Granting Permissions for Monterey Pluggable Authentication Modules (PAM)

Written by Pam Lefkowitz on October 5, 2021


Apple’s new operating system, macOS Monterey, is due for release in October. Along with the usability and feature changes come changes to the underpinnings of macOS. Apple continues to tighten the security of its operating system and, while this is desirable, it also poses some unique challenges for developers and integrators.

The most impactful security change for IT admins in Monterey is a new restriction on the Pluggable Authentication Module (PAM) configuration directory, /etc/pam.d. JumpCloud’s ability to sync your user’s password to the computer at the login window is implemented as a PAM module, and installing it means writing to that directory. Starting with macOS Monterey, /etc/pam.d is protected by the privacy (TCC) framework: a process that modifies files there (such as our login mechanism) must hold the Full Disk Access permission, even when it runs as root. That permission is granted either by an admin user in System Preferences or, for managed Macs, through a Privacy Preferences Policy Control (PPPC) profile delivered by MDM.

This may mean you have to take action to preserve core JumpCloud functionality before your end users update to the new OS. First and foremost, until you have prepared for this, we recommend configuring the Block Monterey Installation policy in JumpCloud so that your users don’t jump the gun.

As an IT professional, you fall into one of three camps: a) you are using JumpCloud MDM to manage your Mac fleet, b) you are using a third-party MDM, or c) you aren’t using any MDM for Mac management. Below are the steps you can follow, for each case, to ensure the login-window password sync keeps working:

JumpCloud MDM

If you are using JumpCloud as your MDM, you are all set. The agent will update ahead of the OS release, and that update includes deploying the profile that grants the required Full Disk Access permission. You won’t have to do a thing. For new installs, we deploy an MDM profile granting access to /etc/pam.d at the time of enrollment.

Third Party MDM

If, however, you are integrating JumpCloud with a separate MDM provider, you will need to handle this yourself. In this case the PAM module we use for login-window authentication requires a new permission (Full Disk Access for the JumpCloud agent), which you can grant in one of two ways:

  1. Manually, on each Mac, by adding the agent in System Preferences > Security & Privacy > Privacy > Full Disk Access (this requires an admin user at the keyboard and does not scale to a fleet); or,
  2. Downloading our preconfigured PPPC profile and importing it into and distributing it from your MDM. Note that macOS only honors privacy (TCC) profiles that arrive through a user-approved MDM enrollment; the same profile installed by hand or by script is ignored.

No MDM

If you are not yet managing your Macs through Apple MDM at all, this is a good opportunity to make a change. Timing may be tight, but setting up JumpCloud MDM for this task is straightforward. Sign up for a JumpCloud Free account and test it yourself. The first 10 users and systems are free, and you’ll also get 10 days of 24×7 premium in-app chat support.
