{"id":353739,"date":"2024-08-26T08:18:23","date_gmt":"2024-08-26T08:18:23","guid":{"rendered":"https:\/\/www.ninjaone.com\/script-hub\/creare-token-sicuri-in-macos\/"},"modified":"2024-10-13T19:09:45","modified_gmt":"2024-10-13T19:09:45","slug":"creare-token-sicuri-in-macos","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/it\/script-hub\/creare-token-sicuri-in-macos\/","title":{"rendered":"Script for creating secure tokens in macOS: a guide for IT professionals"},"content":{"rendered":"<p>In today's IT landscape, managing user accounts and ensuring secure access are fundamental to maintaining solid system security. One of the key aspects of this management on <a href=\"https:\/\/www.ninjaone.com\/it\/gestione-endpoint\/gestione-dei-mac\/\" target=\"_blank\" rel=\"noopener\">macOS<\/a> is the use of secure tokens. <strong>Secure tokens<\/strong> are essential to various security functions, including enabling FileVault and performing certain administrative tasks.<\/p>\n<p>In this article we will analyze a script that automates the process of granting secure token access to user accounts on macOS, explaining its importance, functionality, and use cases for IT professionals and <a href=\"https:\/\/www.ninjaone.com\/it\/cos-e-un-msp\" target=\"_blank\" rel=\"noopener\">Managed Service Providers (MSPs)<\/a>.<\/p>\n<h2>Background<\/h2>\n<p>Secure tokens are a macOS security feature that provides additional authentication measures, particularly with regard to FileVault encryption. For IT professionals and MSPs, managing these tokens is essential for maintaining secure environments across numerous devices.<\/p>\n<p>The provided script simplifies the process of granting secure token access to a user account, even creating the account if it does not already exist. 
This automation is particularly beneficial in large-scale environments, where manual configuration would be impractical and time-consuming.<\/p>\n<h2>The script for creating secure tokens in macOS<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">#!\/usr\/bin\/env bash\r\n# Description: Grants secure token access to Service Account. Account will be created if it doesn't exist. Service Accounts will not show up at the desktop login.\r\n# Release Notes: Initial Release\r\n#\r\n# Custom Fields:\r\n#  New Account Password Custom Field: A secure custom field that stores the password for the new user account.\r\n#  Optional Authentication Account Username Custom Field: A secure custom field that stores the username of the admin account that has secure token already on the device.\r\n#\r\n# Parameters:\r\n#  username: Username to grant secure token access to\r\n#  password: Password of user to grant secure token access to\r\n#  adminuser: (Optional) Secure token Admin username - leave blank to prompt local user\r\n#  adminpassword: (Optional) Secure token Admin password - leave blank to prompt local user\r\n#\r\n# Usage: .\/Create-SecureTokenAccount.sh &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;]\r\n# &lt;&gt; are required\r\n# [] are optional\r\n# Example: .\/Create-SecureTokenAccount.sh --username test --password Password1 --adminuser admin --adminpassword Password2\r\n#\r\n# Notes:\r\n# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
\r\n# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n# Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
\r\n# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#\r\n#\r\n\r\ndie() {\r\n    local _ret=\"${2:-1}\"\r\n    test \"${_PRINT_HELP:-no}\" = yes &amp;&amp; print_help &gt;&amp;2\r\n    echo \"$1\" &gt;&amp;2\r\n    exit \"${_ret}\"\r\n}\r\n\r\nbegins_with_short_option() {\r\n    local first_option all_short_options='upadvh'\r\n    first_option=\"${1:0:1}\"\r\n    test \"$all_short_options\" = \"${all_short_options\/$first_option\/}\" &amp;&amp; return 1 || return 0\r\n}\r\n\r\nGetCustomField() {\r\n    customfieldName=$1\r\n    dataPath=$(printenv | grep -i NINJA_DATA_PATH | awk -F = '{print $2}')\r\n    value=\"\"\r\n    if [ -e \"${dataPath}\/ninjarmm-cli\" ]; then\r\n        value=$(\"${dataPath}\"\/ninjarmm-cli get \"$customfieldName\")\r\n    else\r\n        value=$(\/Applications\/NinjaRMMAgent\/programdata\/ninjarmm-cli get \"$customfieldName\")\r\n    fi\r\n    if [[ \"${value}\" == *\"Unable to find the specified field\"* ]]; then\r\n        echo \"\"\r\n        return 1\r\n    else\r\n        echo \"$value\"\r\n    fi\r\n}\r\n\r\n# THE DEFAULTS INITIALIZATION - OPTIONALS\r\n_arg_username=\r\n_arg_password=\r\n_arg_adminuser=\r\n_arg_adminpassword=\r\n\r\nprint_help() {\r\n    printf '%s\\n' \"Grants secure token access to an account. Account will be created if it doesn't exist.\"\r\n    printf 'Usage: %s &lt;-u|--username &lt;arg&gt;&gt; &lt;-p|--password &lt;arg&gt;&gt; [-a|--adminuser &lt;arg&gt;] [-d|--adminpassword &lt;arg&gt;] [-h|--help]\\n' \"$0\"\r\n    printf '\\t%s\\n' \"-u, --username: Username to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-p, --password: Password of user to grant secure token access to. (Required)\"\r\n    printf '\\t%s\\n' \"-a, --adminuser: (Optional) Secure token Admin username. (Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-d, --adminpassword: (Optional) Secure token Admin password. 
