Overview
The SureMDM Service Account for macOS is a system-level user account that is automatically created during the enrollment process for new devices. For existing enrollments, the account can be created manually when using a supported version of the agent.
The SureMDM Service Account is supported in agent version 6.6.3 and above.
This account is utilized for advanced user management functions, including enabling SecureToken access for users created through SureMDM, performing password resets, and overriding personally enabled FileVault configurations.
Once created, the Service Account operates silently in the background and is hidden from the login screen. Users cannot view or modify this account. Upon device unenrollment, the SureMDM Service Account is automatically removed. Customized scripts are also available to disable Service Account creation or to force a prompt for its creation as required for existing enrollments.
SureMDM Service Account Creation
The creation of the SureMDM Service Account for macOS is designed to be both straightforward and flexible, supporting new and existing enrollments. During the process, the system prompts for the credentials of an admin account with SecureToken enabled. Once authenticated, the SureMDM Service Account is created.
Enrollment Type | Action |
---|---|
New Enrollments | When a macOS device is enrolled for the first time, SureMDM automatically prompts the end user to create the Service Account after the enrollment workflow. This ensures the account is provisioned seamlessly during the setup process. |
Existing Enrollments | Devices that are already enrolled in SureMDM can also be provisioned with a Service Account. If the SureMDM Agent is updated to version 6.6.3 or higher, end users can manually initiate the Service Account creation directly from the SureMDM Agent interface on the device. |
Supported Enrollment Methods: Service Account provisioning is compatible with Device Enrollment and ADE (Automated Device Enrollment) methods.
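To confirm on a device that the account behaves as described (present and hidden while enrolled, removed after unenrollment), an administrator can audit it with the built-in macOS tools `dscl` and `sysadminctl`. The script below is an added example, not SureMDM code. `SVC_ACCOUNT` is a placeholder, because this page does not state the account's short name, and the check assumes the account is hidden through the `IsHidden` attribute, which the page does not confirm.

```shell
#!/bin/sh
# Added example, not vendor code. SVC_ACCOUNT is a placeholder: supply the
# service account's short name yourself.

# summarize DSCL_TEXT TOKEN_TEXT
# Pure parser: reduces the text printed by dscl and sysadminctl to one line.
summarize() {
    case "$1" in
        *eDSRecordNotFound*) echo "absent"; return 0 ;;
    esac
    hidden=no
    token=unknown
    case "$1" in *"IsHidden: 1"*) hidden=yes ;; esac
    case "$2" in
        *"Secure token is ENABLED"*)  token=enabled ;;
        *"Secure token is DISABLED"*) token=disabled ;;
    esac
    echo "present hidden=$hidden securetoken=$token"
}

# matches_state STATE SUMMARY
# "enrolled": the account should exist and be hidden.
# "unenrolled": the account should be gone.
matches_state() {
    case "$1:$2" in
        enrolled:"present hidden=yes"*) return 0 ;;
        unenrolled:absent)              return 0 ;;
        *)                              return 1 ;;
    esac
}

# audit_live ACCOUNT: query the local directory and SecureToken status.
audit_live() {
    d=$(dscl . -read "/Users/$1" IsHidden 2>&1) || true
    t=$(sysadminctl -secureTokenStatus "$1" 2>&1) || true
    summarize "$d" "$t"
}

if command -v sysadminctl >/dev/null 2>&1 && [ -n "${SVC_ACCOUNT:-}" ]; then
    # On a Mac with the placeholder filled in: report the real state.
    audit_live "$SVC_ACCOUNT"
else
    # Constructed sample tool output, for running off-device.
    summarize "IsHidden: 1" \
        "sysadminctl[1:1] Secure token is ENABLED for user svc_placeholder"
fi
```

Run it with `SVC_ACCOUNT` set on an enrolled Mac, then again after unenrollment, and pass each result to `matches_state` to flag a device where the account is visible or was left behind.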
Advanced macOS Management with SureMDM Service Account
Key features and advantages of the SureMDM Service Account on macOS
Capability | Description |
---|---|
Simplified Password Reset | Enables seamless password resets through the Service Account by using the Change Password option in the User Account Management static and dynamic jobs. |
Secure Token Management for User Accounts | Allows administrators to grant or revoke SecureToken access for user accounts on the device through the User Accounts dynamic job. |
FileVault Override and Recovery Key Access | Allows administrators to override existing FileVault settings and retrieve recovery keys in the SureMDM console using the FileVault profile, including for devices encrypted prior to enrollment. |
SureIdP Password Synchronization | For macOS devices integrated with SureIdP (SureMDM Identity Provider), any password changes initiated from the IdP are automatically synchronized with the local macOS account. This removes the need for users to manage separate credentials and ensures a unified login experience. |
These capabilities are available only when the SureMDM Service Account is provisioned on the macOS device.