After you use JumpCloud to encrypt a system, enforce Multi-factor Authentication (MFA), require strong passwords, and scan continuously for malware threats, you want employees to manage their identities and passwords in this well-fortified environment.
There are four passwords on your macOS device that must be kept in sync:
- JumpCloud user password - Used to log in to your JumpCloud User Portal.
- FileVault (if enabled) - Used to unlock FileVault when your device is started up. In most scenarios, the FileVault password and the device password are the same, but they should be understood as distinctly different.
- Device password - Used to log in to your device after FileVault is unlocked.
- macOS Keychain - Used to access passwords, logins, secure notes, etc. that you have saved on your Mac.
You can change your user password in four places:
- JumpCloud Menu Bar App (recommended)
- User Portal
- Upstream Integration (e.g., Okta) that syncs the changed password to JumpCloud and to your device
- System Settings (least recommended)
Prerequisites:
- To ensure password sync notifications show up in the JumpCloud tray app, add JumpCloud to the list of apps allowed to send notifications during focus mode on your Mac:
  - Open System Settings and click Focus.
  - Click Do Not Disturb.
  - Under Allowed Notifications, click Allowed Apps.
  - Click + Add and add JumpCloud.
  - Click Done.
- If your org is using a third-party MDM provider, your admin must send and you must approve a configuration profile to ensure installation of JumpCloud's Endpoint Security extension. See End User Prompt: Approve Your MDM Profile.
  - See the Attached Files section on the right side of this article for a copy of the configuration profile.
Considerations:
- The JumpCloud passwords you create must adhere to the complexity settings your organization requires for user account passwords. You'll get an error if you attempt to create a non-compliant password. See Manage Password and Security Settings to learn more about complexity requirements.
- Your password also has to adhere to the password complexity settings of the applications you log in to using JumpCloud. If you need help determining the password complexity settings of the applications you use, ask your IT Admin.
- If your account gives you access to SSO applications, it may take several minutes for your password to update for your SSO applications after you change it in JumpCloud.
When you change your password, any active sessions (User Portal, SSO applications, etc.) will be terminated and you will be prompted to log in again.
Changing Your Password With the JumpCloud Menu Bar App
On macOS devices, the JumpCloud menu bar app delivers a convenient method for you to change or sync your JumpCloud IdentityOS® password.
The menu bar icon can be hidden by your Admin, and you should contact your Admin if you're unable to locate the menu bar app on your device. Additionally, if your account is managed by Active Directory or Okta, you won't be able to use the app to reset your password.
To change your JumpCloud password in the JumpCloud menu bar app:
- Click the JumpCloud logo in the menu bar to open the JumpCloud menu bar app.
- Hover over the Your device password is up-to-date message, then click Reset Password.
- In the JumpCloud Password field, enter your current JumpCloud user password.
- In the New Password field, enter your new JumpCloud user password.
- In the Confirm Password field, enter your new JumpCloud user password again.
- If your organization requires an Authentication Method, enter your TOTP from your authentication app or accept the login push request on your mobile device.
- Click Save.
After the JumpCloud menu bar app saves your passwords, JumpCloud updates the FileVault and Keychain passwords accordingly.
Changing Your Password in the User Portal
To change your JumpCloud password in the User Portal:
- Log in to the JumpCloud User Portal.
- Go to Security.
- Under Password, click Reset Password.
- To update your password, enter your current password, your new password, and your new password again. Password complexity requirements are determined by your IT Admin. If you forget your password, you can also request a password reset by clicking Reset User Password on the User Portal login screen.
- Click Update Password.
- Sync your password from the notification in the menu bar app. Jump to Syncing Your JumpCloud Password with Your Device Password below.
If you log in with Touch ID, you may have to enter your password to access the User Portal. This occurs because the Mac App can only authenticate the user against the portal when the user is required to enter a password.
Local Password Reset
- From your device login screen, an incorrect login attempt will trigger the Forgot password? option.
