Still had quite a few Macs with "Need attention" status after failed attempts at running the create service account app introduced in the latest agent update.
After some trial and error I realized that somewhere along the way the affected users' token passphrase had got out of sync, and this is how I solved it (maybe the fix can be implemented in the app, but this is a workaround for now).
Step 1 - Check the SecureToken status of the account:
sysadminctl -secureTokenStatus username_goes_here
Step 2 - Once the SecureToken is enabled for the account, execute the commands below:
sudo fdesetup list | grep "$USER"  # where $USER is the name of the user out of sync
It will return
then copy the long UUID and enter:
diskutil apfs changePassphrase disk1s1 -user 27E97FDA-252E-1D28-97E2-E11278DB2D21
You will be prompted for the old password and the current password.
It will return Passphrase successful.
Step 3 - Reboot the computer and log in with the JumpCloud password, then launch the JumpCloudServiceAccount app from Applications and create the service account as intended.
Credits for Token sync fix to:
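Added example, not part of the original post or of JumpCloud's tooling: the grep lookup in step 2 matches substrings, so a short name such as sam also returns the record for samantha. The sketch below compares the whole name field of the fdesetup list output (one shortname,UUID record per line), validates the UUID, and prints the step 2 command for review; the function name, the sample records and the script usage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: exact-match UUID lookup in `fdesetup list` output.
# Constructed sample records (not real accounts), same "shortname,UUID" layout.
SAMPLE='samantha,11111111-2222-3333-4444-555555555555
sam,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
broken,not-a-uuid'

# Read records on stdin and print the UUID of exactly the user named in $1.
# Exit status: 0 found, 1 user not listed, 2 UUID field malformed.
# The body runs in a subshell, so its variables do not leak to the caller.
fv_uuid_for_user() (
    want=$1
    # `|| [ -n "$name" ]` keeps a final record that lacks a trailing newline.
    while IFS=, read -r name uuid || [ -n "$name" ]; do
        [ "$name" = "$want" ] || continue
        printf '%s\n' "$uuid" |
            grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' || exit 2
        printf '%s\n' "$uuid"
        exit 0
    done
    exit 1
)

# On a Mac, print (not run) the step 2 command for the user given as $1,
# e.g. `sh fv_uuid.sh sam` (hypothetical file name). disk1s1 is the volume
# used in the post; confirm the right one with `diskutil apfs list`.
if command -v fdesetup >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    if uuid=$(sudo fdesetup list | fv_uuid_for_user "$1"); then
        echo "diskutil apfs changePassphrase disk1s1 -user $uuid"
    else
        echo "no valid FileVault record for $1" >&2
    fi
fi
```
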