Install and Use the Service Account for MacOS
JumpCloud Support article: https://jumpcloud.com/support/install-and-use-the-service-account-for-macos
Published 2023-06-05, last modified 2024-01-30
JumpCloud uses a service account to ensure that JumpCloud-managed users on macOS devices can unlock FileVault encryption. Before JumpCloud can grant FileVault access to managed users, the JumpCloud Service Account must exist, because its job is to grant new users secure tokens. The service account is created during installation of the JumpCloud agent, or automatically at user login.

Apple File System (APFS), introduced in macOS 10.13, changed how Apple manages FileVault encryption keys. To protect the keys required for FileVault decryption while still making them available to authorized users, Apple introduced secure tokens.

A secure token is granted to the first administrator account created in Apple's Setup Assistant, and afterwards to local accounts created through the Users & Groups pane in System Settings. Apple's Deployment Reference for Mac describes additional ways an account can be granted a secure token. Users with a secure token can enable and manage FileVault on a Mac, and accounts they create are also given secure tokens, forming a chain of trust.

Using the JumpCloud Service Account

Expected Behavior

The JumpCloud Service Account is installed as a system account whose sole purpose is managing secure tokens for JumpCloud-managed accounts. It exists only to provide this security service to the user accounts JumpCloud manages and cannot be logged in to: it has no accessible password and no valid home directory.

The JumpCloud Service Account is configured through the JumpCloud Service Account Utility. The utility launches automatically after MDM-driven enrollments and can also be launched manually from the /Applications folder on the user's device. It opens only when it does not detect a service account on the device; if a service account is already present, the utility will not launch.

The service account is also used to rotate the FileVault Recovery Key when using FileVault 2. See Create a Mac FileVault 2 Policy. Additionally, JumpCloud provides Recovery Key escrow through MDM.

Installing the JumpCloud Service Account

The Service Account can be installed automatically by JumpCloud or manually by administrators.

Installing Automatically

JumpCloud automatically installs a service account when an administrator-level user logs in to the Mac. During login, the JumpCloud agent silently checks whether a service account exists. If one does, no action is taken. If not, the agent uses the credentials of the logged-in user to create it. These credentials are captured during the login process and passed directly to the agent; they are not stored anywhere on the device in plain text.

For JumpCloud to be able to automatically install the service account at login, the following is required:

Installing Manually Using the Service Account Utility
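The two facts the page relies on, that the service account exists on the device and that it and the managed user each hold a secure token, can be verified from a shell on the Mac. The script below is an added example and is not JumpCloud's own code or tooling. It assumes the service account's short name (the `_jumpcloudserviceaccount` default and the `SA_NAME` variable are assumptions; override with the name on your device) and the `Secure token is ENABLED|DISABLED for user <name>` wording that `sysadminctl -secureTokenStatus` prints to stderr on macOS 10.13 and later. The `fdesetup list` step needs root.

```shell
#!/bin/sh
# Added example, not JumpCloud code. Verifies, from a shell on the Mac, the
# state the page describes: the service account exists, it holds a secure
# token, and a managed user holds one too (and so can unlock FileVault).
#
# Assumptions not stated on the page:
#   - SA_NAME: the service account's short name. "_jumpcloudserviceaccount"
#     is an assumed default; override it with the name on your device.
#   - `sysadminctl -secureTokenStatus` (macOS 10.13+) writes
#     "Secure token is ENABLED|DISABLED for user <name>" to stderr.

SA_NAME="${SA_NAME:-_jumpcloudserviceaccount}"

# Pure text parser for one sysadminctl status line: prints ENABLED,
# DISABLED or UNKNOWN. Kept separate so it can be exercised off-device.
token_state_from_line() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Secure-token state of a user on this Mac. sysadminctl reports on
# stderr, so merge it into stdout before parsing; never fail the script.
secure_token_status() {
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1) || true
    token_state_from_line "$out"
}

# Exit 0 when the local directory knows the account. This mirrors the
# agent's login-time check ("does a service account exist?") and the
# Service Account Utility's refusal to launch when one is present.
account_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Short names of users enabled to unlock FileVault (needs root; fdesetup
# prints "name,UUID" per line). Empty output when FileVault is off.
filevault_users() {
    fdesetup list 2>/dev/null | cut -d, -f1
}

# One-line verdict per check; exit 0 only when everything is as expected.
check_filevault_readiness() {
    user="$1"; rc=0
    if account_exists "$SA_NAME"; then
        echo "service account $SA_NAME: present"
    else
        echo "service account $SA_NAME: MISSING (agent creates it at next admin login)"
        return 1
    fi
    for name in "$SA_NAME" "$user"; do
        state=$(secure_token_status "$name")
        echo "secure token for $name: $state"
        [ "$state" = ENABLED ] || rc=1
    done
    if filevault_users | grep -qx "$user"; then
        echo "FileVault unlock for $user: enabled"
    else
        echo "FileVault unlock for $user: not enabled (or fdesetup not run as root)"
        rc=1
    fi
    return $rc
}

# Usage: sudo sh check_secure_tokens.sh <managed-user>
if [ "$#" -ge 1 ]; then
    check_filevault_readiness "$1"
fi
```

A non-zero exit with "MISSING" is the case the automatic install covers: the agent will create the account at the next administrator login. A DISABLED token on the service account itself means it cannot pass tokens on, so new managed users will not be able to unlock FileVault until that is repaired.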