Managing users with High Sierra and above, FileVault, and APFS

For JumpCloud to manage users on systems that meet all of the following conditions:
  • macOS 10.13.5 and above
  • FileVault enabled users
  • APFS
you must provide, during the JumpCloud agent installation, the credentials of a natively created Admin account with Secure token ENABLED. A Secure token is granted to the first user to log in to the system, which is the account created by Setup Assistant. To check the Secure token status of this user, in Terminal, run:
# sysadminctl interactive -secureTokenStatus SECURETOKEN_ADMIN_USERNAME
Expected output: Secure token is ENABLED for user SECURETOKEN_ADMIN_USERNAME
Note that this command can be run using the JumpCloud agent, and it is available for import using the JumpCloud PowerShell module.
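The following script is an added example, not JumpCloud's own code: it wraps the sysadminctl check above so an install script can refuse to proceed unless the chosen admin account actually holds a Secure token. It assumes sysadminctl writes its status line to stderr (which it does), and the sample output lines and account names ladmin/jdoe are constructed for off-box testing of the parser.

```sh
#!/bin/sh
# Added example, not JumpCloud's code: confirm that the admin account you will
# hand to the JumpCloud agent installer actually holds a Secure token.
# sysadminctl reports its result on stderr, so the wrapper captures both streams.

# Classify one line of `sysadminctl -secureTokenStatus USER` output.
# Prints ENABLED, DISABLED or UNKNOWN and returns 0, 1 or 2 respectively.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user "*)  printf 'ENABLED\n';  return 0 ;;
        *"Secure token is DISABLED for user "*) printf 'DISABLED\n'; return 1 ;;
        *)                                      printf 'UNKNOWN\n';  return 2 ;;
    esac
}

# Run the real check for one local account (macOS 10.13+, run as root).
# The exit status mirrors parse_secure_token_status so it can gate an install script.
check_secure_token() {
    user="$1"
    out=$(sysadminctl -secureTokenStatus "$user" 2>&1) || true
    rc=0
    parse_secure_token_status "$out" >/dev/null || rc=$?
    case $rc in
        0) printf '%s: Secure token ENABLED, usable for the agent install\n' "$user" ;;
        1) printf '%s: Secure token DISABLED, choose another admin account\n' "$user" ;;
        *) printf '%s: unrecognised sysadminctl output: %s\n' "$user" "$out" ;;
    esac
    return $rc
}

# Constructed sample output (account names and the third message are made up)
# so the parser can be exercised on a machine without sysadminctl.
SAMPLE_ENABLED='sysadminctl[512]: Secure token is ENABLED for user ladmin'
SAMPLE_DISABLED='sysadminctl[513]: Secure token is DISABLED for user jdoe'
SAMPLE_NOUSER='sysadminctl[514]: User jdoe not found'

# Usage: sh check_secure_token.sh SECURETOKEN_ADMIN_USERNAME
if [ "$#" -gt 0 ]; then
    check_secure_token "$1"
fi
```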

Once you have verified that Secure token is enabled for this user, the agent can be installed using either the manual install method or the CLI method. The manual method contains the same steps as the installer without this option, and additionally asks for the credentials of the Secure token admin user verified above. This process creates the user '_jumpcloudserviceaccount', which the agent uses to manage FileVault access for any JumpCloud managed users on the system.

Existing systems that are upgraded to agent version 0.9.684 or above can enable this new functionality by reinstalling the agent over the top of the existing install, using either of the methods described for a new installation. When reinstalling, the GUI will not prompt for the connect key.

This upgrade can be completed using a JumpCloud command. An example command to complete this agent reinstall is available for import using the JumpCloud PowerShell module.

Post installation, the presence of the service account can be verified by running
This command is also available for import in the JumpCloud Commands Gallery.

Expected behavior:
  • The service account will appear in the list of users on the FileVault decryption screen on boot.
  • The service account will NOT appear on the main login window, nor in the list of users in System Preferences > Users & Groups.
  • New users bound to this type of system will need to log in once to be added to FileVault and allowed to decrypt the system.
  • Existing users that JumpCloud has taken over and that do not have Secure token enabled will need to log out and log in to be added to FileVault and allowed to decrypt the system.
  • Password reset behavior for JumpCloud managed users is the same as on other versions of macOS with FileVault enabled.
  • When the JumpCloud agent is uninstalled, the JumpCloud service account will be removed.


Last Updated: Jul 25, 2019 11:50AM MDT
