JumpCloud uses a service account on macOS systems to let users unlock FileVault encryption. When you install the JumpCloud agent on a macOS system, it silently creates this system account to:
- Provide new users with SecureTokens to authorize FileVault access.
- Rotate the FileVault Recovery Key when using the JumpCloud macOS FileVault 2 Policy.
The service account provides SecureToken and FileVault services to other JumpCloud-managed user accounts and has the following restrictions:
- Users can't log in as the service account.
- It doesn't have an accessible password.
- It doesn't have a valid home directory.
If you’re installing the JumpCloud Mac agent and encounter a failure to create the service account, it may be due to the service account’s restrictions.
Known Issue: MDM Password Policy Conflict
Under all of the following conditions:
- You register your Apple Mobile Device Management (MDM) server of choice as something other than JumpCloud (some other solution you use alongside JumpCloud).
- You apply an MDM password policy.
- The system is running macOS 10.13 or later.
The JumpCloud Service Account fails to be created.
Cause
The JumpCloud Service Account generates a very long random password. When your MDM solution applies a complex password policy, that random password may fail the policy check, which stops the account from being created.
Resolution
We know this is an issue and are working to resolve it. In the meantime, we recommend you use one of the following workarounds:
- Remove the macOS system from the MDM policy.
- Remove the policy.
- Register JumpCloud as your MDM server of choice with Apple.
Keep in mind that Apple only allows an organization to register one MDM solution.
Known Issue: Invalid Status
A macOS device might have an Invalid status because of any of these situations:
- No service account
- Service account has no secure token
- Secure token is invalid due to an invalid local or disk password
Cause
JumpCloud has identified a problem on certain macOS devices where the JumpCloud Service Account is unable to perform necessary tasks related to user management. If the service account is not repaired on these devices, future users added to the machine will not be able to decrypt the disk successfully during login and the JumpCloud agent will be unable to successfully take over existing accounts. Some devices are easily recovered from this state with a local administrator account that has been issued a secure token on the device.
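Added diagnostic script for the Invalid-status causes listed above; it is not JumpCloud's own tooling. It inspects the text that sysadminctl -secureTokenStatus and fdesetup list print (sysadminctl reports the token state only in its printed text, not its exit code). The account names and the sample command output are constructed assumptions.

```shell
#!/bin/sh
# Added helper, not JumpCloud tooling: checks the article's Invalid-status
# conditions for one local account. Names and sample output are constructed.

# sysadminctl prints "Secure token is ENABLED|DISABLED for user <name>" (on
# stderr) and exits 0 either way, so the text itself has to be inspected.
token_state_from_output() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  echo enabled ;;
    *"Secure token is DISABLED for user"*) echo disabled ;;
    *)                                      echo unknown ;;
  esac
}

# "fdesetup list" prints one "shortname,UUID" line per FileVault-enabled user.
# $1 = fdesetup output, $2 = short name; exit status 0 when the user is listed.
fv_user_listed() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

# Constructed sample of "fdesetup list" output for offline use.
SAMPLE_FDESETUP_LIST="alice,00000000-1111-2222-3333-444444444444
bob,55555555-6666-7777-8888-999999999999"

# Map (account present?, token state) onto the article's Invalid causes.
# $1 = yes|no (account exists), $2 = enabled|disabled|unknown
invalid_reason() {
  if   [ "$1" != yes ];     then echo "no service account"
  elif [ "$2" = disabled ]; then echo "service account has no secure token"
  elif [ "$2" = enabled ];  then echo "ok"
  else echo "secure token state unreadable; verify the local and disk passwords"
  fi
}

# Live check on a Mac (fdesetup may need root): $1 = account short name.
check_account() {
  if command -v sysadminctl >/dev/null 2>&1 && dscl . -read "/Users/$1" RecordName >/dev/null 2>&1; then
    state=$(token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)")
    invalid_reason yes "$state"
    fv_user_listed "$(fdesetup list 2>/dev/null)" "$1" || echo "not in fdesetup list"
  else
    invalid_reason no unknown
  fi
}

# Usage: sh check_jc_account.sh <account-short-name>
if [ -n "$1" ]; then check_account "$1"; fi
```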
Resolution
There are two ways to resolve this situation:
- Resolve a Missing or Invalid macOS Service Account
- Recover Devices That Have a User Without a Secure Token
Resolving a Missing or Invalid macOS Service Account
If you are seeing this on a recently enrolled system, a restart will resolve the issue: the service account is created on the next login after enrollment. See Install and Use the Service Account for macOS. If your system has not yet restarted, it may erroneously show as problematic.
To resolve a missing or invalid macOS service account:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Select Needs Attention and select a device. This list only contains devices that were created more than 10 days ago.
- If the device does not have a service account but admins have secure tokens, the View admin list link appears:
  - Click View admin list.
  - Review this list of local administrators identified on the device that have a valid service account.
  - Log in to the device with one of the local administrator accounts on the list to resolve the issue and create the JumpCloud Service Account. After you log in to a JumpCloud-managed device with a user that has a valid secure token, the JumpCloud Service Account is created.
- If the device does not have a service account but the admin has a valid secure token, you must:
  - Open Finder on your device.
  - Navigate to the /Applications folder.
  - Double-click the JumpCloudServiceAccount.app file to run it.
  - Select your username from the dropdown list and enter the password associated with it.
  - Click Create Account.
- If the macOS device has reported that it does not have a valid local or disk password, or there is no View admin list link, then a manual reinstall of the JumpCloud agent over the top of the existing agent is required. During the reinstallation process, users are prompted to enter the credentials of an admin user with a valid secure token. If no such account is present, follow the steps in Recovering Devices That Have a User Without a Secure Token below.
- If the device has a service account but the local password or disk password is not valid, then the service account is invalid and the agent must be manually reinstalled over the top of the existing agent to resolve the issue.
During the process of reinstalling the agent over an existing install, you’ll be prompted to enter administrative credentials to install the service account. See Install the Mac Agent.
Recovering Devices That Have a User Without a Secure Token
If you're unable to create the JumpCloud Service Account by using the Service Account utility with any username/password combination, then it's possible that none of your macOS accounts has a Secure Token, which is a requirement for generating the JumpCloud Service Account. This can be fixed without resetting the device, but it does require the FileVault Recovery Key for the device. This process is not possible via remote screen sharing.
To recover a device without a secure token:
- Boot to macOS Recovery.
- When prompted, select a User or click Forgot All Passwords.
- Enter the FileVault Recovery Key for the device.
- Under the Utilities menu, select Terminal.
- From the Terminal prompt, type resetFileVaultpassword and press Enter. A Reset Password window launches behind the Terminal window.
  Tip: If you have just one account on the Mac (which is likely if you find yourself in this scenario), that account should be selected automatically.
- Enter a new password and verify it, then click Next.
- Click Restart.
As part of the password reset process, the resetFileVaultpassword tool also resyncs the secure token attribute for the account. That action allows FileVault to work normally again.
If you have multiple accounts on this Mac, the Reset Password tool requires passwords for all accounts to be changed.