After you use JumpCloud to encrypt a system, enforce Multi-factor Authentication (MFA), require strong passwords, and scan continuously for malware threats, you want employees to manage their identities and passwords in this well-fortified environment.
There are four passwords on your macOS device that must be kept in sync:
- JumpCloud user password – Used to log in to your JumpCloud User Portal.
- FileVault (if enabled) – Used to unlock FileVault when your device is started up. In most scenarios, the FileVault password and the device password are the same, but you should treat them as two distinct passwords.
- Device password – Used to log in to your device after FileVault is unlocked.
- macOS Keychain – Used to access passwords, logins, secure notes, etc. that you have saved on your Mac.
JumpCloud IdentityOS® makes it simple to keep these distinct passwords synchronized and prevent lockouts.
Changing Your User Password
You can change your user password in three places:
- JumpCloud Menu Bar App (recommended)
- User Portal
- System Settings (least recommended)
Considerations
- The JumpCloud passwords you create must adhere to the complexity settings your organization requires for user account passwords. You’ll get an error if you attempt to create a non-compliant password.
- Your password also has to adhere to the password complexity settings of the applications you log in to using JumpCloud. If you need help determining the password complexity settings of the applications you use, ask your IT Admin.
- If your account gives you access to SSO applications, it may take several minutes for your password to update for your SSO applications after you change it in JumpCloud.
- Note that when you change your password, any active sessions (User Portal, SSO applications, etc.) will be terminated.
Changing Your Password With the JumpCloud Menu Bar App
On macOS devices, the JumpCloud menu bar app delivers a convenient method for you to change or sync your JumpCloud IdentityOS® password.
The menu bar icon can be hidden by your Admin, and you should contact your Admin if you're unable to locate the menu bar app on your device. Additionally, if your account is managed by Active Directory or Okta, you won't be able to use the app to reset your password.
To change your JumpCloud password in the JumpCloud menu bar app:
- Click the JumpCloud logo in the menu bar to open the JumpCloud menu bar app.
- Hover over the “Your computer password is up-to-date” message, then click Reset Password.
- In the JumpCloud Password field, enter your current JumpCloud user password.
- In the New Password field, enter your new JumpCloud user password.
- In the Confirm Password field, enter your new JumpCloud user password again.
- If your organization requires an Authentication Method, enter your TOTP from your authentication app or accept the login push request on your mobile device.
- Click Save.
After the JumpCloud menu bar app saves your passwords, JumpCloud updates the FileVault and Keychain accordingly.
Changing Your Password in the User Portal
To change your JumpCloud password in the User Portal:
- Log in to the JumpCloud User Portal: https://console.jumpcloud.com/login.
- Go to Security.
- Under Password, click Reset Password.
- To update your password, enter your current password, your new password, and your new password again. Password complexity requirements are determined by your IT Admin. If you forget your password, you can also request a password reset by clicking Reset User Password on the User Portal login screen.
- Click Update Password.
- Follow the instructions in Syncing Your JumpCloud Password with Your Device Password below to update your password in the menu bar app.
If your users log in with Touch ID, they may have to enter their password to access the User Portal. This occurs because the Mac App can only authenticate the user against the portal when the user is required to enter a password instead of using Touch ID.
Changing Your Password in the System Settings
If a user changes a device password in System Settings (formerly System Preferences), their JumpCloud password will be out of sync with the device, and they will be prompted to reconcile the two passwords. This process will sync their JumpCloud password back to the device, rather than updating the JumpCloud password. They will then be able to use their JumpCloud password to log in to their device and access their JumpCloud-managed resources.
To sync the JumpCloud password back to the device:
- Click the “Confirm Your Password” notification.
- Click Confirm Now in the dialog window.
- Enter your current JumpCloud user password in the Current JumpCloud Password field and click Next.
- Enter the device password that you just updated in System Settings in the Current Device Password field and click Next.
If you leave this field blank, the device’s keychain will be reset, and you will no longer have access to the passwords, logins, and secure notes you have saved to your device.
- A success dialog confirms that your JumpCloud password has been synced to the device. You will now use your JumpCloud password to access your device and JumpCloud-managed resources.
Syncing Your JumpCloud Password with Your Device Password
If your password has changed outside of the JumpCloud menu bar app (such as by an Admin reset), you must synchronize your password in the menu bar app.
