Introduction
On Apple Silicon Macs (M1/M2/M3), Level creates a dedicated service account to support patch management. This account is required so Level can unlock FileVault and install updates without an interactive user session.
It's created automatically during agent installation. If you skipped the prompt at install time or need to manage it later, you can do so via the command line.
What the Service Account Is
The Level service account is a system account with a single purpose: installing updates. It's not a user account in any practical sense.
No admin privileges
No login privileges (no home folder, no shell)
Hidden in the login window and Users & Groups preferences
If FileVault is enabled, the account is visible at startup and can unlock the drive
Removed automatically when the Level agent is uninstalled
ℹ️ NOTE: The service account is Apple Silicon-only. Intel Macs don't require it because the patch management flow on Intel doesn't need to unlock FileVault at startup.
Manual Setup
If the service account wasn't created during install, run this command on the target device:
/usr/local/bin/level --create-service-account
You'll be prompted for an admin username and password. These credentials are for an existing system admin on the device — they're used to authorize the creation of the service account, not to set its password.
💡 TIP: For scripted or MDM-based setup, pass credentials as flags to skip the interactive prompt:
Example
/usr/local/bin/level --create-service-account --admin-name=adminuser --admin-password=adminpass
CLI Reference
ℹ️ NOTE: All service account options are Apple Silicon-only. Running them on an Intel Mac will have no effect.
All options require the full path to the Level agent binary: /usr/local/bin/level
| Option | Description |
| --- | --- |
|  | Checks whether a Level service account exists on this device |
| --create-service-account | Creates a new Level service account |
| --delete-service-account | Removes the Level service account |
| --admin-name= | Admin username for --create-service-account |
| --admin-password= | Admin password for --create-service-account |
⚠️ WARNING: Deleting the service account with --delete-service-account will prevent Level from installing updates on this device until the account is recreated.
macOS Secure Tokens
Why does --create-service-account fail with "The provided admin credentials are valid, but the account lacks a secure token"?
On Apple Silicon Macs (and Intel Macs with FileVault), macOS requires that the admin account authorizing the creation of another account holds a SecureToken. The Level service account needs a SecureToken so it can unlock FileVault at boot, and Apple won't let a non-SecureToken admin grant a token to another account. If the admin credentials you pass to --create-service-account don't have a SecureToken, the agent will fail with this error even though those credentials are otherwise valid administrator credentials.
This is most commonly hit when the admin account was created by a Jamf PreStage Enrollment (or another MDM prestage) without Bootstrap Token escrow — those accounts are real admins, but they aren't automatically granted a SecureToken.
How do I check whether an admin account has a SecureToken?
sysadminctl -secureTokenStatus <adminuser>
If the output is ENABLED, that account can authorize --create-service-account. If it's DISABLED, you'll need to either use a different admin or grant this one a SecureToken first.
How do I get a SecureToken on the admin account I want to use?
There are three common paths, depending on the state of the device:
1. Setup Assistant (cleanest, for new devices). The first interactive user through Setup Assistant is automatically granted a SecureToken. If that's the admin you intend to use for Level deployment, no further action is needed.
2. Bootstrap Token via MDM (recommended for fleet deployments). Configure your MDM's prestage enrollment to create a Managed Local Administrator Account with Bootstrap Token escrow enabled. In Jamf, this is set on the PreStage Enrollment under Account Settings. The MDM then grants that admin a SecureToken at enrollment, and you can pass its credentials to --create-service-account non-interactively.
3. Grant the token from an existing SecureToken holder. If the device already has another account with a SecureToken (often the original end-user account), use it once to grant a token to your admin:
sudo sysadminctl -secureTokenOn <adminuser> -password <adminpw> \
  -adminUser <tokenholder> -adminPassword <tokenholderpw>
After this, <adminuser> will have a SecureToken and can be used for --create-service-account going forward.
I deployed a fleet without a SecureToken-holding admin. What now?
For each device, run sysadminctl -secureTokenStatus against the local admin accounts to find one that has a SecureToken (often the original Setup Assistant user). Use that account either to run --create-service-account directly, or to grant a SecureToken to your standard deployment admin (option 3 above) so future operations are non-interactive. For new enrollments, fix the underlying issue by enabling Bootstrap Token escrow on the MDM prestage.
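A pre-flight wrapper that ties the SecureToken check above to the manual setup command, so the "lacks a secure token" failure is caught before --create-service-account is invoked. This is an added example, not Level's own tooling; it assumes sysadminctl prints "Secure token is ENABLED/DISABLED for user <name>" (on stderr) and that local admins can be listed with dscl, and the script name level-preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added pre-flight wrapper for `level --create-service-account` (not Level's own code).
# Assumes sysadminctl reports "Secure token is ENABLED|DISABLED for user <name>" on stderr,
# and that local admins are listed by `dscl . -read /Groups/admin GroupMembership`.
LEVEL_BIN=/usr/local/bin/level

# secure_token_state "<sysadminctl output>": prints ENABLED, DISABLED or UNKNOWN
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED for user"*)  echo ENABLED ;;
    *"Secure token is DISABLED for user"*) echo DISABLED ;;
    *)                                     echo UNKNOWN ;;
  esac
}

# has_secure_token <user>: succeeds only when the account holds a SecureToken
has_secure_token() {
  out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
  [ "$(secure_token_state "$out")" = ENABLED ]
}

# find_token_holders: prints every local admin that currently holds a SecureToken
# (the "which account can I use?" step from the fleet FAQ above)
find_token_holders() {
  for u in $(dscl . -read /Groups/admin GroupMembership 2>/dev/null | cut -d: -f2); do
    has_secure_token "$u" && echo "$u"
  done
}

# create_service_account <admin> <password>: refuses early when the admin has no
# SecureToken, so nothing is passed to the agent that it will reject anyway.
# Note: a password given via --admin-password= is visible in `ps` while the command runs.
create_service_account() {
  if has_secure_token "$1"; then
    "$LEVEL_BIN" --create-service-account --admin-name="$1" --admin-password="$2"
  else
    echo "$1 has no SecureToken. Admins on this device that do:" >&2
    find_token_holders >&2
    return 1
  fi
}

# Usage: sudo sh level-preflight.sh <adminuser> <adminpass>   (runs only on macOS)
if [ "$(uname 2>/dev/null)" = Darwin ] && [ $# -eq 2 ]; then
  create_service_account "$1" "$2"
fi
```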
Does this apply to Intel Macs too?
Yes, on any Mac with FileVault enabled. On Apple Silicon, SecureToken is effectively required regardless of FileVault state. The symptom and the fix are the same on both architectures.
FAQ
Why does Level need a service account just to install updates? macOS requires FileVault to be unlocked before the system can install updates at startup. The service account gives Level a way to perform that unlock without an interactive user session.
Will my users see this account? No. The service account is hidden in the login window and in System Settings → Users & Groups. It only appears at the startup FileVault unlock screen on devices with FileVault enabled.
I dismissed the credential prompt during install. Do I need to set the account up? Only if you want Level to handle patch management on this device. Run --create-service-account manually or push it via your deployment tooling. Monitoring, remote control, and other features work without it.
Can I automate service account creation at scale? Yes — use the --admin-name= and --admin-password= flags to pass credentials non-interactively. These can be passed as part of a post-install script in your MDM or deployment tool.
What happens to the service account if I uninstall Level? It's removed automatically as part of the uninstall process.
