How to fix the “Secure Token could not be activated for the Swif admin account. Please check your password.”
Updated this week

Why Secure Token Is Needed

A Secure Token is required for a macOS user account to manage encryption features like FileVault. If Swif’s MDM tries to enable FileVault or manage disk encryption settings, the Swif admin account must have a Secure Token. If macOS can’t grant it (often due to password mismatch or missing admin rights), you see the error:

“Error - Secure token could not be activated for the Swif admin account. Please check your password.”


Preliminary Checks

  1. Ensure the Current Local Admin Already Has a Secure Token:

    • In most cases, the user who’s granting the Swif admin a token must already have one. If not, you can’t grant it to others.

    • On Intel Macs, you can verify by running:

      sysadminctl -secureTokenStatus <admin_username>

      It should say “Secure token is ENABLED” for that admin.

    • On Apple Silicon, it typically requires the original volume owner or an admin with Secure Token.

  2. Confirm the Swif Admin Password:

    • In your Swif portal, go to Device Details > Accounts > Swif admin (or similarly named).

    • Click View Password to retrieve the device’s stored Swif admin password. Keep it handy.

  3. Gather the Local Admin Credentials:

    • You need the local admin user’s short username (e.g., johnsmith) and password. If you’re not sure, verify in System Settings > Users & Groups or via id -F in Terminal.


Method 1: Enable Secure Token via Terminal (sysadminctl)

This method doesn’t require physically using the Mac’s GUI, and is often fastest if you have remote or command-line access.

  1. Open Live Terminal (or a local Terminal session)
    In the Swif console, you may have a “Live Terminal” or “Remote Command” feature. Alternatively, use SSH or local Terminal on the Mac.

  2. Run the sysadminctl command
    Replace the placeholders with the correct credentials:

    sudo sysadminctl \
      -adminUser <LOCAL_ADMIN_USERNAME> \
      -adminPassword "<LOCAL_ADMIN_PASSWORD>" \
      -secureTokenOn swifteam \
      -password "<SWIF_ADMIN_PASSWORD>"

    • <LOCAL_ADMIN_USERNAME> is the short username of the Mac’s existing admin (who already has a Secure Token).

    • <LOCAL_ADMIN_PASSWORD> is that admin’s password.

    • swifteam is the short username for your Swif admin account (if named differently, adjust accordingly).

    • <SWIF_ADMIN_PASSWORD> is the Swif admin password from Device Details > Accounts > View Password in Swif.

  3. Check for Errors

    • If the command succeeds, you should see no error and can confirm Secure Token is now active by running:

      sysadminctl -secureTokenStatus swifteam

    • If you see “Secure token is ENABLED,” the operation was successful.

    • If it fails, double-check the passwords. Make sure the local admin user truly has a token and the password is typed exactly.
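
The preliminary token check, the grant and the verification above, combined into one script as an added example (not Swif's own tooling; the function names are hypothetical). Passing `-` in place of each password makes sysadminctl prompt for it, which keeps both passwords out of shell history and the process list but requires an interactive terminal.

```shell
#!/bin/sh
# Added example: precheck, grant and verify a Secure Token without
# putting either password on the command line.
# Usage: ./grant_token.sh <LOCAL_ADMIN_USERNAME> swifteam

# Classify the text printed by `sysadminctl -secureTokenStatus <user>`.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;   # e.g. unknown user
    esac
}

# sysadminctl logs its result to stderr, so fold stderr into stdout
# before parsing; without 2>&1 the captured text is empty.
user_token_state() {
    token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

grant_token() {
    granter=$1
    target=$2
    # The granting admin must already hold a Secure Token.
    if [ "$(user_token_state "$granter")" != ENABLED ]; then
        echo "$granter has no Secure Token and cannot grant one" >&2
        return 2
    fi
    # Nothing to do if the target already has one.
    if [ "$(user_token_state "$target")" = ENABLED ]; then
        echo "$target already has a Secure Token"
        return 0
    fi
    # "-" asks sysadminctl to prompt for each password instead of
    # reading it from the argument list.
    sudo sysadminctl -adminUser "$granter" -adminPassword - \
        -secureTokenOn "$target" -password - || return 1
    # Confirm the result rather than trusting the exit status alone.
    [ "$(user_token_state "$target")" = ENABLED ] || return 1
    echo "Secure Token enabled for $target"
}

# Run only when both usernames are supplied on the command line.
if [ "$#" -eq 2 ]; then
    grant_token "$1" "$2"
fi
```
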


Method 2: Enable Secure Token Manually Through macOS UI

If you prefer the graphical approach or if sysadminctl isn’t working remotely, you can unhide the Swif admin user, grant it Secure Token in System Settings, and then hide it again. This requires local access to the Mac or screen-sharing.

2A. Unhide the Swif Admin Account

  1. Open Terminal on the Mac (Applications > Utilities > Terminal).

  2. Unhide the account named swifteam (or your actual Swif admin username). For example:

    sudo dscl . -create /Users/swifteam IsHidden 0

  3. Log out or Switch Users: If the Swif admin does not appear at the login screen, try rebooting or switching users, so it’s fully recognized.

2B. Grant Secure Token via FileVault Preferences

  1. Log in as the current local admin who already has a Secure Token (or go to System Settings while logged in as that admin).

  2. Go to: Apple Menu > System Settings (or “System Preferences” on older macOS).

  3. Select “Privacy & Security” in the sidebar, then find FileVault.

  4. Check if FileVault is On:

    • If FileVault is on, you’ll see a button like Enable Users (or “Some users are not able to unlock the disk.”).

    • Click Enable Users… to see a list of accounts without Secure Token access.

  5. Enable the Swif Admin:

    • If swifteam (the Swif admin user) appears, click "Enable User" next to it.

    • Enter the Swif admin password to finalize.

    • If accepted, the Swif admin user is now authorized for FileVault and has a Secure Token.

Note: If the system prompts for your local admin credentials first, enter them, and then for the Swif admin account password second. This confirms both accounts are authorized.

2C. Hide the Swif Admin Account Again

Once the Swif admin account has a Secure Token, you likely want to hide the account again:

sudo dscl . -create /Users/swifteam IsHidden 1

You can verify the account is hidden by logging out or checking the login window. The Swif admin should no longer appear.


Verifying the Fix

Regardless of which method you used, you can confirm the Swif admin has a Secure Token:

  1. Open Terminal (locally or via Live Terminal).

  2. Run:

    sysadminctl -secureTokenStatus swifteam

    It should say:

    “Secure token is ENABLED for user swifteam.”

Additionally, if you open FileVault preferences again, you should see the Swif admin user is now listed as an authorized unlock user for the disk (assuming FileVault is on).


Common Pitfalls

  • Wrong Admin Password: Make sure you have the correct local admin’s password. If you see repeated prompts or the “password is incorrect” error, confirm you’re using the right credentials.

  • Existing Secure Token: The user granting the token must already have one. On Intel Macs, if the only admin user lacks a Secure Token, you’ll need to fix that first, possibly by resetting the user’s password in macOS Recovery or using an already token-enabled admin.

  • FileVault Off: On some macOS versions, you can’t enable a Secure Token for a second admin if FileVault is completely off. Usually turning on FileVault or letting the system proceed with the initial encryption setup triggers the option to add more accounts.

  • Account Hidden: If the account is hidden while you attempt the manual enable in the UI, it may not appear in the “Enable Users…” list. Hence, the need to unhide it.


Conclusion

When encountering the “Secure token could not be activated for the Swif admin account” error, the solution is to manually grant the token using either the sysadminctl command or the FileVault “Enable Users” GUI flow. Make sure you have:

  1. A local admin user who already has a Secure Token,

  2. The correct admin and Swif admin passwords,

  3. (If using the GUI) Unhidden the Swif admin account temporarily to see it in the FileVault user list.

After successful completion, the Swif admin can manage FileVault and other security features as intended. If you still run into issues, please contact Swif Support for additional assistance.
