Configure Desktop Password Sync for macOS 14

If your org uses Okta Device Access and you have macOS computers running macOS 14 Sonoma or later, you can migrate your existing installation to use Platform Single Sign-on (Platform SSO) 2.0. Your users are asked to re-enroll in Desktop Password Sync after migrating.

To use Platform SSO 2.0, your macOS computers need to be running macOS 14 Sonoma or later. If your org has a mix of macOS computers on different operating systems, you need to configure separate instances of Okta Device Access for users on macOS 13 Ventura and macOS 14 Sonoma.

Tasks

Follow these steps in sequence to avoid configuration issues:

Update Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication.

In the Admin Console, go to Settings > Downloads and download Okta Verify for macOS. Don't download the Okta Verify package from the Apple App Store.

If the Okta Device Access product is enabled for your org, you can configure and deploy Desktop Password Sync. Contact your account representative for more information.

After Okta Verify has been updated, continue to the next step.

Configure Device Access SCEP certificates

Apple's Platform SSO 2.0 requires the configuration of Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates deploy with your mobile device management (MDM) software. They're used to grant access to API endpoints and to identify the device to Okta when making calls to API endpoints. If your org isn't using Platform SSO 2.0, then you don't need SCEP certificates.

Complete the steps in Device Access SCEP certificates, then return here to continue the Desktop Password Sync upgrade.

Update your device management profile

Using Platform SSO 2.0 together with Desktop Password Sync requires you to make some configuration changes to your existing device management profile.

  1. In your MDM, locate the device management profile for the com.okta.mobile.auth-service-extension domain.

  2. Edit the profile and add the following:

    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>

  3. Save the profile.

  4. If your MDM presents you with an option to push the updated profile to your users, do this now.

Update your single sign-on extension profile

Using Platform SSO 2.0 together with Desktop Password Sync also requires you to make some configuration changes to your existing single sign-on (SSO) extension profile.

  1. In your MDM, locate the SSO extension profile.

  2. Edit the profile. Set the Use Shared Device Keys setting to Enabled.

  3. Leave all other existing properties as they are.

  4. Save the profile.

  5. If your MDM presents you with an option to push the updated profile to your users, do this now.

After you enable Use Shared Device Keys, users receive a notification asking them to update their registration. This takes the user through the Desktop Password Sync registration process to sync their Okta password with their macOS account.

You can track which users have completed the registration update by running the following query in the System Log.

eventType eq "device.password_sync.enrollment.create" and target.detailEntry.PlatformSsoProtocol eq "2.0"
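The same check applied offline to a System Log export, as an added example that is not part of this page or of Okta's own tooling: it mirrors the filter above (event type plus a matching PlatformSsoProtocol on any target) and compares the users it finds against a roster to show who still needs to re-enroll. The event shape, the user names and the "1.0" value on the un-migrated device are constructed sample data, not a real export.

```python
import json

# Constructed sample of System Log events (shape assumed from a JSON export;
# not real data). alice and carol re-enrolled on Platform SSO 2.0, bob's
# enrollment is still on the old protocol, and one event is unrelated.
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "device.password_sync.enrollment.create",
  "actor": {"alternateId": "alice@example.com"},
  "target": [{"type": "Device", "displayName": "alice-mbp",
              "detailEntry": {"PlatformSsoProtocol": "2.0"}}]},
 {"eventType": "device.password_sync.enrollment.create",
  "actor": {"alternateId": "bob@example.com"},
  "target": [{"type": "Device", "displayName": "bob-mbp",
              "detailEntry": {"PlatformSsoProtocol": "1.0"}}]},
 {"eventType": "user.session.start",
  "actor": {"alternateId": "carol@example.com"},
  "target": []},
 {"eventType": "device.password_sync.enrollment.create",
  "actor": {"alternateId": "carol@example.com"},
  "target": [{"type": "Device", "displayName": "carol-mbp",
              "detailEntry": {"PlatformSsoProtocol": "2.0"}}]}
]
""")


def is_psso2_enrollment(event):
    """Equivalent of the System Log filter:
    eventType eq "device.password_sync.enrollment.create"
      and target.detailEntry.PlatformSsoProtocol eq "2.0"
    The target clause matches if any element of the target array matches."""
    if event.get("eventType") != "device.password_sync.enrollment.create":
        return False
    return any((t.get("detailEntry") or {}).get("PlatformSsoProtocol") == "2.0"
               for t in event.get("target") or [])


def migration_status(events, expected_users):
    """Return (migrated, pending): rostered users with and without a
    Platform SSO 2.0 Desktop Password Sync enrollment event."""
    migrated = {e["actor"]["alternateId"] for e in events if is_psso2_enrollment(e)}
    expected = set(expected_users)
    return migrated & expected, expected - migrated


if __name__ == "__main__":
    roster = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
    done, pending = migration_status(SAMPLE_EVENTS, roster)
    print("migrated:", sorted(done))
    print("pending: ", sorted(pending))
```

Replace SAMPLE_EVENTS with the parsed output of a real System Log export and the roster with the users you pushed the updated profiles to.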

Related topics

Support your macOS users

Just-In-Time Local Account Creation for macOS

Device Access SCEP certificates