The authchanger binary can be used to manipulate the authentication database used by the loginwindow application. Functions include the following:

  • Determine the order of mechanism execution

  • Enable Jamf Connect Login for Okta or OpenID Connect (OIDC) identity providers (IdPs)

  • Reset the database to the default state

  • Run a single Jamf Connect Login mechanism during the loginwindow process

authchanger is installed by the Jamf Connect Login installation package in the following location:


It is then used by the postinstall script in the package to set up the database for authentication. This tool must run as root.

Note: Use the -reset command before making changes to ensure the authentication database is in its default setting.


The following authchanger commands can be used:




Lists the version number


Lists the help statement


Resets the authentication database to macOS default settings


Enables Jamf Connect Login with Okta


Enables Jamf Connect Login with OpenID Connect IdPs


Lists the current authorization mechanisms


Lists any changes and their possible outcomes


Enables Jamf Connect authentication to be used for sudo and other system preference changes.

You can also specify custom rules:




Specifies the mechanism to be used before the UI displays


Specifies the mechanism to be used between the login UI and authentication


Specifies the mechanism to be used after authentication


Consider the following commonly used authchanger commands:



sudo authchanger -print

Read the Authorization Database

Displays the current authorization database settings.

sudo authchanger -reset -OIDC

Disable Jamf Connect Authentication

Ensures the authorization database is reset to factory defaults, and then enables Jamf Connect Login with OpenID Connect IdPs with the loginwindow.

sudo authchanger -reset -preAuth JamfConnectLogin:DeMobilize,privileged

Run a Single Jamf Connect Login Mechanism

You can configure Jamf Connect Login to run a single login mechanism. This example runs only the "Demobilize" mechanism during the loginwindow process. This allows users to log in using the default macOS login window while Jamf Connect converts the mobile account into a local account on the Mac in the background.
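
A read-only check to run after an authchanger change, added here as an example and not part of Jamf's tooling: it extracts the mechanism list from the plist that `security authorizationdb read system.login.console` prints and flags mechanisms from plug-ins outside a baseline. The sample plist, the ExamplePlugin entry, the function names and the EXPECTED_PLUGINS baseline are constructed assumptions.

```shell
# Added example: audit the mechanisms of the system.login.console right.
# On a Mac, feed it real data with:
#   security authorizationdb read system.login.console 2>/dev/null | list_mechanisms

# Plug-in names treated as expected. This baseline is an assumption; adjust it
# to what a known-good Mac in your fleet reports.
EXPECTED_PLUGINS="builtin loginwindow HomeDirMechanism MCXMechanism PKINITMechanism CryptoTokenKit JamfConnectLogin"

# Constructed sample plist (not captured from a real system).
sample_plist() {
cat <<'EOF'
<plist version="1.0">
<dict>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>JamfConnectLogin:DeMobilize,privileged</string>
        <string>loginwindow:login</string>
        <string>ExamplePlugin:hook,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
</plist>
EOF
}

# Print one mechanism per line, in execution order, from plist XML on stdin.
list_mechanisms() {
    awk '/<key>mechanisms<\/key>/ { want = 1; next }
         want && /<array>/        { inside = 1; next }
         inside && /<\/array>/    { exit }
         inside && match($0, /<string>[^<]*<\/string>/) {
             print substr($0, RSTART + 8, RLENGTH - 17) }'
}

# Print mechanisms whose plug-in (text before ":") is not in the baseline.
unexpected_mechanisms() {
    while IFS= read -r mech; do
        case " $EXPECTED_PLUGINS " in
            *" ${mech%%:*} "*) ;;
            *) printf '%s\n' "$mech" ;;
        esac
    done
}

# Print only the Jamf Connect Login mechanisms.
jamf_mechanisms() { grep '^JamfConnectLogin:' || true; }

sample_plist | list_mechanisms | unexpected_mechanisms
```

Saving the output of `list_mechanisms` before and after a change and comparing the two with `diff` shows exactly which mechanisms were added, removed or reordered.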

Related Information

For related information about adding non-default mechanisms to Jamf Connect Login, see Additional Login Settings.