(Leave blank to prompt local user)\"\r\n    printf '\\t%s\\n' \"-h, --help: Prints help\"\r\n}\r\n\r\nparse_commandline() {\r\n    while test $# -gt 0; do\r\n        _key=\"$1\"\r\n        case \"$_key\" in\r\n        -u | --username)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_username=\"$2\"\r\n            shift\r\n            ;;\r\n        --username=*)\r\n            _arg_username=\"${_key##--username=}\"\r\n            ;;\r\n        -u*)\r\n            _arg_username=\"${_key##-u}\"\r\n            ;;\r\n        -p | --password)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_password=\"$2\"\r\n            shift\r\n            ;;\r\n        --password=*)\r\n            _arg_password=\"${_key##--password=}\"\r\n            ;;\r\n        -p*)\r\n            _arg_password=\"${_key##-p}\"\r\n            ;;\r\n        -a | --adminuser)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminuser=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminuser=*)\r\n            _arg_adminuser=\"${_key##--adminuser=}\"\r\n            ;;\r\n        -a*)\r\n            _arg_adminuser=\"${_key##-a}\"\r\n            ;;\r\n        -d | --adminpassword)\r\n            test $# -lt 2 &amp;&amp; die \"Missing value for the optional argument '$_key'.\" 1\r\n            _arg_adminpassword=\"$2\"\r\n            shift\r\n            ;;\r\n        --adminpassword=*)\r\n            _arg_adminpassword=\"${_key##--adminpassword=}\"\r\n            ;;\r\n        -d*)\r\n            _arg_adminpassword=\"${_key##-d}\"\r\n            ;;\r\n        -h | --help)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        -h*)\r\n            print_help\r\n            exit 0\r\n            ;;\r\n        *)\r\n            _PRINT_HELP=yes die \"FATAL ERROR: Got an 
unexpected argument '$1'\" 1\r\n            ;;\r\n        esac\r\n        shift\r\n    done\r\n}\r\n\r\nparse_commandline \"$@\"\r\n\r\n# Get Script Variables and override parameters\r\nif [[ -n $(printenv | grep -i newAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_username=$(printenv | grep -i newAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! _arg_password=$(GetCustomField \"$(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_password}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i newAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}') ]]; then\r\n    _arg_adminuser=$(printenv | grep -i optionalAuthenticationAccountUsername | awk -F = '{print $2}')\r\nfi\r\nif [[ -n $(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}') ]]; then\r\n    # Get the password from the custom field\r\n    if ! 
