If instructed, Jamf Connect or Self Service+ stores the user’s password in their local keychain by using SecKeychainAddGenericPassword()and other SecKeychain API calls. The password is stored in the user's default keychain.
If a password is stored in the user's keychain and Kerberos is enabled, Jamf Connect will use that password on launch. If the password cannot authenticate the user, Jamf Connect or Self Service+ deletes the password from the keychain to prevent lockouts. The user is then prompted to re-enter a valid password.