Symptoms
User logins fail at the login window and at the screen lock, but FileVault (pre-boot) logins proceed as usual.
Cause
This usually occurs when the device's MDM enrollment is removed before the device record has been fully deleted from the Admin Portal. That sequence strips Full Disk Access from the JumpCloud agent, and Full Disk Access is required for the agent to undo the custom pam.d configuration it placed on the system for our service.
If that configuration is still in place after the JumpCloud agent has been removed, every login fails: the pam.d files still require the JumpCloud PAM module as part of the login process, but the module no longer exists on the system.
Resolution
Modify the pam.d configuration files from macOS Recovery.
- Boot device in macOS recovery mode.
- Ensure the Macintosh HD - Data volume is mounted (you can mount it leveraging Disk Utility by selecting the volume and clicking “Mount” - a FileVault password or recovery key will be required if encrypted).
- Go to Utilities > Terminal
- Remove the jcagent configuration lines from the pam.d configuration files - run each line independently:
- sed -i '.bak' '/jcagent/d' /Volumes/Macintosh\ HD/etc/pam.d/authorization
- sed -i '.bak' '/jcagent/d' /Volumes/Macintosh\ HD/etc/pam.d/screensaver
- sed -i '.bak' '/jcagent/d' /Volumes/Macintosh\ HD/etc/pam.d/screensaver_new
- sed -i '.bak' '/jcagent/d' /Volumes/Macintosh\ HD/etc/pam.d/screensaver_ls
- sed -i '.bak' '/jcagent/d' /Volumes/Macintosh\ HD/etc/pam.d/screensaver_new_ls
- Restart the system and log in to verify the fix. Logins should now proceed correctly.
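The following is an added example, not JumpCloud's own script, that performs the same cleanup as the sed commands above in a way that can be checked before and after. It assumes the pam.d directory is passed as the first argument (from macOS Recovery that would be "/Volumes/Macintosh HD/etc/pam.d"), covers the same five files the article lists, keeps a .bak copy of each file it changes, and uses grep -v instead of sed -i so it behaves identically with BSD and GNU tools. The sample pam.d it builds for a dry run is constructed; the module line in it only has to contain the string jcagent and is not the real JumpCloud entry.

```shell
#!/bin/sh
# Added example (not JumpCloud's code): list and remove jcagent lines from
# the PAM files named in the article, keeping a .bak of anything rewritten.

# The five PAM files the article tells you to edit.
PAM_FILES="authorization screensaver screensaver_new screensaver_ls screensaver_new_ls"

# Print the names of PAM files under $1 that still reference jcagent.
# Exit status 0 if at least one was found, 1 if the directory is clean.
find_jcagent_refs() {
    pamdir=$1
    refs_found=1
    for f in $PAM_FILES; do
        path="$pamdir/$f"
        [ -f "$path" ] || continue
        if grep -q 'jcagent' "$path"; then
            echo "$f"
            refs_found=0
        fi
    done
    return $refs_found
}

# Remove every line mentioning jcagent from the listed files under $1.
# Each changed file is first copied to <file>.bak; untouched files get no backup.
# Prints the number of files that were rewritten. Safe to run more than once.
strip_jcagent_lines() {
    pamdir=$1
    changed=0
    for f in $PAM_FILES; do
        path="$pamdir/$f"
        [ -f "$path" ] || continue
        grep -q 'jcagent' "$path" || continue
        cp -p "$path" "$path.bak"
        # grep -v exits 1 when no lines remain; "|| true" keeps the loop going.
        grep -v 'jcagent' "$path.bak" > "$path" || true
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Constructed sample input for a dry run: a throwaway pam.d with two files
# carrying a jcagent line and one file that is already clean.
make_sample_pamd() {
    sample=$(mktemp -d)
    # The first line is made up; it only needs to match the /jcagent/ pattern.
    printf '%s\n' 'auth optional pam_jcagent_sample.so' 'auth required pam_opendirectory.so' > "$sample/authorization"
    printf '%s\n' 'auth optional pam_jcagent_sample.so' 'auth required pam_opendirectory.so' > "$sample/screensaver"
    printf '%s\n' 'auth required pam_opendirectory.so' > "$sample/screensaver_new"
    echo "$sample"
}
```

Usage from the Recovery Terminal would be to source the file and run `find_jcagent_refs "/Volumes/Macintosh HD/etc/pam.d"` to see which files are affected, then `strip_jcagent_lines` on the same directory and `find_jcagent_refs` again to confirm nothing is left before restarting. The .bak copies let you restore a file with `cp` if a line was removed that you did not expect.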