Granting Permissions for Monterey Pluggable Authentication Modules (PAM)

Apple’s new operating system, macOS Monterey, is due for release in October. Along with all the usability and feature changes come changes to the underpinnings of macOS. Apple continues to tighten the security of its operating system and, while this is desirable, it also poses some unique challenges for developers and integrators.

The most impactful security change for IT admins in Monterey is a set of new restrictions that Apple has placed on access to the Pluggable Authentication Module (PAM) configuration directory, /etc/pam.d. JumpCloud’s ability to sync your user’s password to the computer at the login window is implemented as a PAM. With macOS Monterey, Apple requires that any process (such as our login mechanism) that needs access to /etc/pam.d/ have the consent of an admin user on the system. Alternatively, an admin may grant that consent through an MDM profile.

This means you may need to take action to preserve core JumpCloud functionality before your end users update to the latest OS. First and foremost, until you have prepared for this, it is recommended that you configure the Block Monterey Installation policy in JumpCloud so that your users don’t jump the gun.

As an IT professional, you fall into one of three camps: a) you are using JumpCloud MDM to manage your Mac fleet, b) you are using a third-party MDM, or c) you aren’t using any MDM for Mac management. Below are the steps you can follow to ensure the functionality above is preserved:

JumpCloud MDM

If you are using JumpCloud as your MDM, you are all set. The agent will update ahead of the OS release, and that update includes granting the permissions needed to provide the consent. You won’t have to do a thing. For new installs, we deploy an MDM profile that grants access to the directory at the time of enrollment.

Third-Party MDM

If, however, you are integrating JumpCloud with a separate MDM provider, you will need to manage this change yourself (Read more…)