- Click on Forgot password?.
- A JumpCloud user login window appears. Enter your Email, then click Continue.
- JumpCloud will redirect you to your Identity Provider login page.
- Enter your email address, and your password, then click Next.
- The Reset Your Password screen will appear. Enter your password, confirm it again, then click Continue.
If you reset your password, a new, empty keychain will be issued, and the old one will be inaccessible. You can access your keychain in the future by providing your previous Keychain password.
Syncing Your JumpCloud Password with Your Device Password
Syncing Your JumpCloud Password When Logged In
If your password has changed outside of the JumpCloud menu bar app (such as by an Admin reset, within the User Portal, or changing it in an upstream system that syncs passwords with JumpCloud), you have to sync your password in the JumpCloud menu bar app.
To sync your JumpCloud password with your device password:
- Once your password has been changed, the JumpCloud menu bar app will recognize that your password has changed and push a notification to your device asking you to confirm the new password, sync it to the device and macOS Keychain, and store it in FileVault.
- Click on the JumpCloud tray app icon and click Confirm Now to confirm your password.
- On the Confirm Your JumpCloud Password screen, enter the new password in the Current JumpCloud Password field and click Next.
- On the Almost done! Sync your keychain. screen, enter your previous JumpCloud password in the Previous JumpCloud Password field.
If you enter the previous password incorrectly or continue without entering the previous password, we will attempt to recover the password for you to keep your keychain access. If we are unable to recover this password, a new keychain will be created and any passwords saved to the old keychain will be lost.
- Click Next. A success message appears telling you that your password is up-to-date.
Syncing Your JumpCloud Password When Your Device is Offline
If your password is changed or reset when you are logged out of your device, the new password won’t yet match the one you use to log in to your device or any passwords stored in FileVault.
To sync your new JumpCloud user password with your device password:
- If FileVault is enabled, enter your FileVault password. This is the previous password used to log in to your device.
- On the next screen, you're prompted to enter your previous JumpCloud password in the Previous Password field and the new password in the Current Password field.
If you enter the previous password incorrectly or continue without entering the previous password, we will attempt to recover the password for you to keep your keychain access. If we are unable to recover this password, a new keychain will be created and any passwords saved to the old keychain will be lost.
- Click on the JumpCloud tray app icon and click Confirm Now to confirm your password.
- On the Confirm Your JumpCloud Password screen, enter the new password in the Current JumpCloud Password field and click Next.
- On the Almost done! Sync your keychain. screen, enter your previous JumpCloud password in the Previous JumpCloud Password field.
- Click Next. A success message appears telling you that your password is up-to-date.
Syncing Your Password in Active Directory or from a Temporary Password
If your password is changed by your IT Admin or you change it in Active Directory, the new password won’t match the one you use to log in to your device or any passwords stored in FileVault. You can use these steps to sync your new password with the ones used on your company’s device.
Considerations:
- If an Admin sets a temporary password, you must first sync that temporary password with your device, FileVault, and Keychain. After these are all in sync, then you can change your temporary password.
- In rare cases, you might see a confirmation that the new password is confirmed when it wasn’t. In this case, the JumpCloud menu bar app will prompt you to sync your password again. After you enter your current password again, you will see a confirmation, the password changes will be synced, and the notification will disappear.
- You will be prompted to enter your previous password. You can leave this blank, but you might see one of the following responses:
  - If Keychain isn’t in sync with the new password, Apple creates a new empty Keychain for you the next time you log in. You’re still able to sync your new JumpCloud password with your device and FileVault.
  - If the JumpCloud Service Account isn’t present on your device, an error will appear. Contact your IT Admin.
To sync your new JumpCloud password with your device:
- In the top right corner of the menu bar, click the JumpCloud tray app icon.
- In the Current JumpCloud Password field, enter the password set by your IT Admin or the one you changed in Active Directory.
- Click Next.