_arg_adminpassword=$(GetCustomField \"$(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')\"); then\r\n        # Exit if the custom field is empty\r\n        if [[ -z \"${_arg_adminpassword}\" ]]; then\r\n            echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check that the custom field contains a password.\"\r\n            exit 1\r\n        fi\r\n        # Exit if the custom field is not found\r\n        echo \"[Error] Custom Field ($(printenv | grep -i optionalAuthenticationAccountPasswordCustomField | awk -F = '{print $2}')) was not found. Please check the custom field name.\"\r\n        exit 1\r\n    fi\r\nfi\r\n\r\n# If the username is empty (also report a missing password in the same run)\r\nif [[ -z \"${_arg_username}\" ]]; then\r\n    echo \"[Error] User Name is required.\"\r\n    if [[ -z \"${_arg_password}\" ]]; then\r\n        echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    fi\r\n    exit 1\r\nfi\r\n\r\n# If username is not empty and password is empty\r\nif [[ -n \"${_arg_username}\" ]] &amp;&amp; [[ -z \"${_arg_password}\" ]]; then\r\n    echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\n# If an admin username is given and the admin password is empty\r\nif [[ -n \"${_arg_adminuser}\" ]] &amp;&amp; [[ -z \"${_arg_adminpassword}\" ]]; then\r\n    echo \"[Error] Password is required, please set the password in the secure custom field.\"\r\n    exit 1\r\nfi\r\n\r\nUserAccount=$_arg_username\r\nUserPass=$_arg_password\r\nUserFullName=\"ServiceAccount\"\r\nsecureTokenAdmin=$_arg_adminuser\r\nsecureTokenAdminPass=$_arg_adminpassword\r\nmacOSVersionMajor=$(sw_vers -productVersion | awk -F . '{print $1}')\r\nmacOSVersionMinor=$(sw_vers -productVersion | awk -F . '{print $2}')\r\nmacOSVersionBuild=$(sw_vers -productVersion | awk -F . 
'{print $3}')\r\n\r\n# Check script prerequisites.\r\n\r\n# Exits if macOS version predates the use of SecureToken functionality.\r\n# Exit if macOS &lt; 10.\r\nif [ \"$macOSVersionMajor\" -lt 10 ]; then\r\n    echo \"[Warn] macOS version ${macOSVersionMajor} predates the use of SecureToken functionality, no action required.\"\r\n    exit 0\r\n# Exit if macOS 10 &lt; 10.13.4.\r\nelif [ \"$macOSVersionMajor\" -eq 10 ]; then\r\n    if [ \"$macOSVersionMinor\" -lt 13 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    # Treat a missing third version component (e.g. \"10.13\") as 0 so the numeric test does not error out.\r\n    elif [ \"$macOSVersionMinor\" -eq 13 ] &amp;&amp; [ \"${macOSVersionBuild:-0}\" -lt 4 ]; then\r\n        echo \"[Warn] macOS version ${macOSVersionMajor}.${macOSVersionMinor}.${macOSVersionBuild} predates the use of SecureToken functionality, no action required.\"\r\n        exit 0\r\n    fi\r\nfi\r\n\r\n# Exits if $UserAccount already has SecureToken.\r\nif sysadminctl -secureTokenStatus \"$UserAccount\" 2&gt;&amp;1 | grep -q \"ENABLED\"; then\r\n    echo \"${UserAccount} already has a SecureToken. No action required.\"\r\n    exit 0\r\nfi\r\n\r\n# Exits with error if $secureTokenAdmin does not have SecureToken\r\n# (unless running macOS 10.15 or later, in which case exit with explanation).\r\n\r\nif [ -n \"$secureTokenAdmin\" ]; then\r\n    if sysadminctl -secureTokenStatus \"$secureTokenAdmin\" 2&gt;&amp;1 | grep -q \"DISABLED\"; then\r\n        # Group the 10.x test: || and &amp;&amp; have equal precedence in the shell, so without braces macOS 11+ would fall into the error branch.\r\n        if [ \"$macOSVersionMajor\" -gt 10 ] || { [ \"$macOSVersionMajor\" -eq 10 ] &amp;&amp; [ \"$macOSVersionMinor\" -gt 14 ]; }; then\r\n            echo \"[Warn] Neither ${secureTokenAdmin} nor ${UserAccount} has a SecureToken, but in macOS 10.15 or later, a SecureToken is automatically granted to the first user to enable FileVault (if no other users have SecureToken), so this may not be necessary. Try enabling FileVault for ${UserAccount}. 
