Find Secure Token Users For macOS

Neil Chavez | Pro Tip

What is a macOS secure token?

A secure token on a Mac is an account attribute that permits a user to perform critical operations on the macOS system, such as enabling FileVault, approving system and kernel extensions, and enforcing software updates.

A secure token is automatically granted to the very first user account on a macOS device. Once that initial account has a secure token, any user accounts it subsequently creates via System Preferences > Users and Groups are automatically granted their own secure tokens.

There may be occasions where you want to see which user accounts have secure tokens and are therefore permitted to perform macOS operations such as decrypting FileVault. The process below shows those users:

Finding Secure Token Users for a volume:

  1. The first step is finding the volume on which the OS is installed. You can use the diskutil command to accomplish this.

    diskutil list



    In our example, the OS volume is on disk3s5.

  2. Once we have the appropriate volume location we can run the following command:

    diskutil apfs listCryptoUsers OSVolumeLocation

    This lists the GUID of each secure token user.



  3. The type “Local Open Directory User” refers to your local user account. You can copy the GUID and use the next command to find the username of the account:

    dscl . -search /Users GeneratedUID GUID
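
Steps 2 and 3 combined into one script, as an added example that is not part of the original tip. It assumes `diskutil apfs listCryptoUsers` prints each user as a `+-- <GUID>` line followed by a `Type:` line, and that the first field of the `dscl` search result is the account's short name; the function names and the sample GUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: map secure token (crypto user) GUIDs on an APFS volume
# to local usernames. Function names are hypothetical.

# Read `diskutil apfs listCryptoUsers` output on stdin and print the GUID of
# every entry whose type is "Local Open Directory User".
# Assumption: each user is a "+-- <GUID>" line followed by a "Type:" line.
local_crypto_guids() {
    awk '
        $1 == "+--" { guid = $2; next }
        index($0, "Type: Local Open Directory User") && guid != "" { print guid }
        /Type:/ { guid = "" }   # other types (e.g. recovery keys) are skipped
    '
}

# Step 3: resolve one GUID to a username with the dscl search.
# Assumption: the first field of the first output line is the short name.
guid_to_user() {
    dscl . -search /Users GeneratedUID "$1" </dev/null | awk 'NR == 1 { print $1 }'
}

# Steps 2 and 3 for one volume: prints "GUID<TAB>username" per local user.
secure_token_users() {
    diskutil apfs listCryptoUsers "$1" | local_crypto_guids |
    while read -r guid; do
        printf '%s\t%s\n' "$guid" "$(guid_to_user "$guid")"
    done
}

# Constructed sample output (GUIDs are made up) for trying the parser offline:
#   printf '%s\n' "$SAMPLE_OUTPUT" | local_crypto_guids
SAMPLE_OUTPUT='Cryptographic users for disk3s5 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
|   Type: Personal Recovery User
|
+-- 66666666-7777-8888-9999-000000000000
    Type: Local Open Directory User'

# On a Mac, pass the volume found in step 1, e.g.: sh this_script.sh disk3s5
if [ "$#" -gt 0 ]; then
    secure_token_users "$1"
fi
```

A GUID that resolves to an empty username belongs to no local account in the directory and is worth a closer look when auditing who can unlock the volume.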