- When prompted for your Previous JumpCloud Password, enter your old password or leave it blank if you don’t remember it.
- Click Next.
- You’ll receive a confirmation that your password change was successful. Your Mac password is in sync with JumpCloud, Keychain and FileVault.
Syncing Your JumpCloud Password with your Device when the JumpCloud Menu Bar App is Hidden
If the JumpCloud menu bar app is hidden, your admin has either configured an integration such as Okta, or you have Password Sync disabled for your device.
If your admin has configured an upstream integration such as Okta that syncs passwords to JumpCloud, you will be able to change your password in Okta, and then have that password synced with JumpCloud. When you change your password in Okta, JumpCloud will recognize the change and push a notification to your device asking you to confirm the new password, sync it to the device and macOS Keychain, and store it in FileVault.
To sync your JumpCloud password with your device after changing it in an upstream integration, such as Okta:
- Change your password in the upstream integration.
- Next, restart your device so that you’re prompted to log in to the device again.
  - A user log out or a long period of inactivity (like after a weekend) will prompt you to log in again as well.
- If FileVault is enabled, enter your FileVault password. This is the previous password used to log in to your device.
- On the next screen, you’ll be prompted to enter your previous password and your new password that you just changed in your IdP.
If you enter the previous password incorrectly or continue without entering the previous password, we will attempt to recover the password for you to keep your keychain access. If we are unable to recover this password, a new keychain will be created and any passwords saved to the old keychain will be lost.
- Click the arrow to log in.
- You are logged in to your device and your password is synced.
To change your password when Password Sync is disabled for your device:
- See Changing Your Device Password in the System Settings below.
- After changing your password in System Settings, there is no further action needed.
Changing Your Device Password in the System Settings
If a user changes a device password in System Settings (formerly System Preferences), their JumpCloud password will be out of sync with the device, and they will be prompted to reconcile the two passwords. This process will sync their JumpCloud password back to the device, rather than updating the JumpCloud password. They will then be able to use their JumpCloud password to log in to their device and access their JumpCloud-managed resources.
To change your device password in System Settings:
- Reference Apple’s support documentation Changing the login password on Mac.
To sync the JumpCloud password back to the device:
- Once your password is changed in the System Settings, you will receive a notification from the JumpCloud tray app prompting you to Confirm Your Password.
- Click Confirm Now.
- On the Confirm Your JumpCloud Password screen, enter the new password in the Current JumpCloud Password field.
- On the Almost done! Sync your keychain. screen, enter your previous JumpCloud password in the Previous JumpCloud Password field.
If you enter the previous password incorrectly or continue without entering the previous password, we will attempt to recover the password for you to keep your keychain access. If we are unable to recover this password, a new keychain will be created and any passwords saved to the old keychain will be lost.
- Click Next. A success message appears telling you that your password is up-to-date.
Correcting Unsynchronized JumpCloud and FileVault Passwords
If FileVault unlocks with an old password but macOS login then requires the current JumpCloud password, use these steps to resolve the discrepancy.
You must know both your previous password and the current password to use this procedure.
- Boot the device into Recovery Mode:
  - For Intel devices, press and hold Command-R to boot the device into Recovery Mode.
  - For Apple Silicon devices, follow the steps in Start up your computer in macOS Recovery.
- In Recovery Mode’s macOS Utilities screen, click the Utilities menu in the Mac menu bar, and select Terminal.
- In Terminal, enter this command at the # prompt and then press Return: resetpassword
Verify that you've typed resetpassword as one word.
- The Reset Password utility launches and examines local volumes, and then displays three options. Choose My password doesn't work when logging in and click Next.
- Choose your JumpCloud user and click Next.
- Enter the current FileVault password to unlock the volume.
- Enter the current JumpCloud password in both the New password and Verify password fields and click Next.
- macOS then prompts for a normal reboot. After the reboot, the FileVault and macOS device passwords are synchronized.