JumpCloud macOS users with a Mac system with an Apple Silicon processor can now reset the JumpCloud IdentityOS® password when the device is using FileVault 2 Full Disk Encryption using RecoveryOS. Previously, users on these devices were locked out because the devices do not prompt for the FileVault recovery key, and instead display a prompt to reboot into RecoveryOS.
At the FileVault login screen, users can choose to restart and show password reset options. When the system is booted into RecoveryOS, the user is required to enter the FileVault 2 recovery key to unlock the disk. After the disk is unlocked using the FileVault 2 Personal Recovery Key, the user can reset the JumpCloud IdentityOS password to a new value. This new password will work at the FileVault 2 boot screen and will unlock the disk to allow the boot process to continue.
Users who have forgotten their password or changed their password outside of the JumpCloud menu bar app and can't log into their device can press Option + Shift + Return simultaneously at the FileVault login screen and enter the Recovery Key to unlock their device. Subsequently, they'll be able to log in with the temporary password or their updated password.
After the device has booted, the user enters the previous password and the new password at the JumpCloud login screen. The previous password is the password the user just entered during RecoveryOS, and the new password is the authoritative JumpCloud IdentityOS login password. If their JumpCloud login password has changed since the last successful login--reset by an administrator, so that the user would know it, for example--the user’s keychain is regenerated on login.
JumpCloud implemented a workaround that disables password change blocking by default on Apple Silicon devices, so that an IT Admin cannot enforce blocking local password changes on these devices. The BlockPwChangePolicy was previously set by the JumpCloud agent in Apple’s Open Directory LDAP service for each managed user. This is the setting that prevented the user from resetting the password at the FileVault login screen.
Disabling the BlockPwChangePolicy setting lets the user update or change a local password, which requires the user to re-sync the JumpCloud password after moving past the FileVault screen.
If your user resets the password using System Settings, the JumpCloud password is not changed. This results in an out-of-sync event between the user’s local login password and the JumpCloud IdentityOS password. The JumpCloud menu bar app will prompt the user to fix the problem during the current login session:
The user enters the JumpCloud password at the next screen, and then enters the current login password at the second screen:
After the user clicks Next, the local login password is changed to the JumpCloud IdentityOS password and the keychain is reconciled.
Alternatively, on the next restart, the JumpCloud login screen will reconcile the password issue.