Starting with macOS Monterey, Apple has made a change that affects JumpCloud and JumpCloud IT Admins. Apple now protects the /etc/pam.d/ directory on macOS Monterey and newer, and requires that any process that edits the files in this directory have either the user's consent or consent supplied by their admin through an MDM profile.
The files in the /etc/pam.d/ directory control the part of the macOS authentication system called pluggable authentication modules (PAM). JumpCloud's login window mechanism is an example of a pluggable authentication module. The JumpCloud agent edits the authorization and screensaver PAM configuration files in that directory so that they use the JumpCloud authentication module, which is what allows your users' passwords to be synced to the machine. Without the access described below, the agent cannot make those edits on Monterey.
Preparing for this Change
- If you are using JumpCloud's MDM with your macOS devices - JumpCloud now grants SystemPolicyAllFiles (Full Disk Access) to our agent and supporting processes on the device as part of enrollment in the MDM, and you do not need to make any changes. This allows existing devices that are updated to Monterey to continue to check in.
- If you are setting up JumpCloud using Device Enrollment or Automated Device Enrollment with another MDM (such as Jamf Pro's PreStage Enrollment method) and Zero-Touch Onboarding - you'll also need to update the enrollment configuration to grant this access. For instructions, see the procedure below. For more detail on JumpCloud's MDM Prestage User Enrollment, see .
- If you are using JumpCloud with another MDM, such as Jamf Pro, Kandji, Mosyle, or SimpleMDM - you will need to either manually grant the agent permissions, or download the preconfigured profile for use with your MDM to grant the appropriate permissions to our software. See To grant permissions for a non-JumpCloud MDM.
- If none of your macOS devices are enrolled in MDM - starting with macOS Monterey, you will need to give the JumpCloud agent Full Disk Access (System Preferences > Security & Privacy > Privacy > Full Disk Access) so that the agent can communicate with the authentication controls on the system. Full Disk Access is the only one of the two privileges discussed in this article that a user can grant from the UI; the narrower SystemPolicySysAdminFiles grant is available only through an MDM profile. See To grant permissions for a device that is not enrolled in MDM.
Granting Permissions for a Non-JumpCloud MDM
To grant permissions for a non-JumpCloud MDM:
A custom profile, attached to this article, is required for steps 1-2.
- Download the profile attached to this article.
- Follow the instructions for your MDM to install this custom profile.
- Alternatively, if you'd rather configure a Privacy Preferences Policy Control (PPPC) policy directly inside your MDM, grant the required privilege to the jumpcloud-agent:
- Set the path for the policy to /opt/jc/bin/jumpcloud-agent.
- Set the privilege to SystemPolicySysAdminFiles or SystemPolicyAllFiles. SystemPolicySysAdminFiles is the narrower grant and is what covers /etc/pam.d; SystemPolicyAllFiles is Full Disk Access, so prefer SystemPolicySysAdminFiles where your MDM offers it.
- Set the code requirement to:
identifier "jumpcloud-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85
- Grant the same privilege to the jumpcloud-agent updater:
- Set the path for the policy to /opt/jc/bin/jumpcloud-agent-updater.
- Set the privilege to SystemPolicySysAdminFiles or SystemPolicyAllFiles, matching the choice you made for the agent.
- Set the code requirement to:
identifier "jumpcloud-agent-updater-darwin" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85
The code requirement is what binds each grant to a Developer ID-signed binary with the stated identifier and JumpCloud's Team ID (subject.OU N985MXSH85), so a different executable placed at the same path does not inherit the permission. Enter each requirement exactly as written; a typo in the identifier or Team ID silently produces a grant that never matches.
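As an added example (this is not JumpCloud's profile or code), the following Python script builds the PPPC configuration profile that the steps above describe: one com.apple.TCC.configuration-profile-policy payload with a path-based entry for each binary, each pinned by the code requirement quoted above. The paths, code-signing identifiers and Team ID are the ones given in this article; the payload identifier, organization and display names are placeholder assumptions you should replace with your own. It also includes a small helper that pulls the identifier and Team ID back out of a requirement string so you can compare it with what codesign reports for the installed binary.

```python
"""Build a PPPC (TCC) configuration profile granting the JumpCloud agent and
its updater SystemPolicySysAdminFiles (or SystemPolicyAllFiles) on macOS.

Added example, not JumpCloud's own profile. Paths, identifiers and Team ID
come from the article; payload identifier/org/display names are placeholders.
"""
import plistlib
import re
import uuid

TEAM_ID = "N985MXSH85"  # subject.OU quoted in the article's code requirements

# Binaries the article tells you to allow: on-disk path -> code-signing identifier.
AGENT_BINARIES = {
    "/opt/jc/bin/jumpcloud-agent": "jumpcloud-agent",
    "/opt/jc/bin/jumpcloud-agent-updater": "jumpcloud-agent-updater-darwin",
}

# SystemPolicySysAdminFiles is the narrower service covering /etc/pam.d;
# SystemPolicyAllFiles is Full Disk Access.
VALID_SERVICES = {"SystemPolicySysAdminFiles", "SystemPolicyAllFiles"}


def code_requirement(identifier: str, team_id: str = TEAM_ID) -> str:
    """Designated requirement from the article: Apple-anchored chain, Developer ID
    intermediate (…6.2.6), Developer ID Application leaf (…6.1.13), this Team ID."""
    return (
        f'identifier "{identifier}" and anchor apple generic '
        "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
        "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
        f"and certificate leaf[subject.OU] = {team_id}"
    )


_REQ_RE = re.compile(r'^identifier "([^"]+)" .* certificate leaf\[subject\.OU\] = (\w+)$')


def requirement_fields(requirement: str) -> tuple:
    """Return (identifier, team_id) from a requirement string. Accepts the
    'designated => ...' prefix that `codesign -d -r-` prints, so the output of
    that command can be compared directly with the profile's entries."""
    text = requirement.strip().split("=> ", 1)[-1].strip()
    m = _REQ_RE.match(text)
    if not m:
        raise ValueError("string is not a Developer ID designated requirement")
    return m.group(1), m.group(2)


def pppc_entry(path: str, identifier: str) -> dict:
    """One TCC entry: path identifier plus the code requirement that pins it."""
    return {
        "Identifier": path,
        "IdentifierType": "path",
        "CodeRequirement": code_requirement(identifier),
        "StaticCode": False,  # evaluate the running process, not only the file on disk
        "Allowed": True,
    }


def build_profile(service: str = "SystemPolicySysAdminFiles",
                  org: str = "Example Org",                      # placeholder
                  payload_id: str = "com.example.pppc.jumpcloud"  # placeholder
                  ) -> dict:
    """Top-level configuration profile with a single TCC payload."""
    if service not in VALID_SERVICES:
        raise ValueError(f"unknown PPPC service {service!r}")
    # uuid5 makes the UUIDs deterministic, so regenerating yields identical output.
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{payload_id}.tcc",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{payload_id}.tcc")).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "JumpCloud agent PPPC",
        "PayloadOrganization": org,
        "Services": {service: [pppc_entry(p, i) for p, i in AGENT_BINARIES.items()]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # TCC payloads must be device (system) scoped
        "PayloadIdentifier": payload_id,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, payload_id)).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "JumpCloud agent: system administration files",
        "PayloadOrganization": org,
        "PayloadContent": [tcc_payload],
    }


def profile_xml(**kwargs) -> bytes:
    """Serialize the profile as XML plist, the .mobileconfig format MDMs accept."""
    return plistlib.dumps(build_profile(**kwargs))


if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(profile_xml())
```

Run it with python3 pppc_profile.py > jumpcloud-pppc.mobileconfig and upload the file to your MDM as a custom profile (pass service="SystemPolicyAllFiles" to build_profile if you need Full Disk Access instead). Before deploying, check the requirement strings against the installed binaries on a device that already has the agent: codesign -d -r- /opt/jc/bin/jumpcloud-agent prints the designated requirement, and codesign --verify -R='<requirement>' /opt/jc/bin/jumpcloud-agent exits non-zero if the binary does not satisfy the requirement you are about to ship.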