Understand Mac Keychain Access

MacOS Keychain Application Access is a unique feature for macOS devices using Device Trust. When some SSO-enabled applications on macOS devices attempt to authenticate users via JumpCloud, they don’t open a browser window to do so. Instead, they present the website in-app, and the app can’t be added to the Device Trust certificate used to authenticate because the device authorizes only supported browsers (Safari, Chrome) access to the Device Trust private key. This results in the user's device prompting the user for the keychain password when accessing the app, which can cause confusion. When you encounter apps that cause these prompts to appear on macOS devices, you can add these apps as trusted so that your users aren't prompted.

Prerequisites

  • This procedures applies only to macOS devices.
  • Global Certificate Distribution must be enabled on the Conditional Access Policies Settings page. See Manage Device Trust Certificates. Global Certificate Distribution can also be enabled when configuring a policy.

Granting MacOS Keychain App Access

When you turn Global Certificate Distribution ON, a default list of JumpCloud's preconfigured trusted applications is added to MacOS Keychain Application Access. The user’s device will renew its Device Trust certificates, and when the device imports a certificate’s private key, it will add these applications as trusted apps. The default list includes common applications that cause the password prompt issue, such as Keeper Password Manager, ZScaler, and Microsoft 365 applications.

JumpCloud cannot predict every application that will send keychain access prompts outside of this common list. For this reason, you can configure additional trusted applications.

To grant MacOS Keychain Application Access:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click Settings to the right of the policies. You can also click Edit in Settings under Global Policies.
  4. Ensure the Global Certificate Distribution toggle is ON. JumpCloud’s recommended applications are automatically added to the Device Trust certificate as trusted apps. The apps appear in the trusted app list, along with JumpCloud Trusted as the Source.
  5. Confirm that the user-agent has correctly installed certs and authorized all of the displayed apps to access the private key, users can launch Keychain Access on their device and click the jumpcloud-device-trust-keychain-db entry under Custom Keychains.
  6. Double-click the Imported Private Key to open the dialog, and click the Access Control tab to see the list of authorized applications on the device.

Adding a New Trust Application

To add a new trusted application:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click Settings.
  4. Above the MacOS Keychain Application Access list, click (+).
  5. Enter the Name of the application you want to authorize. This must match the name of the application exactly as it is installed on the user’s device for the JumpCloud agent to be able to authenticate the application.
  6. (Optional) Specify a filepath as an Additional Search Location to permit the agent to search for the application.

Tip:

This is useful if you know that an app isn’t installed in the user’s or device’s applications folders. The agent will search for the application in this location before attempting to search the user’s or device’s application directories.

  1. Click create custom trusted app. The application is added to the list of trusted applications, along with Custom as the Source.

Editing a Trusted Application

To edit an existing trusted application:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click Settings.
  4. In the list, click the arrow that corresponds to the application you want to modify. From the aside, you can edit the trusted application details or click Remove Authorization to remove the application as a trusted configuration. 
  5. Click update trusted app.

Removing a Trusted Application

To remove an existing trusted application:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click Settings.
  4. In the MacOS Keychain Application Access list, select the checkbox next to the name of the application you want to remove as trusted. You can select multiple applications for bulk removal from the list.
  5. Click delete. Deleting a trusted app does not remove the application from the user’s device.

Restoring the Default Configuration

To restore the default configuration:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click Settings.
  4. Click Restore Defaults
  5. Click Reset. Any custom trusted application configurations are removed and JumpCloud’s default trusted applications are restored.
Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case