{"id":75247,"date":"2023-06-05T13:09:26","date_gmt":"2023-06-05T17:09:26","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=75247"},"modified":"2024-01-30T15:56:16","modified_gmt":"2024-01-30T20:56:16","slug":"use-best-practices-for-macos-accounts","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/use-best-practices-for-macos-accounts","title":{"rendered":"Best Practices for MacOS Accounts"},"content":{"rendered":"\n

There are different types of accounts and services that are part of the authentication and authorization process on a Mac. Each of these accounts and services originates from the way that macOS handles local user account management. Use these best practices for account management on macOS with JumpCloud. Learn how to create an account for macOS, take over existing accounts, and more. <\/p>\n\n\n\n

Terminology, Definitions, and Services<\/h2>\n\n\n\n
\n
\n \n\n \n \n \n \n \n
\n Term <\/th>\n \n Definition & Service <\/th>\n <\/tr>\n
\n Login Password (or User Password) <\/td>\n \n
\n
    \n
  1. This is the primary credential that is linked with your keychain and FileVault (if enabled).<\/li>\n
  2. This password is used to log in to your local user account in macOS. <\/li>\n<\/ol>\n<\/div> <\/td>\n <\/tr>\n
\n Bootstrap Token <\/td>\n \n
\n
    \n
  1. \n

    Bootstrap Tokens grant a secure token to mobile or MDM admin accounts.<\/p>\n<\/li>\n

  2. \n

    These won't be created automatically if the first user created is a standard user during MDM enrollment, or if local account creation is skipped entirely.<\/p>\n<\/li>\n

  3. \n

    Only available after MDM enrollment (JumpCloud MDM currently doesn't use this feature).<\/p>\n<\/li>\n<\/ol>\n<\/div> <\/td>\n <\/tr>\n

\n Keychain <\/td>\n \n
\n
    \n
  1. Keychains are linked to the user when the user is created.<\/li>\n
  2. Shares password with user account.<\/li>\n
  3. Keychain password is only available to the user, and not the administrator.<\/li>\n
  4. If the keychain password is lost, the user loses access to that keychain, and a new keychain is created.<\/li>\n
  5. Keychain passwords can become out of sync two different ways:\n
      \n
    • User login password change outside the Mac. For example, an Active Directory (AD) password change done in AD outside of macOS.<\/li>\n
    • User login password reset executed by an administrator on device. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/div> <\/td>\n <\/tr>\n
\n FileVault (FV) <\/td>\n \n
\n
    \n
  1. FileVault is the service that encrypts disks in macOS using an encryption key.<\/li>\n
  2. Shares password with the administrator account that enabled it.<\/li>\n
  3. This key can become out of sync if the following occurs:
    \n