If that fails, see what other user on the system has SecureToken, and use its credentials to grant SecureToken to ${UserAccount}.\"\r\n            exit 0\r\n        else\r\n            echo \"[Error] ${secureTokenAdmin} does not have a valid SecureToken, unable to proceed. Please update to another admin user with SecureToken.\"\r\n            exit 1\r\n        fi\r\n    else\r\n        echo \"[Info] Verified ${secureTokenAdmin} has SecureToken.\"\r\n    fi\r\nfi\r\n\r\n# Creates a new user account.\r\ncreate_user() {\r\n    # Check if the user account exists\r\n    if id \"$1\" &gt;\/dev\/null 2&gt;&amp;1; then\r\n        echo \"[Info] Found existing user account $1.\"\r\n    else\r\n        echo \"[Warn] Account $1 doesn't exist. Attempting to create...\"\r\n        # Create a new user\r\n        dscl . -create \/Users\/\"$1\"\r\n        # Add the display name of the User\r\n        dscl . -create \/Users\/\"$1\" RealName \"$3\"\r\n        # Replace password_here with your desired password to set the password for this user\r\n        dscl . -passwd \/Users\/\"$1\" \"$2\"\r\n        # Set the Unique ID for the New user. Replace with a number that is not already taken.\r\n        LastID=$(dscl . -list \/Users UniqueID | sort -nr -k 2 | head -1 | grep -oE '[0-9]+$')\r\n        NextID=$((LastID + 1))\r\n        dscl . -create \/Users\/\"$1\" UniqueID $NextID\r\n        # Set the group ID for the user\r\n        dscl . -create \/Users\/\"$1\" PrimaryGroupID 20\r\n        # Append the User with admin privilege. If this line is not included the user will be set as standard user.\r\n        # sudo dscl . -append \/Groups\/admin GroupMembership \"$1\"\r\n        echo \"[Info] Account $1 created.\"\r\n    fi\r\n}\r\n# Adds SecureToken to target user.\r\nsecuretoken_add() {\r\n    if [ -n \"$3\" ]; then\r\n        # Admin user name was given. 
Do not prompt the user.\r\n        sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            -adminUser \"$3\" \\\r\n            -adminPassword \"$4\"\r\n    else\r\n        # Admin user name was not given. Prompt the local user.\r\n        currentUser=$(stat -f%Su \/dev\/console)\r\n        currentUserUID=$(id -u \"$currentUser\")\r\n        launchctl asuser \"$currentUserUID\" sudo -iu \"$currentUser\" \\\r\n            sysadminctl \\\r\n            -secureTokenOn \"$1\" \\\r\n            -password \"$2\" \\\r\n            interactive\r\n    fi\r\n    # Verify successful SecureToken add.\r\n    secureTokenCheck=$(sysadminctl -secureTokenStatus \"${1}\" 2&gt;&amp;1)\r\n    if echo \"$secureTokenCheck\" | grep -q \"DISABLED\"; then\r\n        echo \"[Error] Failed to add SecureToken to ${1}. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 126\r\n    elif echo \"$secureTokenCheck\" | grep -q \"ENABLED\"; then\r\n        echo \"[Info] Successfully added SecureToken to ${1}.\"\r\n    else\r\n        echo \"[Error] Unexpected result, unable to proceed. Please rerun policy; if issue persists, a manual SecureToken add will be required to continue.\"\r\n        exit 1\r\n    fi\r\n}\r\n\r\n# Create new user if it doesn't already exist.\r\ncreate_user \"$UserAccount\" \"$UserPass\" \"$UserFullName\"\r\n# Add SecureToken using provided credentials.\r\nsecuretoken_add \"$UserAccount\" \"$UserPass\" \"$secureTokenAdmin\" \"$secureTokenAdminPass\"\r\n<\/pre>\n<p>&nbsp;<\/p>\n\n<div class=\"in-context-cta\"><\/div>\n<h2>Detailed analysis<\/h2>\n<h3>Script overview<\/h3>\n<p>The script is designed to grant secure token access to a user account on macOS, with the option of creating the account if it does not already exist. 
Here is a detailed, step-by-step description of how the script works:<\/p>\n<ol>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Parameter parsing<\/strong>: The script begins by defining a die function to handle errors and a print_help function to display usage information. It then parses the command-line arguments to extract the username, the password and, optionally, the admin username and password.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Environment variables<\/strong>: It checks for environment variables that can override the command-line parameters. 
