
Cardinal Key Resources for IT Professionals: Shared Devices

This page includes instructions intended for IT professionals who are supporting the use of Cardinal Key on shared devices.

Instructions for IT Professionals


  • The device must be enrolled in BigFix (eventually Jamf should also be able to support this setup).
  • Only macOS and Windows are supported.
  • Each user must have their own account on the local system.
  • Each user must be a local administrator.
  • One user of the device (this could be a sysadmin or tech support person) must be the primary user (responsible party) so that the device will appear in that user's list in MyDevices.

Set-up steps

It is recommended that the primary user be the first to install their Cardinal Key. Each user must individually complete the following steps:

  1. Complete the device enrollment process while logged on to their own local computer account.
  2. Install their own Cardinal Key, using either the guided installer or manual installation.
  3. If the guided installer was used, the process is now complete and the user may log out immediately.
  4. In the case of manual installation, the user must stay logged in long enough for BigFix to collect Cardinal Key data and report it to MyDevices. (Users should remain logged in for two hours.)


  • During device enrollment, the question about High Risk data confuses some folks. If any user (not just the primary user) says "yes" to High Risk data access, the computer will be considered to have High Risk data access.
  • The device will appear in the MyDevices list of the primary user only.
  • MyDevices can sometimes be slow to update. Allow up to 12 hours for a newly installed Cardinal Key to appear in MyDevices.
  • The Cardinal Keys will appear with the names given to them at installation time (by default either the machine name, in the case of the Cardinal Key Installer, or the OS name, in the case of a manual installation).
  • There’s no lifecycle management: if a local user account is deleted, for example, any associated Cardinal Key will still show in MyDevices in perpetuity, even though the certificate itself was deleted along with the user account.

Last modified February 28, 2024