Starting with macOS Monterey, Apple has made a change that affects JumpCloud and JumpCloud IT Admins. Apple now restricts the /etc/pam.d/ directory on macOS Monterey and newer devices, and requires that any process that wants to edit the files in this directory have user consent, or consent supplied by their admin through an MDM profile.
The files in the /etc/pam.d/ directory control a part of the macOS authentication system called pluggable authentication modules. JumpCloud’s login window mechanism is an example of a pluggable authentication module. The JumpCloud agent edits the authorization and screensaver settings files to use the JumpCloud authentication module, which allows your user passwords to be synced to the machine.
Preparing for this Change
- If you are using JumpCloud’s MDM with your macOS Devices - JumpCloud now grants SystemPolicyAllFiles to our agent and supporting processes on the device as part of enrollment in the MDM, and you do not need to make any changes. This allows existing devices that are updated to Monterey to continue to check in.
- If you are setting up JumpCloud using Device Enrollment or Automated Device Enrollment with another MDM (such as Jamf Pro's Prestage Enrollment method) and Zero-Touch Onboarding - You'll also need to update the enrollment configuration to have access. For instructions, see the procedure below. For more detail on JumpCloud's MDM Prestage User Enrollment, see Zero-Touch Prestage User Enrollment GitHub.
- If you are using JumpCloud with another MDM, such as Jamf Pro, Kandji, Mosyle, or SimpleMDM - You will need to either manually grant the agent permissions, or download the preconfigured profile for use with your MDM to grant the appropriate permissions to our software. See To grant permissions for a non-JumpCloud MDM.
- If none of your macOS devices are enrolled in MDM - Starting with macOS Monterey, you will need to give the JumpCloud agent Full Disk Access permission to enable our agent to communicate with the authentication controls on the system. See To grant permissions for a device that is not enrolled in MDM.
Granting Permissions for a Non-JumpCloud MDM
To grant permissions for a non-JumpCloud MDM:
A custom profile is required for Steps 1-2 and is attached to this article.
- Download the profile file from this article. It's located on the right side of this page under In this Article.
- Follow the instructions for your MDM to install this custom profile.
- Alternatively, if you’d rather use a Privacy Preferences Policy Control policy directly inside your MDM, you can grant the required privileges for the jumpcloud-agent:
  - Set the path for the policy to /opt/jc/bin/jumpcloud-agent.
  - Set the privilege to SystemPolicySysAdminFiles or SystemPolicyAllFiles.
  - Change the code requirements to:
    identifier "jumpcloud-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85
- You’ll need to grant the required privileges for the jumpcloud-agent updater:
  - Set the path for the policy to /opt/jc/bin/jumpcloud-agent-updater.
  - Set the privilege to SystemPolicySysAdminFiles or SystemPolicyAllFiles.
  - Change the code requirements to:
    identifier "jumpcloud-agent-updater-darwin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85
- You’ll also need to grant the required privileges for jcosqueryi:
  - Set the path for the policy to /opt/jc/bin/jcosqueryi.
  - Set the privilege to either SystemPolicySysAdminFiles or SystemPolicyAllFiles.
  - Change the code requirements to:
    identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM
Granting Permissions for a Device Not Enrolled in MDM
Beginning with macOS Monterey, the JumpCloud agent on a device that is not enrolled in MDM requires permissions to touch two additional files. This is a security measure Apple has taken to prevent unauthorized parties, such as malware, from tampering with the authentication system.
To grant permissions for a device that is not enrolled in MDM (macOS Sonoma):
- Click the Apple menu at the top of the screen.
- Select System Settings... > Privacy & Security.
- Click Full Disk Access.
- Find jumpcloud-agent-updater and move the toggle to the enabled position. You may be required to enter a password to make this change.
To grant permissions for a device that is not enrolled in MDM (macOS Ventura or earlier):
- Click the Apple menu at the top of the screen.
- Select System Settings > Privacy & Security.
- Click the lock, enter your password for the device, and click Unlock.
- Select Full Disk Access.
- Select jumpcloud-agent.
- Click the lock.
Upgrading from macOS Mojave 10.14 or Earlier
To upgrade from macOS Mojave 10.14 or earlier:
- Ensure that the devices have the JumpCloud Agent Permissions profile installed on the machine before the upgrade or immediately after.
- Manually install a current version of the agent and provide Full Disk Access to the agent via System Preferences.