macOS Password Management Considerations

Password management on macOS differs from Windows in several important ways. On macOS, Secure Token is a foundational account attribute that governs both FileVault disk encryption access and the trust chain used for password management operations. Understanding these differences is essential for reliable password rotation in your environment.

Secure Token (Recommended)

Delinea recommends configuring the Secure Token Management Credential for all macOS computer groups. When Secure Token is enabled:

  • The agent uses the Secure Token trust chain to rotate passwords, which does not require knowledge of the account’s previous password.

  • Newly provisioned accounts and accounts migrated from other environments will have their passwords rotated successfully from the first rotation cycle.

  • Managed accounts are eligible for FileVault disk encryption, which protects data at rest in the event of device loss or theft.

  • Troubleshooting is more straightforward because all accounts follow the same password management path.

  • This approach aligns with Apple’s platform direction. As of macOS 10.13, Apple designates sysadminctl as the recommended tool for user account management, replacing dscl. The Apple Platform Deployment Guide exclusively references sysadminctl for Secure Token operations.

For setup instructions, see macOS Secure Token.

Prerequisites for Secure Token Password Rotation

Before the agent can rotate passwords using Secure Token, the following must be in place:

  1. A local administrator account with Secure Token enabled must already exist on the macOS endpoint. The agent does not create this account. It must be provisioned before the agent configuration is applied (for example, via MDM, during initial device setup, or through a deployment script).

  2. The credentials for this account must be configured as the Secure Token Management Credential in the agent configuration for the applicable macOS computer group.

  3. The account’s password must be known and static. The password configured in Privilege Manager must match the password set on the endpoint. This credential is excluded from automatic password rotation due to a bootstrapping constraint (see Management Credential Bootstrapping Constraint).
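The three prerequisites above, followed by the Secure Token rotation path described under "Secure Token (Recommended)", as an added shell example for verifying an endpoint by hand. This is not Delinea's agent code. It runs as root on the Mac, reads the management credential from the environment rather than the command line (the variable names MGMT_USER, MGMT_PASS, TARGET_USER and NEW_PASS are assumptions, not names from this page), and relies on sysadminctl -secureTokenStatus, sysadminctl -resetPasswordFor and dscl -authonly.

```shell
#!/bin/sh
# Added example, not Delinea's agent code: check the three prerequisites for
# the Secure Token Management Credential, then rotate another local account
# through the same trust chain the agent uses (sysadminctl, no old password).
# Run as root on the endpoint. MGMT_USER / MGMT_PASS / TARGET_USER / NEW_PASS
# are assumed environment variable names; secrets passed as arguments would
# show up in the process list, so they are read from the environment here.

# 1. The management account must already exist; the agent does not create it.
account_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# 2/3. The static password stored in Privilege Manager must authenticate
# locally; if it does not, every Secure Token operation will fail.
password_matches() {
    dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# sysadminctl reports on stderr, for example
#   "2024-01-01 10:00:00.000 sysadminctl[321:654] Secure token is ENABLED for user mgmtadmin"
# Reduce that line to enabled / disabled / unknown so the check is scriptable.
classify_token_line() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

secure_token_status() {
    classify_token_line "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Returns 0 only when all three prerequisites hold for the account in $1/$2.
preflight() {
    if ! account_exists "$1"; then
        echo "FAIL: '$1' does not exist; provision it via MDM, Setup Assistant, or a script first" >&2
        return 1
    fi
    if ! password_matches "$1" "$2"; then
        echo "FAIL: stored password for '$1' does not match the endpoint" >&2
        return 1
    fi
    st=$(secure_token_status "$1")
    if [ "$st" != enabled ]; then
        echo "FAIL: '$1' Secure Token is '$st'; grant it from an existing token holder with" >&2
        echo "      sysadminctl -adminUser <holder> -adminPassword - -secureTokenOn $1 -password -" >&2
        return 1
    fi
    echo "OK: '$1' exists, authenticates, and holds a Secure Token"
}

# Rotate $3 to $4 without its previous password, authorised by the management
# credential $1/$2. The new password is then tested, and the target's token is
# re-checked, since a rotation that strips the token would break FileVault.
rotate_with_secure_token() {
    sysadminctl -adminUser "$1" -adminPassword "$2" -resetPasswordFor "$3" -newPassword "$4" 2>&1
    password_matches "$3" "$4" || { echo "FAIL: new password for '$3' does not authenticate" >&2; return 1; }
    [ "$(secure_token_status "$3")" = enabled ] || { echo "FAIL: '$3' no longer holds a Secure Token" >&2; return 1; }
    echo "OK: '$3' rotated; Secure Token intact"
}

# Usage: MGMT_USER=... MGMT_PASS=... sh preflight.sh check
#        MGMT_USER=... MGMT_PASS=... TARGET_USER=... NEW_PASS=... sh preflight.sh rotate
case "${1-}" in
    check)  preflight "${MGMT_USER:?}" "${MGMT_PASS:?}" ;;
    rotate) preflight "${MGMT_USER:?}" "${MGMT_PASS:?}" &&
            rotate_with_secure_token "$MGMT_USER" "$MGMT_PASS" "${TARGET_USER:?}" "${NEW_PASS:?}" ;;
esac
```

The preflight order matters: an account that exists but whose stored password does not authenticate is the common failure after a manual reset on the endpoint, and it will look identical to a missing token from the agent's side unless the password is tested first.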

Management Credential Bootstrapping Constraint

The Secure Token Management Credential requires a static, known password. While it may seem desirable to rotate this credential’s password for security, this would create a circular dependency:

  • The agent needs the management credential’s current password to perform any Secure Token operation (including password rotation for other accounts).

  • If the agent rotated the management credential’s own password, it would need to know the new password for its next operation, but the rotation just changed it.

  • For this reason, the management credential is excluded from automatic password rotation. Delinea recommends using a strong, long, unique password and treating this account as a privileged service account with appropriate access controls and monitoring.

Fallback Method (dscl — Not Recommended)

If the Secure Token Management Credential is not configured, the agent falls back to the dscl command for password rotation. This method has significant limitations:

  • Previous password required: The dscl-based rotation requires the account’s current password to set a new one. Newly provisioned accounts or accounts migrated without password history in Privilege Manager will fail on the first rotation attempt.

  • Inconsistent results in mixed environments: macOS may grant Secure Token to accounts automatically (for example, during an interactive login). This creates a mixed environment where the agent attempts different rotation methods for different accounts, producing inconsistent results.

  • Cannot manage Secure Token-enabled accounts: If an account has been granted Secure Token (even unintentionally), the fallback method cannot rotate its password. A Secure Token Management Credential must be configured to manage Secure Token-enabled accounts.

  • No FileVault eligibility: Accounts managed without Secure Token are not eligible for FileVault disk encryption, leaving data at rest unprotected.

  • Apple platform direction: Apple’s sysadminctl man page (macOS 10.13+) designates sysadminctl as the recommended replacement for dscl for user account management. See Apple Platform Deployment Guide.

Mixed Secure Token Environments

In environments where some managed accounts have Secure Token and some do not, and the Secure Token Management Credential is not configured, administrators may observe:

  • Password rotation succeeding on some endpoints and failing on others for the same account

  • Rotation behavior changing over time as macOS grants Secure Token to additional accounts during interactive logins

  • Different error conditions for different accounts requiring divergent troubleshooting paths

To resolve these issues, Delinea recommends enabling Secure Token across all managed macOS accounts by configuring the Secure Token Management Credential in the macOS computer group’s agent configuration. This establishes a consistent baseline for both password management and FileVault eligibility, and simplifies troubleshooting.
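An added shell example covering both the "Fallback Method (dscl)" limitations and the "Mixed Secure Token Environments" symptoms above: it audits every local account on a Mac for Secure Token and FileVault status and states, per account, what the dscl fallback would do. This is not part of Delinea's agent. It runs as root on the endpoint; the decision rules are plain shell so they can be exercised offline with constructed rows. KNOWN_PASSWORD_USERS is an assumed environment variable (not from this page) listing accounts whose previous password Privilege Manager already holds.

```shell
#!/bin/sh
# Added example, not part of Delinea's agent: audit every local account for
# Secure Token and FileVault enablement and work out, per account, whether the
# dscl fallback could rotate it. Run as root on the endpoint. The decision
# logic below is pure shell and can be exercised with constructed rows.

# Local (non-service) accounts: UID >= 500 and not prefixed with "_".
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 && $1 !~ /^_/ { print $1 }'
}

# One "user enabled|disabled" row per account; sysadminctl writes to stderr.
token_rows() {
    for u in $(local_users); do
        if sysadminctl -secureTokenStatus "$u" 2>&1 | grep -q 'Secure token is ENABLED'
        then echo "$u enabled"; else echo "$u disabled"; fi
    done
}

# Accounts able to unlock FileVault; fdesetup prints "name,UUID" per line.
filevault_users() {
    fdesetup list 2>/dev/null | cut -d, -f1
}

# The fallback rules from the text, as a function:
#   - a Secure Token holder cannot be rotated by dscl at all;
#   - a non-token account can be, but only if its previous password is known.
# $1 = enabled|disabled, $2 = yes|no (previous password on record)
fallback_outcome() {
    if [ "$1" = enabled ]; then echo "blocked(secure-token)"
    elif [ "$2" = yes ];    then echo "ok"
    else                         echo "fails(no-previous-password)"
    fi
}

# "mixed" when the rows on stdin carry more than one token status.
token_mix() {
    awk '!seen[$2]++ { n++ } END { r = (n > 1) ? "mixed" : "uniform"; print r }'
}

# Render rows from stdin. $1 = newline-separated FileVault users,
# $2 = newline-separated accounts whose previous password is on record.
render_report() {
    while read -r u st; do
        fv=no;    printf '%s\n' "$1" | grep -qx "$u" && fv=yes
        known=no; printf '%s\n' "$2" | grep -qx "$u" && known=yes
        printf '%s token=%s filevault=%s dscl_fallback=%s\n' \
            "$u" "$st" "$fv" "$(fallback_outcome "$st" "$known")"
    done
}

audit() {
    rows=$(token_rows)
    printf '%s\n' "$rows" | render_report "$(filevault_users)" "${KNOWN_PASSWORD_USERS-}"
    echo "environment: $(printf '%s\n' "$rows" | token_mix)"
}

# Usage: sudo KNOWN_PASSWORD_USERS="$(printf 'alice\nbob\n')" sh audit.sh audit
case "${1-}" in audit) audit ;; esac
```

An "environment: mixed" result on a group without a Secure Token Management Credential is the condition the section above describes; the per-account dscl_fallback column shows which accounts will fail and why, which is the information needed before deciding whether to configure the management credential or to grant tokens by hand first.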