- macOS 10.13.5 and above
- FileVault enabled users
    # sysadminctl interactive -secureTokenStatus SECURETOKEN_ADMIN_USERNAME
    # Secure token is ENABLED for user SECURETOKEN USER

Note: this command can be run using the JumpCloud agent and this command is available for import using the JumpCloud PowerShell module.
Once Secure token has been verified as enabled for the user, the agent can be installed using either the manual install method or the CLI method. The manual method contains the same steps as the installer without this option, and also asks for the credentials of the Secure token admin user verified above. This process creates the user '_jumpcloudserviceaccount', which the agent uses to manage FileVault access for any JumpCloud managed users on the system.
Existing systems that are upgraded to version 0.9.684 or above can enable this new functionality by reinstalling the agent over the top of the existing install using either of the methods described for a new installation. When reinstalling, the GUI will not prompt for the connect key.
This upgrade can be completed using a JumpCloud command. An example command is available for import using the JumpCloud PowerShell module to complete this agent reinstall.
Post installation, the presence of the service account can be verified by running verify_serviceaccount.sh.
This command is also available for import in the JumpCloud Commands Gallery.
- The service account will appear in the list of users on the FileVault decryption screen on boot.
- The service account will NOT appear on the main login window or show in the list of users in System Preferences > Users & Groups.
- New users bound to this type of system will need to log in once to be added to FileVault and allowed to decrypt the system.
- Existing users that JumpCloud has taken over and do not have Secure token enabled will need to log out and log in to be added to FileVault and allowed to decrypt the system.
- Password reset behavior for JumpCloud managed users is the same as other versions of macOS with FileVault enabled.
- When the JumpCloud agent is uninstalled, the JumpCloud service account will be removed.
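The two checks described above (Secure token enabled for the admin user before install, service account present among the FileVault users after install) can be combined in one script. This is an added example, not JumpCloud's verify_serviceaccount.sh; using `fdesetup list` for the second check and the file name `check.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example; this is not JumpCloud's verify_serviceaccount.sh.
SERVICE_ACCOUNT="_jumpcloudserviceaccount"   # account name given in the article

# Succeeds if the sysadminctl status text on stdin reports the token as ENABLED.
token_enabled() {
    grep -q "Secure token is ENABLED for user"
}

# Succeeds if `fdesetup list` text on stdin ("name,UUID" per line) contains user $1.
in_filevault_list() {
    cut -d, -f1 | grep -qxF -- "$1"
}

# $1 = token status text, $2 = fdesetup list text.
# Prints one PASS/FAIL line per check; returns 0 only if both checks pass.
report() {
    rc=0
    if printf '%s\n' "$1" | token_enabled; then
        echo "PASS admin user has Secure Token enabled"
    else
        echo "FAIL admin user does not have Secure Token enabled"; rc=1
    fi
    if printf '%s\n' "$2" | in_filevault_list "$SERVICE_ACCOUNT"; then
        echo "PASS $SERVICE_ACCOUNT is a FileVault-enabled user"
    else
        echo "FAIL $SERVICE_ACCOUNT is not in the FileVault user list"; rc=1
    fi
    return "$rc"
}

# Live run (macOS, as root): ./check.sh SECURETOKEN_ADMIN_USERNAME
# (check.sh is a hypothetical file name for this example.)
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    # Command form as given in the article; capture both output streams.
    status=$(sysadminctl interactive -secureTokenStatus "$1" 2>&1)
    fvlist=$(fdesetup list 2>/dev/null)
    report "$status" "$fvlist"
fi
```

A FAIL on the first check before installation means the installer should not be given that account's credentials; a FAIL on the second after installation means the service account was not created or not added to FileVault.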