Link an end user account to macOS

Account linking on macOS for Okta Desktop MFA connects a user's local macOS user account with their Okta identity.

This enables users to sign in to the macOS computer with their Okta MFA factors. If you also want to link their Okta password for the device, use Desktop Password Sync for macOS.

Requirements

  • Okta Identity Engine org: Your Okta tenant where user identities, apps (including Desktop MFA), and policies are managed.

  • Okta Verify for macOS: This is the desktop app that must be installed on the macOS devices. It acts as the bridge between the macOS sign-in process and Okta and handles device registration and user authentication. Use the version downloaded from the Okta Admin Console; the Apple App Store version doesn't support Okta Device Access features.

  • Mobile Device Management (MDM) solution: An MDM solution like Jamf Pro, Kandji, or Microsoft Intune is essential for deploying the Okta Verify package and the necessary configuration profiles to your macOS devices. These profiles contain the settings that enable Desktop MFA and define its behavior.

  • Desktop MFA app in Okta: This is a specific app integration within your Admin Console that's configured for Desktop MFA. This app has a unique client ID and secret used in the deployment.
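
Added example, not from the Okta documentation: a POSIX shell check that an MDM script can run on a managed Mac to confirm the installed Okta Verify is the Admin Console download rather than the App Store build. It relies on the Mac App Store marking its installs with a receipt file at Contents/_MASReceipt/receipt inside the app bundle, which the Admin Console package does not carry. The default bundle path /Applications/Okta Verify.app is an assumption; pass another path if the app is installed elsewhere.

```shell
#!/bin/sh
# Added example (not Okta's own tooling).
# Classify an Okta Verify.app bundle as "direct" (Admin Console download,
# supported for Desktop MFA), "appstore" (Mac App Store build, which does not
# support Okta Device Access features), or "missing" (no bundle at that path).
# Mac App Store installs carry a receipt at Contents/_MASReceipt/receipt.
okta_verify_source() {
    # Default bundle path is an assumption; override with the first argument.
    bundle="${1:-/Applications/Okta Verify.app}"

    if [ ! -f "$bundle/Contents/Info.plist" ]; then
        echo "missing"
        return 0
    fi

    if [ -f "$bundle/Contents/_MASReceipt/receipt" ]; then
        echo "appstore"
        return 0
    fi

    echo "direct"
    return 0
}

# When run as a script with a bundle path argument, print the classification.
# Example: sh check_okta_verify.sh "/Applications/Okta Verify.app"
if [ "$#" -gt 0 ]; then
    okta_verify_source "$1"
fi
```

An MDM extension attribute or smart-group script can key off the printed word: anything other than "direct" means Desktop MFA will not work on that device until the Admin Console package replaces the App Store copy.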

End user procedure

  1. After Okta Desktop MFA is deployed to a macOS device, the first time a user signs in to their computer, the system prompts them to sign in to their Okta account for device access.

  2. The user enters their Okta username.

  3. Okta then issues an MFA challenge, using the methods configured for your org.

    • Okta Verify Push is the most common method: a push notification is sent to the user's mobile device that has Okta Verify installed, and the user approves the request on their phone. Depending on your org configuration, this can include a number challenge, in which the user must select the number shown on the computer's sign-in screen before the push is accepted.

    • For the Okta Verify TOTP method, the user enters a code generated by the Okta Verify app on their mobile device.

    • With the FIDO2 security key method, users can sign in with a configured security key (like a YubiKey) for authentication. See Configure Desktop MFA for macOS to use FIDO2 keys.

  4. After the MFA challenge is completed successfully, the user's local macOS account is linked to their Okta identity. As part of this process, users are prompted to set up an offline authentication factor. This lets them sign in to their computer when it is offline or when they don't have access to their primary Okta Verify device. The primary offline factor supported for macOS is an offline one-time password.

  5. After the initial linking, users can continue to sign in to their computer using their Okta credentials and the configured MFA factor.

Related links

Desktop Password Sync for macOS

Desktop MFA for macOS