Jamf Unlock Overview

Jamf Unlock is a mobile device app that allows a user to unlock their Mac with a mobile device without using a password. With Jamf Unlock, users complete a setup process to create or generate identity credentials (certificate) on their device, which pairs and establishes trust with a Mac. When setup is complete, users can easily use the app as a passwordless authentication method in the following scenarios:

  • Logging into a Mac computer
  • Prompts to change settings in System Preferences or install software updates
  • Commands executed with root privileges with the sudo command

IT administrators can use Jamf Pro to configure authentication settings via managed app configuration, and deploy the app to users in their organization.

General Requirements

To use Jamf Unlock in your environment, you need the following:

  • A Jamf Connect subscription and the Jamf Connect menu bar app installed on computers.

    Note:

    You must also include the Enable Unlock (EnableUnlock) setting in your menu bar app configuration profile. For more information, see Enabling Jamf Unlock on Computers.

  • An MDM solution, such as Jamf Pro

  • Managed devices with the following:

    • iOS 14.0 or later that are connected to the internet

    • A passcode and Face ID or Touch ID enabled

  • Computers with macOS 10.15.4 or later with the Jamf Connect menu bar app installed

  • A local account with administrator privileges

  • An OpenID Connect app integration in your cloud identity provider

    Note:

    If you already deployed the menu bar app in your environment, you can use an existing app integration in your IdP for the menu bar app by adding an additional Redirect URI for Jamf Unlock. If you use Okta and its authentication API with the menu bar app, you must create a new app integration for Jamf Unlock to support the OpenID Connect authentication protocol. See Identity Provider Integrations for more information.

Jamf Unlock at the macOS Login Window

You can allow users to use the Jamf Unlock app to log in via Apple's native macOS login window.

When enabled, users have the option to use Jamf Unlock authentication rather than entering their local password by using the Enable Jamf Unlock switch at the top of the login window.

  • By default, Jamf Unlock authentication is only available after logout and is skipped after restart. To use Jamf Unlock authentication after a full restart, you must disable Apple's automatic FileVault login setting on computers. For more information, see FileVault Enablement with Jamf Connect.

  • Make sure the EnableUnlock setting is also enabled in the Unlock dictionary of your Jamf Connect menu bar configuration profile.

  • During the first login attempt, users may need to enter their password to allow macOS to use the "login" keychain.

  • The Jamf Connect login window cannot be used with Jamf Unlock authentication. To use Jamf Unlock authentication, make sure the Jamf Connect login window is disabled by executing sudo authchanger -reset.

  • If four or more local user accounts are on a computer, the user icons that display in the macOS login window may not be centered on the screen.
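The EnableUnlock requirement above is easy to get wrong in a profile (key placed outside the Unlock dictionary, or set as the string "true" instead of a boolean). The following added example, which is not Jamf's code and not part of the original page, builds a minimal menu bar configuration profile with the Unlock dictionary from the text and checks a profile strictly for that key. It assumes the menu bar app's preference domain is com.jamf.connect; the payload identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Preference domain of the Jamf Connect menu bar app. Assumed here; the page
# only names the Unlock dictionary and the EnableUnlock key inside it.
MENU_BAR_DOMAIN = "com.jamf.connect"


def build_menu_bar_profile(enable_unlock: bool) -> bytes:
    """Return a minimal configuration profile (XML plist bytes) for the menu bar
    app whose Unlock dictionary carries the EnableUnlock boolean.
    Identifiers and UUIDs are constructed placeholders, not real values."""
    payload = {
        "PayloadType": MENU_BAR_DOMAIN,
        "PayloadIdentifier": "example.jamfconnect.menubar.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "Unlock": {"EnableUnlock": enable_unlock},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.jamfconnect.menubar.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Jamf Connect menu bar (constructed example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def unlock_enabled(profile_bytes: bytes) -> bool:
    """True only if a payload for the menu bar domain has Unlock -> EnableUnlock
    set to the boolean True. A missing Unlock dictionary, a missing key, or a
    non-boolean value (such as the string "true") all count as not enabled."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MENU_BAR_DOMAIN:
            continue
        unlock = payload.get("Unlock")
        if isinstance(unlock, dict) and unlock.get("EnableUnlock") is True:
            return True
    return False


# Constructed sample of a common mistake: the value is a string, not a boolean.
MISTYPED_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": MENU_BAR_DOMAIN,
        "Unlock": {"EnableUnlock": "true"},
    }],
})

if __name__ == "__main__":
    print("correct profile enables Unlock:", unlock_enabled(build_menu_bar_profile(True)))
    print("profile with EnableUnlock=false:", unlock_enabled(build_menu_bar_profile(False)))
    print("profile with string value:", unlock_enabled(MISTYPED_PROFILE))
```

The check is deliberately strict about the boolean type: a profile that looks right in a text editor but carries a string value would not satisfy the menu bar app, and flagging it before deployment saves a round of troubleshooting at the login window.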