Jamf Unlock Overview

Jamf Unlock is a mobile app that enables users to unlock their Mac without entering a password. With Jamf Unlock, users complete a setup process that generates identity credentials (a certificate) on their mobile device and pairs the device with their Mac. Once setup is complete, users can use the app to authenticate in the following scenarios:

  • Logging into a Mac computer
  • Changing settings in System Preferences
  • Installing software updates
  • Executing commands with root privileges using the sudo command

IT administrators can use Jamf Pro to customize the look and feel of the app, configure authentication settings via managed app configuration, and deploy the app to users for passwordless authentication.

General Requirements

To use Jamf Unlock in your environment, you need the following:

  • A Jamf Connect subscription and the Jamf Connect menu bar app installed on computers.

    Note:

    You must also include the Enable Unlock (EnableUnlock) setting in your menu bar app configuration profile. For more information, see Enabling Jamf Unlock on Computers.

  • An MDM solution, such as Jamf Pro

  • Managed mobile devices with the following:

    • iOS 15 or iPadOS 15 or later, with an internet connection

    • A passcode and Face ID or Touch ID enabled

  • Managed computers with the following:

    • macOS 11 or later

    • The Jamf Connect menu bar app installed

  • A local account with administrator privileges

  • An OpenID Connect app integration in your cloud identity provider

    Note:

    If you already deployed the menu bar app in your environment, you can use an existing app integration in your IdP for the menu bar app by adding an additional Redirect URI for Jamf Unlock. If you use Okta and its authentication API with the menu bar app, you must create a new app integration for Jamf Unlock to support the OpenID Connect authentication protocol. See Jamf Connect Identity Provider Integrations for more information.
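The Enable Unlock (EnableUnlock) setting required above lives in the Unlock dictionary of the Jamf Connect menu bar app configuration profile. As an added example, not Jamf's documentation or code, the following Python builds a custom-settings configuration profile with that key set and checks an existing profile for it. The preference domain com.jamf.connect, the payload identifiers, and the plain custom-settings payload layout (preference keys placed directly in a payload whose PayloadType is the preference domain) are assumptions made for this example, not details taken from this page; confirm them against your own deployed profile.

```python
import plistlib
import uuid

# Assumption (not from the page): the Jamf Connect menu bar app reads its
# managed preferences from the com.jamf.connect preference domain.
MENU_BAR_DOMAIN = "com.jamf.connect"


def menu_bar_preferences(enable_unlock: bool = True) -> dict:
    """Preference keys for the menu bar app: EnableUnlock nested in the
    Unlock dictionary, as the requirements describe."""
    return {"Unlock": {"EnableUnlock": enable_unlock}}


def build_profile(enable_unlock: bool = True,
                  identifier: str = "com.example.jamfconnect.menubar") -> dict:
    """Wrap the preferences in a device-level configuration profile.
    The identifier and display name are illustrative placeholders."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Jamf Connect menu bar: Enable Unlock",
        "PayloadContent": [
            {
                # Custom-settings payload: PayloadType is the preference
                # domain and the managed keys sit beside the Payload* keys.
                "PayloadType": MENU_BAR_DOMAIN,
                "PayloadVersion": 1,
                "PayloadIdentifier": identifier + ".settings",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                **menu_bar_preferences(enable_unlock),
            }
        ],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as an XML plist (.mobileconfig content)."""
    return plistlib.dumps(profile)


def unlock_enabled(mobileconfig: bytes) -> bool:
    """Return True only if a payload for the menu bar domain carries
    Unlock -> EnableUnlock = true. A top-level EnableUnlock key, or a
    payload for another domain, does not count: the setting must be in
    the Unlock dictionary."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MENU_BAR_DOMAIN:
            continue
        unlock = payload.get("Unlock")
        if isinstance(unlock, dict) and unlock.get("EnableUnlock") is True:
            return True
    return False


def misplaced_key_profile() -> bytes:
    """Constructed example of a common mistake: EnableUnlock set at the
    top level of the payload instead of inside the Unlock dictionary."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.jamfconnect.wrong",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [{
            "PayloadType": MENU_BAR_DOMAIN,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.jamfconnect.wrong.settings",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "EnableUnlock": True,
        }],
    })


if __name__ == "__main__":
    good = to_mobileconfig(build_profile(True))
    print(good.decode())
    print("EnableUnlock in Unlock dictionary:", unlock_enabled(good))
    print("Misplaced key detected as enabled:", unlock_enabled(misplaced_key_profile()))
```

Run the script to print a profile you can compare against the one exported from your MDM; the checker is useful for reviewing profiles before deployment, since a key placed outside the Unlock dictionary will look right at a glance but does not match the documented setting.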

Jamf Unlock at the macOS Login Window

You can allow users to use the Jamf Unlock app to log in via Apple's native macOS login window.

When enabled, users can choose Jamf Unlock authentication instead of entering their local password by turning on the Enable Jamf Unlock switch at the top of the login window.

  • By default, Jamf Unlock authentication is only available after logout and is skipped after restart. To use Jamf Unlock authentication after a full restart, you must disable Apple's automatic FileVault login setting on computers. For more information, see FileVault Enablement with Jamf Connect.

  • Make sure the EnableUnlock setting is also enabled in the Unlock dictionary of your Jamf Connect menu bar configuration profile.

  • During the first login attempt, users may need to enter their password to allow macOS to use the "login" keychain.

  • The Jamf Connect login window cannot be used with Jamf Unlock authentication. To use Jamf Unlock at the login window, make sure the Jamf Connect login window is disabled by executing sudo authchanger -reset, which restores Apple's native login window.

  • If four or more local user accounts are on a computer, the user icons that display in the macOS login window may not be centered on the screen.