Setting up macOS Service Account
On macOS devices with Apple Silicon, Level uses a service account to ensure that the device can be patched. This service account is required to unlock FileVault so that updates can be installed. The service account is created during the Level agent installation process or may be added later using a terminal command.
The Level service account is installed as a system account whose sole purpose is the installation of updates. It can't be logged in to by any user โ the Level Service Account doesn't have an accessible password or valid home directory.
Service Account Details
No admin privileges
No login privileges (no home folder or shell)
Hidden in the login window or Users & Groups preferences
If FileVault is enabled, this account is visible at startup and can unlock the drive
When the Level agent is uninstalled, the service account is also removed
Manual Service Installation
To manually install the service run the below command.
/usr/local/bin/level --create-service-account
You will be prompted for an administrator username and password to create the service account.
CLI Service Options
Prefix options with the full path to the Level Agent
(i.e. /usr/local/bin/level --check-service-account)
Options | Description |
--check-service-account | Checks if a Level service account is set up. (Apple Silicon only) |
--create-service-account | Creates a new Level service account for system updates. (Apple Silicon only) |
--delete-service-account | Deletes the Level service account. (Apple Silicon only) |
--admin-name= | Admin name for --create-service-account (for use in non-interactive scripts) |
--admin-password= | Admin password for --create-service-account (for use in non-interactive scripts) |