabling FileVault and performing administrative tasks securely. Automating this process helps maintain high security standards, ensures compliance with company policies and reduces the risk of unauthorized access.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li><strong>Update the script regularly<\/strong>: Make sure the script is kept up to date with the latest changes to macOS and security practices.<\/li>\n<li><strong>Secure custom fields<\/strong>: Use secure custom fields to store sensitive information such as passwords.<\/li>\n<li><strong>Centralized management<\/strong>: Deploy the script through a centralized management tool to ensure consistency across all devices.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Automating the process of granting secure tokens with this script considerably improves <a href=\"https:\/\/www.ninjaone.com\/fr\/efficacite\" target=\"_blank\" rel=\"noopener\">the efficiency<\/a> and security of macOS device management. For IT professionals and MSPs, this script is a valuable tool for maintaining strong security practices.<\/p>\n<p>NinjaOne offers comprehensive solutions that integrate seamlessly with such scripts, providing a complete approach to IT management and security. By leveraging NinjaOne, you can streamline your workflows and ensure that all your devices are secure and compliant with your company&rsquo;s policies.<\/p>\n","protected":false},"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"","_lmt_disable":""},"operating_system":[4210],"use_cases":[4281],"class_list":["post-353666","script_hub","type-script_hub","status-publish","hentry","script_hub_category-macos"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub\/353666","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/comments?post=353666"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/media?parent=353666"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/operating_system?post=353666"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/fr\/wp-json\/wp\/v2\/use_cases?post=353666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}