rtrouton/SecureToken and sysadminctl in 10.13 (based on 10.13.2)

## SecureToken and sysadminctl in 10.13 (based on 10.13.2)
sysadminctl is a tool Apple introduced in 10.10 for working with system user accounts. In 10.13,
sysadminctl is Apple's recommended tool for working with user accounts in the CLI, replacing functionality
that has long been provided by dscl and adds new features available only in 10.13.
sysadminctl can be used to change user passwords, create new users (including automatically provisioning
the user home folder) or check the status of a new-to-10.13 security feature named SecureToken.

SecureToken is a user attribute like password type or user home location. SecureToken is not publicly
documented by Apple so it is not possible to provide a full technical description, but in practice one
needs only to know if a user has SecureToken or not. Having SecureToken set signifies that a user can
unlock a FileVault-encrypted volume. Without the SecureToken bit on a user account, that user will not
be able to authenticate at the FileVault pre-OS login screen.

The SecureToken attribute should be automatically granted:
- To the first user created by SetupAssistant on a new machine/fresh OS install
- For a user created by the MDM createuser command for machines enrolled in DEP
- For existing FileVault users on a machine that has been upgraded to 10.13
- To directory users on a properly bound machine

Users created in System Preferences > Accounts or via the CLI are not automatically assigned SecureToken, but
an administrator who has SecureToken set for their own account should be able to grant SecureToken to additional
users. On machines with FileVault enabled, it is imperative that any user using the machine have SecureToken set.

Check a User's SecureToken Status
sudo sysadminctl -secureTokenStatus [user being checked]

dscl Alternative to Check a User's SecureToken Status
dscl . -read /Users/[user being checked] AuthenticationAuthority

Grant SecureToken to a User v1 (must be done on the machine in a GUI login)
The admin user running this command must have SecureToken themselves. Granting SecureToken is a chain-of-trust process.
sudo sysadminctl interactive -secureTokenOn [user being granted SecureToken] -password [user's password]
When prompted, provide the authenticate as the admin running the command.

Grant SecureToken to a User v2
sudo sysadminctl -adminUser [admin user] -adminPassword [admin's password] -secureTokenStatus [user being granted SecureToken]
	sysadminctl is a tool Apple introduced in 10.10 for working with system user accounts. In 10.13,
	sysadminctl is Apple's recommended tool for working with user accounts in the CLI, replacing functionality
	that has long been provided by dscl and adds new features available only in 10.13.
	sysadminctl can be used to change user passwords, create new users (including automatically provisioning
	the user home folder) or check the status of a new-to-10.13 security feature named SecureToken.

	SecureToken is a user attribute like password type or user home location. SecureToken is not publicly
	documented by Apple so it is not possible to provide a full technical description, but in practice one
	needs only to know if a user has SecureToken or not. Having SecureToken set signifies that a user can
	unlock a FileVault-encrypted volume. Without the SecureToken bit on a user account, that user will not
	be able to authenticate at the FileVault pre-OS login screen.

	The SecureToken attribute should be automatically granted:
	- To the first user created by SetupAssistant on a new machine/fresh OS install
	- For a user created by the MDM createuser command for machines enrolled in DEP
	- For existing FileVault users on a machine that has been upgraded to 10.13
	- To directory users on a properly bound machine

	Users created in System Preferences > Accounts or via the CLI are not automatically assigned SecureToken, but
	an administrator who has SecureToken set for their own account should be able to grant SecureToken to additional
	users. On machines with FileVault enabled, it is imperative that any user using the machine have SecureToken set.

	Check a User's SecureToken Status
	sudo sysadminctl -secureTokenStatus [user being checked]

	dscl Alternative to Check a User's SecureToken Status
	dscl . -read /Users/[user being checked] AuthenticationAuthority

	Grant SecureToken to a User v1 (must be done on the machine in a GUI login)
	The admin user running this command must have SecureToken themselves. Granting SecureToken is a chain-of-trust process.
	sudo sysadminctl interactive -secureTokenOn [user being granted SecureToken] -password [user's password]
	When prompted, provide the authenticate as the admin running the command.

	Grant SecureToken to a User v2
	sudo sysadminctl -adminUser [admin user] -adminPassword [admin's password] -secureTokenStatus [user being granted SecureToken]