This article describes the recommended method of installing the JumpCloud Agent on macOS devices using Jamf Pro. This method of unattended installation uses an install script provided on JumpCloud's GitHub. When properly configured, the script installs the JumpCloud Agent and the JumpCloud Service Account that is required to handle password synchronization.
Prerequisites:
- The Privacy Preferences Policy Control (PPPC) profile must be present on each device on which you intend to deploy the JumpCloud Agent. This will give the agent the permissions required to handle PAM authentication responsibilities. See instructions for installing the PPPC profile in Granting Permissions for a Non-JumpCloud MDM.
- You will need the username and password of an Admin account that has a secure token. Use the dscl utility in Terminal to verify the secure token status of an account:
- To find the usernames of user accounts on the device: dscl . -list /Users | grep -v "^_"
- To check the secure token status of a user, replacing USERNAME with a target username: dscl . -read /Users/USERNAME AuthenticationAuthority | grep "SecureToken"
Important: The local Admin account must be logged into at least once on each device in order to receive a valid secure token (unless the account was created during initial setup of the device).
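The two dscl checks above can be combined into a pre-flight script that is run on a Mac before the install policy is applied. This is an added example, not part of JumpCloud's install script; the function names are illustrative, and the admin account to check is passed as the first argument.

```shell
#!/bin/sh
# Added example: secure token pre-flight check built on the two dscl commands.

# Succeeds if the account's AuthenticationAuthority record mentions SecureToken.
has_secure_token() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null \
        | grep -q "SecureToken"
}

# Lists local usernames, skipping system accounts whose names start with "_".
list_local_users() {
    dscl . -list /Users | grep -v "^_"
}

# Prints one "username: status" line per local account.
token_report() {
    list_local_users | while read -r user; do
        if has_secure_token "$user"; then
            echo "$user: secure token present"
        else
            echo "$user: no secure token"
        fi
    done
}

# Checks the account intended for SECURETOKEN_ADMIN_USERNAME.
# Returns 0 if usable, 1 if it has no secure token, 2 if it does not exist.
check_install_account() {
    if ! list_local_users | grep -qxF -- "$1"; then
        echo "$1: account not found on this device" >&2
        return 2
    fi
    if ! has_secure_token "$1"; then
        echo "$1: no secure token; log in to the account once, then re-check" >&2
        return 1
    fi
    echo "$1: ready for unattended install"
}

# Run only where dscl is available (macOS).
if command -v dscl >/dev/null 2>&1; then
    token_report
    if [ -n "${1:-}" ]; then
        check_install_account "$1"
    fi
fi
```

A non-zero exit from `check_install_account` means the device is not yet ready for the unattended install with that account.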
Installing the Agent and Service Account Using the Install Script
Follow these steps to install the JumpCloud Agent and Service Account:
- Copy the install script.
- Paste the script into a text editor and update the undefined parameters.
- Upload the install script into Jamf's administrator console.
- Create and apply a policy to install the agent using the script.
Copying the Install Script
- Copy the install script: https://github.com/TheJumpCloud/support/blob/master/scripts/macos/install_agent_and_serviceaccount.sh.
- Paste the contents into a text editor, and make the changes noted in the next step.
Updating the Script
In a text editor, make the following changes to the script:
- At the top of the script, note there are three undefined parameters:
- CONNECT_KEY,
- SECURETOKEN_ADMIN_USERNAME, and
- SECURETOKEN_ADMIN_PASSWORD.
- Replace the CONNECT_KEY value in the script with the JumpCloud Connect Key.
- To find the Connect Key, log in to the JumpCloud Admin Portal and go to DEVICE MANAGEMENT > Devices.
- Click ( + ) to add a device.
- Scroll to Connect Key and click copy.
- Paste the Connect Key into the CONNECT_KEY value field in the script.
- Replace the SECURETOKEN_ADMIN_USERNAME and SECURETOKEN_ADMIN_PASSWORD values with the username and password of a pre-existing local Admin account that has a secure token.
Important: The username and password of this local Admin account must be the same on all your Macs in order for the installation script to function at scale.
- After the three required parameters have been filled, set the SILENT_INSTALL parameter to 0 and the UNATTENDED_INSTALL parameter to 1. This allows the script to run without displaying interactive prompts and to use the parameters defined above to create the JumpCloud Service Account.
Important: The local Admin account must be logged into at least once on each device in order to receive a valid secure token (unless the account was created during initial setup of the device).
Uploading the Script
After the necessary changes have been made to the script in the previous step, upload it to Jamf Pro and create a policy:
- In Jamf Pro, upload the configured install script.
- See Jamf's documentation for instructions on uploading an install script.
- In Jamf Pro, create a policy with which to associate the script.
- See Jamf's documentation for instructions on creating a policy.
- Name the policy something similar to "Unattended JumpCloud Agent Installation."
- In Jamf Pro, apply the policy to a test Mac. Allow some time for the Mac to receive and execute the policy.
- Verify the JumpCloud Agent installed successfully on the Mac. The Mac appears in the JumpCloud Admin Portal, and you can proceed to bind a JumpCloud user to the Mac. See Bind Users to Devices.