Configure Platform Single Sign-on for macOS 14

If your org uses Okta Device Access and you have macOS computers running macOS Sonoma (14.0) or later, you can migrate your existing installation to use Platform Single Sign-on 2.0. Your users will be asked to re-enroll in Desktop Password Sync after migrating.

To use Platform SSO 2.0, your macOS computers need to be running macOS Sonoma (14.0) or later. If your org has a mix of macOS computers on different operating systems, you need to configure separate instances of Okta Device Access for users on macOS Ventura (13.0) and macOS Sonoma (14.0).

Tasks

The steps outlined here must be followed in the order they're listed to avoid configuration issues.

Update Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to SettingsDownloads and download Okta Verify for macOS. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your org, Desktop Password Sync can be configured and deployed. Contact your account representative for more information.

After Okta Verify has been updated, continue to the next step.

Configure Device Access SCEP certificates

Apple's Platform Single Sign-on 2.0 requires the configuration of Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates deploy with your mobile device management (MDM) software. They're used to grant access to API endpoints and to identify the device to Okta when making calls to API endpoints. If your org isn't using Platform SSO 2.0, SCEP certificates aren't required.

Review and complete the steps in Set up Device Access SCEP certificates, then return here to continue the Desktop Password Sync upgrade.

Update your device management profile

Using Platform Single Sign-on 2.0 with Okta Desktop Password Sync requires you to make some configuration changes to your existing device management profile.

  1. In your MDM, locate the device management profile for the com.okta.mobile.auth-service-extension domain.

  2. Edit the profile and add the following:

    Copy
    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>

  3. Save the profile.

  4. If you're presented with an option to push the updated profile to your users, do this now.

Update your single sign-on extension profile

Using Platform Single Sign-on 2.0 with Okta Desktop Password Sync requires you to make some configuration changes to your existing single sign-on extension profile.

  1. In your MDM, locate the single sign-on extension profile.

  2. Edit the profile. Set the Use Shared Device Keys setting to Enabled.

  3. Leave all other existing properties as they are.

  4. Save the profile.

  5. If you're presented with an option to push the updated profile to your users, do this now.

After you enable Shared Device Keys, users receive a notification asking them to update their registration. This will take the user through the Desktop Password Sync registration process to sync their Okta password to their macOS account.

You can track which users have completed the registration update by running the following query in System Log reports, located on the Admin Dashboard:

Copy
eventType eq "device.password_sync.enrollment.create" and target.detailEntry.PlatformSsoProtocol eq "2.0"

Related topics

Support your Desktop Password Sync users

Just-In-Time Local Account Creation for macOS

Set up Device Access SCEP certificates