Just-In-Time Local Account Creation for macOS
Early Access release. See Enable self-service features.
Just-In-Time Local Account Creation allows users to create an account on a macOS computer using their Okta username and password from the macOS login window. Admins can streamline the account creation process for any Okta user in their tenant, which is especially beneficial for shared devices or workstations that support multiple users. This feature uses Platform Single Sign-on, Apple's Identity framework.
Tasks
The tasks outlined here must be followed in the order they're listed to avoid configuration issues.
- Enable Just-In-Time Local Account Creation in the Admin Console.
- Configure Device Access SCEP certificates. SCEP certificates are required to use JIT account creation.
- Configure device management profiles for Just-In-Time account creation. These values must be added to your PlatformSSO profile before using JIT account creation.
- Configure the macOS device using JIT Local Account Creation and hand it off to the user.
Before you begin
- Check that the Okta username is in an email format. See Create a custom character restriction for the Okta username. Characters not supported by macOS, such as +, won't appear in the macOS account name.
- Ensure that the Okta user's first name and last name are populated. The macOS account details are generated from this information.
- If your org uses a different format for user names, you must create a custom attribute for username mapping. Set the Variable name to macOSAccountUsername or macOSAccountFullName so that it matches the TokenToUserMapping in the PlatformSSO profile. See Add custom attributes to apps, directories, and identity providers and Map Okta attributes to app attributes in the Profile Editor.
Configure Device Access SCEP certificates
Just-In-Time Local Account Creation for macOS requires the configuration of Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates are deployed by your mobile device management (MDM) software. They're used to grant access to API endpoints and to identify the device to Okta when making calls to API endpoints. Review and complete the steps in Set up Device Access SCEP certificates, then return here to continue to enable JIT account creation.
Configure device management profiles for Just-In-Time account creation
Using JIT account creation requires you to make some configuration changes to your existing MDM profiles. These instructions assume you're using Jamf Pro for device management. If you're using a different MDM solution, the names of the fields may differ.
- In your MDM, locate the PlatformSSO profile.
- Edit the profile and enable the following:
  - Create New User at Login (EnableCreateUserAtLogin)
  - New User Authorization Mode (NewUserAuthorizationMode): this value determines the privilege type of the account being created. Set it to Admin or Standard. Admin makes every JIT-created user a local administrator of the device, so use Standard unless your users need administrator rights.
  - Use Shared Device Keys (UseSharedDeviceKeys)
  - User Mapping (TokenToUserMapping):
    - Set macOSAccountUsername as the AccountName
    - Set macOSAccountFullName as the FullName
  - Registration Token (RegistrationToken) should be set to a random value. This field isn't used, because the SCEP certificate is used in place of the Registration Token, but it must be populated.
- Locate the device management profile for the com.okta.mobile.auth-service-extension domain.
- Edit the profile and add the following:
  <key>PlatformSSO.ProtocolVersion</key>
  <string>2.0</string>
- Save the profile.
- If you're presented with an option to push the updated profile to your users, do this now.
View a Sample Jamf PlatformSSO profile with JIT account creation parameters for reference.
Set up the new device for JIT account creation
Device requirements
The devices or virtual machines provisioned using JIT account creation must meet the following requirements:
- Computer is running macOS 14.0 (Sonoma) or later.
- Device is enrolled in an MDM solution with support for bootstrap tokens enabled. See Manually Leveraging Apple's Bootstrap Token Functionality for more information.
- Setup Assistant has been completed and the initial local administrator account created.
- Platform Single Sign-on MDM profiles have been pushed to the machine.
- SCEP certificates are present on the computer.
- Okta Verify for macOS version 9.25.0 or later is installed.
- The user exists within Okta.
After the device requirements have been met, an IT administrator must complete the following steps on the computer:
- Sign in to the administrator account on the device. The device is silently registered using the SCEP certificate to authenticate the identity of the device and enroll the device Platform SSO keys.
- Verify that the device was successfully registered. Either of the following confirms it:
  - The Registration Required notification appears, advising the user to sign in with their credentials, or
  - Run app-sso platform -s in Terminal. If registration succeeded, the output contains Device Configuration.registrationCompleted = true and the Login Configuration object isn't null.
- If the device wasn't successfully registered, review the Okta Verify logs to find the reason for the failure. Resolve the issue and restart the device registration process by signing out and back in again.
- Optional. Complete the Desktop Password Sync registration (this enrolls the IT administrator's account in Okta FastPass).
- On the macOS device, open Users & Groups in System Settings and ensure that there are no duplicate accounts with similar names on the computer (for example, j.smith and jl.smith). If extra accounts are found, delete the extra users and ensure that their home directories are removed from /Users/.
- Open Lock Screen in System Settings and set Login window shows to Name and password. This setting presents a user name field on the macOS login window, so a user who doesn't yet have a local account can type their Okta username.
At this point, the computer is ready to hand off to the end user.
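The handoff checklist above, collected into one script as an added example for this page (it is not Okta's or Apple's tooling). It shells out to the macOS commands the steps rely on and reports anything that would stop account creation at the login window: the macOS and Okta Verify minimum versions, bootstrap token escrow, the installed PlatformSSO profile, the app-sso registration state and the login window mode, and it lists the local accounts to review for near-duplicates. The Okta Verify install path, the profile identifier (taken from the sample profile on this page) and the exact line layout of app-sso platform -s output are assumptions; the two status outputs used by the self-checks are constructed, not captured from a device.

```python
"""Pre-handoff checks for a Mac prepared for Okta JIT local account creation.
Added example for this page, not an Okta or Apple tool. The macOS commands it
shells out to (sw_vers, defaults, profiles, app-sso, dscl) are real; the line
layout expected from `app-sso platform -s`, the Okta Verify install path and
the profile identifier are assumptions taken from the page's text and sample.
"""
import re
import subprocess
import sys

MIN_MACOS = "14.0"          # macOS Sonoma or later
MIN_OKTA_VERIFY = "9.25.0"  # Okta Verify for macOS 9.25.0 or later
OKTA_VERIFY_PLIST = "/Applications/Okta Verify.app/Contents/Info.plist"  # assumed default install path
PSSO_PROFILE_ID = "com.customer-name.profiles.ssoextension"  # PayloadIdentifier from the sample; use yours


def version_ge(have: str, want: str) -> bool:
    """Numeric dotted-version comparison: '14.5' >= '14.0', but '9.9.1' < '9.25.0'."""
    a = [int(p) for p in re.findall(r"\d+", have)]
    b = [int(p) for p in re.findall(r"\d+", want)]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) >= b + [0] * (width - len(b))


def registration_ok(status_text: str) -> bool:
    """Decide from `app-sso platform -s` output whether device registration completed.
    Success means registrationCompleted = true in the Device Configuration and a
    Login Configuration that isn't null. Assumed layout: a 'Login Configuration:'
    header followed by indented 'key = value' lines, or '(null)' when absent.
    """
    if "registrationCompleted = true" not in status_text:
        return False
    lines = status_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Login Configuration"):
            if "(null)" in line:
                return False
            body = [ln.strip() for ln in lines[i + 1:] if ln.strip()]
            # the next non-empty line must be a value: not '(null)', not another section header
            return bool(body) and "(null)" not in body[0] and not body[0].endswith(":")
    return False


# Constructed sample outputs for the self-test; not captured from a real device.
GOOD_STATUS = """Device Configuration:
    registrationCompleted = true
Login Configuration:
    accountDisplayName = Okta
"""
BAD_STATUS = """Device Configuration:
    registrationCompleted = true
Login Configuration:
    (null)
"""


def run(*cmd: str) -> str:
    """Run a macOS command and return its stdout; empty string if it is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, PermissionError):
        return ""


def device_checks() -> list[str]:
    """Check the page's device requirements and handoff settings; returns findings (empty = ready)."""
    findings = []
    macos = run("sw_vers", "-productVersion").strip()
    if not version_ge(macos or "0", MIN_MACOS):
        findings.append(f"macOS {macos or 'unknown'} is older than {MIN_MACOS}")
    ov = run("defaults", "read", OKTA_VERIFY_PLIST, "CFBundleShortVersionString").strip()
    if not version_ge(ov or "0", MIN_OKTA_VERIFY):
        findings.append(f"Okta Verify {ov or 'not found'} is older than {MIN_OKTA_VERIFY}")
    if "escrowed to server: YES" not in run("profiles", "status", "-type", "bootstraptoken"):
        findings.append("bootstrap token not escrowed to the MDM (needs sudo to read)")
    if PSSO_PROFILE_ID not in run("profiles", "list"):
        findings.append(f"profile {PSSO_PROFILE_ID} not installed (needs sudo to list computer-level profiles)")
    if not registration_ok(run("app-sso", "platform", "-s")):
        findings.append("device registration incomplete: check Okta Verify logs, sign out and back in")
    # SHOWFULLNAME = 1 is 'Name and password', which lets a user with no local account type an Okta username
    if run("defaults", "read", "/Library/Preferences/com.apple.loginwindow", "SHOWFULLNAME").strip() != "1":
        findings.append("login window shows the user list; set Login window shows to Name and password")
    return findings


def local_accounts() -> list[str]:
    """Local accounts with UID >= 501, to review for near-duplicates such as j.smith and jl.smith."""
    users = []
    for ln in run("dscl", ".", "-list", "/Users", "UniqueID").splitlines():
        parts = ln.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]) >= 501:
            users.append(parts[0])
    return sorted(users)


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("run this on the macOS device being prepared")
    problems = device_checks()
    print("local accounts to review:", ", ".join(local_accounts()) or "none")
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it with sudo in the administrator session after the Desktop Password Sync step; the profile and bootstrap token checks read computer-level state that is not visible to an unprivileged user. The SCEP certificate is not checked because its subject name depends on your MDM's SCEP payload.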
Sample Jamf PlatformSSO profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Configuration</key>
      <array>
        <dict>
          <key>ApplicationIdentifier</key>
          <string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
          <key>AssociatedDomains</key>
          <array>
            <!-- replace accuhive.okta.com with your tenant address -->
            <string>authsrv:accuhive.okta.com</string>
          </array>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Associated Domains for Okta Verify</string>
      <key>PayloadIdentifier</key>
      <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
      <key>PayloadOrganization</key>
      <string>CUSTOMER NAME</string>
      <key>PayloadType</key>
      <string>com.apple.associated-domains</string>
      <key>PayloadUUID</key>
      <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PlatformSSO</key>
      <dict>
        <key>AccountDisplayName</key>
        <string>Actor</string>
        <key>AuthenticationMethod</key>
        <string>Password</string>
        <key>EnableCreateUserAtLogin</key>
        <true/>
        <!-- New User Authorization Mode: Standard or Admin (Admin makes every JIT-created user a local administrator) -->
        <key>NewUserAuthorizationMode</key>
        <string>Standard</string>
        <key>TokenToUserMapping</key>
        <dict>
          <key>AccountName</key>
          <string>macOSAccountUsername</string>
          <key>FullName</key>
          <string>macOSAccountFullName</string>
        </dict>
        <key>UseSharedDeviceKeys</key>
        <true/>
      </dict>
      <!-- any random value; the SCEP certificate is used instead, but the key must be populated -->
      <key>RegistrationToken</key>
      <string>********</string>
      <key>ExtensionIdentifier</key>
      <string>com.okta.mobile.auth-service-extension</string>
      <key>Hosts</key>
      <array/>
      <key>TeamIdentifier</key>
      <string>B7F62B65BN</string>
      <key>Type</key>
      <string>Redirect</string>
      <key>URLs</key>
      <array>
        <!-- replace accuhive.okta.com with your tenant address -->
        <string>https://accuhive.okta.com/device-access/api/v1/nonce</string>
        <string>https://accuhive.okta.com/oauth2/v1/token</string>
      </array>
      <key>PayloadDisplayName</key>
      <string>Okta Verify Sign-On Extensions Payload</string>
      <key>PayloadIdentifier</key>
      <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
      <key>PayloadOrganization</key>
      <string>CUSTOMER NAME</string>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadUUID</key>
      <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Okta PSSO extension configuration</string>
  <key>PayloadDisplayName</key>
  <string>Okta PSSO extension</string>
  <key>PayloadIdentifier</key>
  <string>com.customer-name.profiles.ssoextension</string>
  <key>PayloadOrganization</key>
  <string>CUSTOMER NAME</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
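Because every one of these values must be in the profile before JIT account creation works, it is worth linting the unsigned .mobileconfig before the MDM pushes it. The following is an added example for this page (not an Okta tool) that parses the profile with plistlib and checks the extensible SSO payload for the settings the configuration steps require, plus tenant consistency between the authsrv: associated domain and the URLs. Key names come from the sample above and Apple's Extensible SSO payload; NewUserAuthorizationMode is assumed to be the key behind the New User Authorization Mode setting, and the profile the script builds for its own self-check is constructed to mirror the sample (accuhive.okta.com is the page's placeholder tenant, not a real one).

```python
"""Lint an Okta PlatformSSO configuration profile for the JIT account creation settings.
Added example for this page, not an Okta tool. Key names follow the page's sample
profile and Apple's Extensible SSO payload; NewUserAuthorizationMode is assumed to
be the key behind the 'New User Authorization Mode' setting. Works on an unsigned
XML .mobileconfig (a CMS-signed profile must be unwrapped first).
"""
import plistlib
from urllib.parse import urlparse

OKTA_EXTENSION_ID = "com.okta.mobile.auth-service-extension"
OKTA_TEAM_ID = "B7F62B65BN"
REQUIRED_PATHS = ("/device-access/api/v1/nonce", "/oauth2/v1/token")


def check_psso_profile(mobileconfig: bytes) -> list[str]:
    """Return the problems found; an empty list means every JIT setting is present and consistent."""
    root = plistlib.loads(mobileconfig)
    payloads = root.get("PayloadContent", [])
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return [f"expected one com.apple.extensiblesso payload, found {len(sso)}"]
    ext = sso[0]
    problems = []
    if ext.get("ExtensionIdentifier") != OKTA_EXTENSION_ID:
        problems.append(f"ExtensionIdentifier must be {OKTA_EXTENSION_ID}")
    if ext.get("TeamIdentifier") != OKTA_TEAM_ID:
        problems.append(f"TeamIdentifier must be {OKTA_TEAM_ID}")
    if ext.get("Type") != "Redirect":
        problems.append("Type must be Redirect")
    if not ext.get("RegistrationToken"):
        problems.append("RegistrationToken must be populated (unused; the SCEP certificate replaces it)")
    psso = ext.get("PlatformSSO", {})
    for flag in ("EnableCreateUserAtLogin", "UseSharedDeviceKeys"):
        if psso.get(flag) is not True:
            problems.append(f"PlatformSSO.{flag} must be true")
    if psso.get("NewUserAuthorizationMode") not in ("Standard", "Admin"):
        problems.append("PlatformSSO.NewUserAuthorizationMode must be Standard or Admin")
    mapping = psso.get("TokenToUserMapping", {})
    for key, want in (("AccountName", "macOSAccountUsername"), ("FullName", "macOSAccountFullName")):
        if mapping.get(key) != want:
            problems.append(f"TokenToUserMapping.{key} must be {want}")
    # Tenant consistency: the authsrv: associated domain and every URL must name the same host, over https
    hosts = {d.split(":", 1)[1]
             for p in payloads if p.get("PayloadType") == "com.apple.associated-domains"
             for c in p.get("Configuration", [])
             for d in c.get("AssociatedDomains", []) if d.startswith("authsrv:")}
    if len(hosts) != 1:
        problems.append("expected exactly one authsrv: entry in the associated-domains payload")
    urls = ext.get("URLs", [])
    for url in urls:
        u = urlparse(url)
        if u.scheme != "https" or u.hostname not in hosts:
            problems.append(f"URL {url} is not https on the tenant host")
    for path in REQUIRED_PATHS:
        if not any(urlparse(u).path == path for u in urls):
            problems.append(f"URLs is missing the {path} endpoint")
    return problems


def sample_profile(tenant="accuhive.okta.com", url_tenant=None, **psso_overrides) -> bytes:
    """Constructed profile shaped like the page's sample (not a real tenant); pass key=None to drop a PlatformSSO key."""
    url_tenant = url_tenant or tenant
    psso = {
        "AccountDisplayName": "Actor",
        "AuthenticationMethod": "Password",
        "EnableCreateUserAtLogin": True,
        "NewUserAuthorizationMode": "Standard",
        "TokenToUserMapping": {"AccountName": "macOSAccountUsername", "FullName": "macOSAccountFullName"},
        "UseSharedDeviceKeys": True,
    }
    psso.update(psso_overrides)
    psso = {k: v for k, v in psso.items() if v is not None}
    root = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadContent": [
            {"PayloadType": "com.apple.associated-domains",
             "Configuration": [{"ApplicationIdentifier": f"{OKTA_TEAM_ID}.{OKTA_EXTENSION_ID}",
                                "AssociatedDomains": [f"authsrv:{tenant}"]}]},
            {"PayloadType": "com.apple.extensiblesso",
             "ExtensionIdentifier": OKTA_EXTENSION_ID, "TeamIdentifier": OKTA_TEAM_ID,
             "Type": "Redirect", "RegistrationToken": "********", "Hosts": [],
             "PlatformSSO": psso,
             "URLs": [f"https://{url_tenant}{path}" for path in REQUIRED_PATHS]},
        ],
    }
    return plistlib.dumps(root)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile()
    problems = check_psso_profile(data)
    for problem in problems:
        print("FAIL:", problem)
    print("profile OK" if not problems else "fix the profile before pushing it")
```

Point it at the exported profile (python3 lint_psso.py okta-psso.mobileconfig) and fix every FAIL line before pushing; with no argument it lints its own constructed sample. The PlatformSSO.ProtocolVersion key lives in the separate com.okta.mobile.auth-service-extension profile and is not checked here.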
Next steps
Support your Desktop MFA users
Support your Desktop Password Sync users