{"id":75404,"date":"2023-06-05T13:09:31","date_gmt":"2023-06-05T17:09:31","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=75404"},"modified":"2024-01-30T15:56:57","modified_gmt":"2024-01-30T20:56:57","slug":"install-and-use-the-service-account-for-macos","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/install-and-use-the-service-account-for-macos","title":{"rendered":"Install and Use the Service Account for MacOS"},"content":{"rendered":"\n

JumpCloud leverages a service account to ensure that JumpCloud-managed users on macOS devices can unlock FileVault encryption. Before JumpCloud can provide FileVault access to JumpCloud-managed users, the JumpCloud Service Account must be created to provide its crucial function of granting new users secure tokens. This service account is created during the JumpCloud agent installation process, or may be automatically installed at user login.

Understanding Secure Tokens

Apple File System (APFS) in macOS 10.13 changed the way Apple manages FileVault encryption keys. To secure and provide access to encryption keys, which are required for FileVault decryption, Apple introduced secure tokens.

Secure tokens are granted to the macOS user who creates a local account using Apple’s Setup Assistant for the first administrative user, and then subsequently to users created through Apple’s Users & Groups pane in System Settings. Apple’s Deployment Reference for Mac describes additional methods by which a system account may be granted a secure token. Users with a secure token may enable and manage FileVault on a macOS system, and users created by these users are also given secure tokens via a chain-of-trust methodology.

Using the JumpCloud Service Account

The JumpCloud Service Account is installed as a system account whose sole purpose is the management of secure tokens for JumpCloud-managed accounts. As a service account, its context is to provide security-level services to other user accounts managed by JumpCloud, and it can’t be logged in to by other users: the JumpCloud Service Account doesn’t have an accessible password or a valid home directory.

The JumpCloud Service Account is configured through the JumpCloud Service Account Utility. The JumpCloud Service Account Utility launches automatically after MDM-driven enrollments, and can also be launched manually from the /Applications folder on the user’s device. The app will only successfully open if it doesn’t detect a service account on the device. If the user tries to launch it while a service account is present, the JumpCloud Service Account Utility will not launch.

This service account is also used to rotate the FileVault Recovery Key when using FileVault 2. See Create a Mac FileVault 2 Policy. Additionally, JumpCloud provides Recovery Key escrow through MDM.

Expected Behavior