The menu bar app prompts you to confirm the password changes.
You can wait for the prompt or use these steps to synchronize your new JumpCloud password with the one used to access your company's device. The process you choose varies depending on where you changed your password.
Syncing Your Password in the User Portal When Your Device is Online
If you change your password in the JumpCloud User Portal, the password won't match the one you use to log in to your device.
To sync your new JumpCloud user password with your device:
- In the menu bar, click the JumpCloud icon.
- Click Confirm Now.
- Confirm the new password by entering the one you’ve just set in the User Portal.
- Click Next.
- Enter the password you use to log in to your device in Current Device Password, or leave it blank if you don’t remember it.
If you leave this field blank, the device’s keychain will be reset, and you will no longer have access to the passwords, logins, and secure notes you have saved to your device.
- Click Next.
- After your updated JumpCloud user and device passwords are confirmed, your JumpCloud account, User Portal credentials, Mac device, and FileVault passwords are all in sync.
Syncing Your Password in the User Portal When Your Device is Offline
If you change your password in the JumpCloud User Portal from another device while your JumpCloud-managed device is offline, the new password won’t match the one you use to log in to your device or any passwords stored in FileVault.
To sync your new JumpCloud user password with your device:
- When your device is online again, log in with your new JumpCloud credentials.
- If FileVault is enabled, enter your FileVault password. This is your previous password. When the password is verified, the system is decrypted.
- In the menu bar, click the JumpCloud icon.
- Confirm the new password by entering the one you’ve just set in the User Portal.
- The JumpCloud menu bar app asks you to confirm your new password to ensure that the Keychain, FileVault, and JumpCloud account passwords are in sync.
Syncing Your Password in Active Directory or from a Temporary Password
If your password is changed by your IT Admin or you change it in Active Directory, the new password won’t match the one you use to log in to your device or any passwords stored in FileVault. You can use these steps to synchronize your new password with the ones used on your company’s device.
Considerations
- If an Admin sets a temporary password, you must first sync that temporary password with your device, FileVault, and Keychain. After these are all in sync, you can change your temporary password.
- In rare cases, you see a confirmation that the new password is confirmed when it wasn’t. In this case, the menu bar app prompts you to sync your password again. After entering your current password again, you see a confirmation, the password changes have been synchronized, and the notification disappears.
- You are asked to enter your old (previous) password. You can leave this blank, but you might see one of the following responses:
  - If Keychain isn’t in sync with the new password, Apple creates a new Keychain for you the next time you log in. You are still able to sync your new JumpCloud password with your system and FileVault.
  - If the JumpCloud Service Account isn’t present on your device, an error appears. Contact your IT Admin.
To sync your new JumpCloud password with your device:
- In the menu bar, click the JumpCloud icon.
- In the Recently Updated JumpCloud Password field, enter the password set by your IT Admin or the one you set in Active Directory.
- Click Next.
- When prompted for your Current Device Password, enter your device password or leave it blank if you don’t remember it.
- Click Next.
- Confirmation that your password change is successful appears. Your Mac password is in sync with JumpCloud as well as with Keychain and FileVault.
Correcting Unsynchronized JumpCloud and FileVault Passwords
When FileVault still unlocks with an old password, but the macOS device login that follows requires the current JumpCloud password, use these steps to resolve the discrepancy.
You must know both your previous password and the current password to use this procedure.
- Boot the device into Recovery Mode:
  - For Intel devices, press and hold Command-R to boot the device into Recovery Mode.
  - For Apple Silicon devices, follow the steps in Start up your computer in macOS Recovery.
- In Recovery Mode’s macOS Utilities screen, click the Utilities menu in the Mac menu bar, and select Terminal.
- In Terminal, enter this command and then press Return: # resetpassword.
Verify that you've typed resetpassword as one word. The # is the Terminal prompt, not part of the command.
- The Reset Password utility launches and examines local volumes, and then displays three options. Choose My password doesn’t work when logging in and click Next.
- Choose your JumpCloud user and click Next.
- Enter the current FileVault password to unlock the volume.
- Enter the current JumpCloud password in both the New password and Verify password fields and click Next.
- macOS then prompts for a normal reboot. After the reboot, the FileVault and macOS device passwords are synchronized.