If specific environment variables are set, the script retrieves their values to use as parameters.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>macOS version check<\/strong>: The script checks the macOS version to verify that it supports secure token functionality. It exits if the macOS version is too old to use secure tokens.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Secure token status check<\/strong>: It checks whether the specified user account already has a secure token. 
If the user account already has a secure token, the script exits, since no further action is needed.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Admin user token check<\/strong>: If an admin username is provided, the script verifies that this admin user has a secure token. If it does not, the script exits with an error, unless the macOS version is 10.15 or later; in that case it recommends using a different process.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>User account creation<\/strong>: The script includes a function that creates a new user account if it does not already exist. 
It assigns a unique ID, sets a password, and configures other necessary attributes.<\/li>\n<li data-leveltext=\"%1.\" data-font=\"Aptos\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Granting a secure token<\/strong>: The script attempts to grant a secure token to the specified user account, using the provided credentials. If the admin username is provided, those credentials are used; otherwise, the local user is prompted to authenticate.<\/li>\n<\/ol>\n<h2>Potential use cases<\/h2>\n<p>Imagine an IT professional named Alex who manages a fleet of macOS devices for a large company. Alex must ensure that all user accounts on these devices have secure tokens for FileVault encryption. Manually checking and granting secure tokens on every device would take a lot of time.<\/p>\n<p>By deploying this script through a centralized management tool, Alex can automate the process, ensuring that all user accounts in the organization have the necessary secure tokens and thereby maintaining compliance with the company's security policies.<\/p>\n<h2>Comparisons<\/h2>\n<p>Other methods of creating secure tokens in macOS generally involve manual intervention through macOS System Preferences or running sysadminctl commands individually for each user. Although they work, these methods do not scale to managing a large number of devices. 
The script automates these steps, making them more efficient and reducing the likelihood of human error.<\/p>\n<h2>Frequently asked questions<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\">\n<h3>What happens if the user account already exists?<\/h3>\n<p>The script checks whether the user account exists and, if it already does, skips the creation step.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">\n<h3>Can I use this script on older versions of macOS?<\/h3>\n<p>The script includes checks to ensure that it runs only on macOS versions that support secure tokens, specifically macOS 10.13.4 and later.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" 
data-aria-posinset=\"3\" data-aria-level=\"1\">\n<h3>What happens if the admin user does not have a secure token?<\/h3>\n<p>The script exits with an error if the admin user does not have a secure token, except on macOS 10.15 or later, where an alternative procedure is suggested.<\/li>\n<\/ul>\n<h2>Implications<\/h2>\n<p>Granting secure tokens to user accounts is essential for enabling FileVault and performing administrative tasks securely. Automating this process helps maintain high security standards, ensure compliance with organizational policies, and reduce the risk of unauthorized access.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Update the script regularly<\/strong>: Make sure the script is kept up to date with the latest macOS changes and that you follow security practices.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><strong>Secure custom fields<\/strong>: Use secure custom fields to store sensitive information such as a 
password.<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\"><strong>Centralized management<\/strong>: Deploy the script through a centralized management tool to ensure consistency across all devices.<\/li>\n<\/ul>\n<h2>Final considerations<\/h2>\n<p>Automating the process of granting secure tokens with this script significantly improves the <a href=\"https:\/\/www.ninjaone.com\/it\/efficienza-it\" target=\"_blank\" rel=\"noopener\">efficiency<\/a> and security of macOS device management. For IT professionals and MSPs, this script is a valuable tool for maintaining solid security practices.<\/p>\n<p>NinjaOne offers comprehensive solutions that integrate seamlessly with scripts like this one, providing a structured approach to IT management and security. 
By using NinjaOne, you can streamline workflows and ensure that all devices are secure and compliant with the organization's policies.<\/p>\n","protected":false},"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"","_lmt_disable":""},"operating_system":[4210],"use_cases":[4269],"class_list":["post-353739","script_hub","type-script_hub","status-publish","hentry","script_hub_category-macos","use_cases-configurazione-generale"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/script_hub\/353739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/comments?post=353739"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/media?parent=353739"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/operating_system?post=353739"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/use_cases?post=353739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}