Managing users with High Sierra, FileVault, and APFS

In order for JumpCloud to manage users on systems where all of the following are true:
  • macOS 10.13 and above
  • FileVault enabled users
  • APFS
it is necessary to provide, during the JumpCloud agent installation, the credentials of a natively created Admin account with Secure token ENABLED. A Secure token is granted to the first user created by the Setup Assistant to log in to the system. To check the Secure token status of this user, run the following in Terminal:
# sysadminctl interactive -secureTokenStatus SECURETOKEN_ADMIN_USERNAME
# Secure token is ENABLED for user SECURETOKEN USER
Note that this command can also be run through the JumpCloud agent, and it is available for import using the JumpCloud PowerShell module.

Once the user has been verified to have Secure token enabled, the agent can be installed using either the manual install method or the CLI method. The manual method follows the same steps as the installer without this option, and additionally asks for the credentials of the Secure token admin user verified above. This process creates the user '_jumpcloudserviceaccount', which the agent uses to manage FileVault access for any JumpCloud managed users on the system.

Existing systems that are upgraded to version 0.9.684 or above can enable this new functionality by reinstalling the agent over the top of the existing install using either of the methods described for a new installation. When reinstalling, the GUI will not prompt for the connect key.

This upgrade can be completed using a JumpCloud command. An example command is available for import using the JumpCloud PowerShell module to complete this agent reinstall.

Post installation, the presence of the service account can be verified by running verify_serviceaccount.sh.
This script is also available for import from the JumpCloud Commands Gallery.

Expected behavior:
  • The service account will appear in the list of users on the FileVault decryption screen on boot.
  • The service account will NOT appear on the main login window or in the list of users in System Preferences > Users & Groups.
  • New users bound to this type of system will need to log in once to be added to FileVault and allowed to decrypt the system.
  • Existing users that JumpCloud has taken over and that do not have Secure token enabled will need to log out and log in to be added to FileVault and allowed to decrypt the system.
  • Password reset behavior for JumpCloud managed users is the same as on other versions of macOS with FileVault enabled.
  • When the JumpCloud agent is uninstalled, the JumpCloud service account will be removed.
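The Secure token pre-check and the post-install verification above, scripted as an added example (not JumpCloud's own verify_serviceaccount.sh). The function names and the sample command outputs are constructed for this example; sysadminctl, dscl and fdesetup are the standard macOS tools, and the live checks only run where they exist.

```bash
#!/bin/bash
# Constructed sample outputs (not captured from a real system) used for offline testing.
SAMPLE_SYSADMINCTL_OUT="2018-09-13 11:25:00.000 sysadminctl[4242:90210] Secure token is ENABLED for user jcadmin"
SAMPLE_FDESETUP_LIST="jcadmin,12345678-1234-1234-1234-123456789ABC
_jumpcloudserviceaccount,ABCDEF00-0000-0000-0000-000000000000"

# Classify the output of `sysadminctl -secureTokenStatus USER`.
# sysadminctl writes its result to stderr, so callers must capture with 2>&1.
# Prints ENABLED, DISABLED or UNKNOWN (anything unexpected must not pass as enabled).
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  echo ENABLED ;;
    *"Secure token is DISABLED for user"*) echo DISABLED ;;
    *)                                      echo UNKNOWN ;;
  esac
}

# Return 0 if USER appears in `fdesetup list` output (one "user,GUID" per line),
# i.e. the account is able to unlock the volume at the FileVault pre-boot screen.
fv_user_enabled() {
  local list="$1" user="$2" line
  while IFS= read -r line; do
    [ "${line%%,*}" = "$user" ] && return 0
  done <<< "$list"
  return 1
}

# Pre-install gate: refuse to continue unless the admin holds a Secure token.
preflight_secure_token_admin() {
  local admin="$1" out state
  out="$(sysadminctl -secureTokenStatus "$admin" 2>&1)"
  state="$(secure_token_state "$out")"
  if [ "$state" != ENABLED ]; then
    echo "Secure token is $state for '$admin'; supply a native admin with Secure token ENABLED" >&2
    return 1
  fi
}

# Post-install check: the service account exists and is FileVault-enabled.
verify_service_account() {
  local svc="_jumpcloudserviceaccount"
  dscl . -read "/Users/$svc" RecordName >/dev/null 2>&1 || { echo "$svc missing" >&2; return 1; }
  fv_user_enabled "$(fdesetup list 2>/dev/null)" "$svc" || { echo "$svc not in fdesetup list" >&2; return 1; }
}

# Live checks run only on macOS, e.g.: ./check.sh jcadmin
if command -v sysadminctl >/dev/null 2>&1; then
  preflight_secure_token_admin "${1:-}" && verify_service_account
fi
```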


Last Updated: Sep 13, 2018 11:25AM MDT
