Configure device management profiles for Desktop Password Sync

Set up Desktop Password Sync for macOS and create managed profiles to enable the password sync workflow on your devices. You can use any device management solution that supports extensible SSO payload deployment with platform SSO authentication enabled. These instructions assume you're using Jamf Pro for device management.

Desktop Password Sync for macOS requires three types of payloads for full functionality:

  1. An extensible single sign-on profile deployed at the computer level.

  2. An AssociatedDomain payload. This can be within the same profile as the extensible single sign-on extension.

  3. An Okta Verify configuration for macOS devices, containing the org URL, username, and client ID. The username and client ID are specific to Desktop Password Sync and need to be scoped to the SSO extension domain only. Add a separate entry for each Okta preference domain.

You're asked for your org URL (for example, https://customerorg.okta.com) at several points during setup. Use the same org URL everywhere you're prompted for one. If you have a custom domain configured, use the custom domain URL instead.

Tasks

Create a single sign-on extension profile

The SSO extension extends to the macOS sign-in window, which enables users to use their Okta credentials to unlock their computer. The local account password is automatically kept in sync, so the local password and Okta password match. Create profiles in your device management software with the following parameters:

  • Payload type: SSO

  • Extension identifier: com.okta.mobile.auth-service-extension

  • Team identifier: B7F62B65BN

  • Sign-on type: Redirect

  • URLs: Add your Okta org URL with the paths /device-access/api/v1/nonce and /oauth2/v1/token appended. See the following examples:

    • https://customerorg.okta.com/device-access/api/v1/nonce

    • https://customerorg.okta.com/oauth2/v1/token

  • Use Platform SSO: Enabled

  • Authentication method: Password

  • App Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension

  • Associated Domain: Your org URL with authsrv: preceding the URL, for example, authsrv:customerorg.okta.com. For more information, review Apple's AssociatedDomains documentation.

  • Account Display Name: The display name for the account in notifications and authentication requests. This is set at a system level, and not at a user-specific level. Any value set here is shown to all users.

Create a device management profile

A managed app configuration lets you enable the Desktop Password Sync functionality that is built into Okta Verify for macOS.

Create a managed app configuration for macOS devices. In the new profile, create a separate payload entry for each of the two Okta preference domains (com.okta.mobile and com.okta.mobile.auth-service-extension), plus one for Apple's com.apple.preference.security domain. The two Okta entries share the org URL and username keys; only the com.okta.mobile.auth-service-extension entry carries the Desktop Password Sync client ID:

com.okta.mobile preference domain:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
</dict>
</plist>

If this has already been configured for Okta Verify or Okta FastPass, you don't need to create it again. The same configuration can be used for Desktop Password Sync.

com.okta.mobile.auth-service-extension preference domain:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://replace-with-your-org-URL</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>replace-with-your-client-ID</string>
</dict>
</plist>

Replace the strings for your org URL and client ID. Use the same org URL (https://customerorg.okta.com) throughout the Desktop Password Sync setup process. See Configure Desktop Password Sync for macOS for your client ID.

$USERNAME is an optional value for OktaVerify.UserPrincipalName, which automatically populates the username in the Sign-In Widget. If a value isn't specified, users need to input their username when signing in.

com.apple.preference.security preference domain:

<plist version="1.0">
<dict>
<key>dontAllowPasswordResetUI</key>
<true/>
</dict>
</plist>

This payload disables the ability to change the local account password. Because the password is synced with Okta, the user shouldn't change the password locally. To change a password, users should change their Okta password and then sync it at the lock screen of the computer.

For more information, see Apple's SecurityPreferences documentation.

Distribute the profile to all computers in scope, or distribute to newly assigned devices only.

After creating and distributing the device management profile, your managed users can begin to sync their local macOS password with their Okta password. A system notification displays a message to users that registration is required to sync their local macOS password to their Okta password. Desktop Password Sync also sets up Okta FastPass as part of the enrollment process. Your users may already have Okta FastPass enabled. If biometrics for Okta FastPass are enabled, the Desktop Password Sync enrollment flow prompts users for Touch ID to successfully set up Okta FastPass.
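The steps above spread one org URL and one client ID across several payloads, which is exactly where hand-typed profiles drift (a host mistyped in one URL, the client ID left out of the extension domain, the password-reset lock forgotten). The following Python script is an added example, not Okta's or Apple's code and not one of this page's own profile samples: it builds the payloads listed above from a single org URL with the standard-library plistlib, placing AuthenticationMethod where Ventura or Sonoma expects it and the client ID only in the com.okta.mobile.auth-service-extension domain, then lints a profile for cross-payload inconsistencies. The org_prefix, display names, the client ID string and the lint rules are assumptions made for the example; the rules encode only what this page states.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Values fixed by this page: Okta Verify's team ID, extension ID, and the
# associated-domains ApplicationIdentifier formed from them.
TEAM_ID = "B7F62B65BN"
EXT_ID = "com.okta.mobile.auth-service-extension"
APP_ID = f"{TEAM_ID}.{EXT_ID}"


def _payload(ptype, org_prefix, **body):
    """Wrap payload-specific keys with the common Payload* keys an MDM expects."""
    return {"PayloadType": ptype, "PayloadIdentifier": f"{org_prefix}.{ptype}",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1, **body}


def build_profile(org_url, client_id, username="$USERNAME", sonoma=True,
                  org_prefix="com.example.profiles"):   # org_prefix is an assumed placeholder
    """Build the profile dict with every payload derived from one org URL.

    The nonce/token URLs and the authsrv: domain come from the same host, so the
    org URL cannot drift between payloads; the Desktop Password Sync client ID is
    placed only in the auth-service-extension preference domain.
    """
    org_url = org_url.rstrip("/")
    parts = urlparse(org_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"org URL must look like https://<host>: {org_url!r}")
    host = parts.netloc
    sso = {"ExtensionIdentifier": EXT_ID, "TeamIdentifier": TEAM_ID, "Type": "Redirect",
           "Hosts": [], "URLs": [f"{org_url}/device-access/api/v1/nonce",
                                 f"{org_url}/oauth2/v1/token"]}
    if sonoma:   # macOS Sonoma nests the method under PlatformSSO
        sso["PlatformSSO"] = {"AuthenticationMethod": "Password"}
    else:        # macOS Ventura keeps it at the top level of the payload
        sso["AuthenticationMethod"] = "Password"
    okta_common = {"OktaVerify.OrgUrl": org_url, "OktaVerify.UserPrincipalName": username}
    payloads = [
        _payload("com.apple.associated-domains", org_prefix, Configuration=[
            {"ApplicationIdentifier": APP_ID, "AssociatedDomains": [f"authsrv:{host}"]}]),
        _payload("com.apple.extensiblesso", org_prefix, **sso),
        _payload("com.okta.mobile", org_prefix, **okta_common),
        _payload(EXT_ID, org_prefix, **okta_common,
                 **{"OktaVerify.PasswordSyncClientID": client_id}),
        _payload("com.apple.preference.security", org_prefix, dontAllowPasswordResetUI=True),
    ]
    return {"PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
            "PayloadIdentifier": f"{org_prefix}.desktop-password-sync",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Okta Desktop Password Sync", "PayloadContent": payloads}


def lint_profile(profile):
    """Return a list of problems; an empty list means the payloads agree with each other."""
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    problems = []
    ext = by_type.get(EXT_ID, {})
    org = ext.get("OktaVerify.OrgUrl", "")
    host = urlparse(org).netloc
    if not org:
        problems.append(f"{EXT_ID}: OktaVerify.OrgUrl missing")
    if not ext.get("OktaVerify.PasswordSyncClientID"):
        problems.append(f"{EXT_ID}: OktaVerify.PasswordSyncClientID missing")
    if by_type.get("com.okta.mobile", {}).get("OktaVerify.OrgUrl") != org:
        problems.append("com.okta.mobile: OktaVerify.OrgUrl differs from the extension domain")
    sso = by_type.get("com.apple.extensiblesso", {})
    ids = (sso.get("ExtensionIdentifier"), sso.get("TeamIdentifier"), sso.get("Type"))
    if ids != (EXT_ID, TEAM_ID, "Redirect"):
        problems.append(f"extensiblesso: identifiers/Type {ids} are not the Okta Verify values")
    # Accept either placement of the method, but require the value Password.
    method = sso.get("AuthenticationMethod") or sso.get("PlatformSSO", {}).get("AuthenticationMethod")
    if method != "Password":
        problems.append("extensiblesso: AuthenticationMethod must be Password "
                        "(top level on Ventura, under PlatformSSO on Sonoma)")
    for url in sso.get("URLs", []):
        if urlparse(url).netloc != host:
            problems.append(f"extensiblesso: URL host {urlparse(url).netloc!r} != org host {host!r}")
    domains = [d for c in by_type.get("com.apple.associated-domains", {}).get("Configuration", [])
               if c.get("ApplicationIdentifier") == APP_ID for d in c.get("AssociatedDomains", [])]
    if f"authsrv:{host}" not in domains:
        problems.append(f"associated-domains: expected 'authsrv:{host}' for {APP_ID}, got {domains}")
    if by_type.get("com.apple.preference.security", {}).get("dontAllowPasswordResetUI") is not True:
        problems.append("preference.security: dontAllowPasswordResetUI not true; local resets stay enabled")
    return problems


def to_mobileconfig(profile):
    """Serialise to XML plist, the .mobileconfig form an MDM uploads."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse an exported .mobileconfig (bytes) so lint_profile can check it."""
    return plistlib.loads(data)


if __name__ == "__main__":
    good = build_profile("https://customerorg.okta.com", "0oa-constructed-client-id")  # constructed values
    print("good:", lint_profile(good))
    bad = from_mobileconfig(to_mobileconfig(good))   # round-trip, then break one URL host
    bad["PayloadContent"][1]["URLs"][0] = "https://other-org.okta.com/device-access/api/v1/nonce"
    print("bad:", lint_profile(bad))
```

To check a profile exported from your MDM, call lint_profile(from_mobileconfig(open(path, "rb").read())). For Jamf Pro, which takes only the inner property list per preference domain rather than a whole .mobileconfig, the relevant pieces are the bodies of the com.okta.mobile and com.okta.mobile.auth-service-extension payload dicts that build_profile produces.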

MDM setup examples

Choose the appropriate format for your MDM and macOS version.

Generic MDM

com.apple.associated-domains payload:

<key>PayloadType</key>
<string>com.apple.associated-domains</string>
<key>Configuration</key>
<array>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
<key>AssociatedDomains</key>
<array>
<string>authsrv:customerorg.okta.com</string>
</array>
</dict>
</array>

macOS Ventura com.apple.extensiblesso payload:

<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Hosts</key>
<array/>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<string>https://customerorg.okta.com/device-access/api/v1/nonce</string>
<string>https://customerorg.okta.com/oauth2/v1/token</string>
</array>

macOS Sonoma com.apple.extensiblesso payload:

<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PlatformSSO</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Hosts</key>
<array/>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<string>https://customerorg.okta.com/device-access/api/v1/nonce</string>
<string>https://customerorg.okta.com/oauth2/v1/token</string>
</array>

com.okta.mobile payload:

<key>PayloadType</key>
<string>com.okta.mobile</string>
<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>username@domain.com</string>

com.okta.mobile.auth-service-extension payload:

<key>PayloadType</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>your-client-ID</string>
<key>OktaVerify.UserPrincipalName</key>
<string>username@domain.com</string>

com.apple.preference.security payload:

<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>dontAllowPasswordResetUI</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.dontAllowPasswordResetUI</string>
<key>PayloadType</key>
<string>com.apple.preference.security</string>
<key>PayloadUUID</key>
<string>d99bb019-1010-447f-8fed-8f223cc56be3</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Restrict Local Password Reset for Okta's PSSO extension</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.restrictLocalPasswordReset</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>b44b6a04-6527-4333-1010-46422e8a5844</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Examples for Jamf Pro

com.okta.mobile Preference Domain:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
</dict>
</plist>

com.okta.mobile.auth-service-extension Preference Domain:

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://replace-with-your-org-URL</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>replace-with-your-client-ID</string>
</dict>
</plist>

com.apple.preference.security Preference Domain:

<plist version="1.0">
<dict>
<key>dontAllowPasswordResetUI</key>
<true/>
</dict>
</plist>

Examples for Kandji

macOS Ventura Desktop Password Sync config:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Configuration</key>
<array>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
<key>AssociatedDomains</key>
<array>
<!-- replace accuhive.okta.com with your tenant address -->
<string>authsrv:accuhive.okta.com</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Associated Domains for Okta Verify</string>
<key>PayloadIdentifier</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.apple.associated-domains</string>
<key>PayloadUUID</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Hosts</key>
<array/>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<!-- replace accuhive.okta.com with your tenant address -->
<string>https://accuhive.okta.com/device-access/api/v1/nonce</string>
<string>https://accuhive.okta.com/oauth2/v1/token</string>
</array>
<key>PayloadDisplayName</key>
<string>Okta Verify Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Okta PSSO extension configuration</string>
<key>PayloadDisplayName</key>
<string>Okta PSSO extension</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.ssoextension</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

macOS Sonoma Desktop Password Sync config:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Configuration</key>
<array>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
<key>AssociatedDomains</key>
<array>
<!-- replace accuhive.okta.com with your tenant address -->
<string>authsrv:accuhive.okta.com</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Associated Domains for Okta Verify</string>
<key>PayloadIdentifier</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.apple.associated-domains</string>
<key>PayloadUUID</key>
<string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PlatformSSO</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
</dict>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Hosts</key>
<array/>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<!-- replace accuhive.okta.com with your tenant address -->
<string>https://accuhive.okta.com/device-access/api/v1/nonce</string>
<string>https://accuhive.okta.com/oauth2/v1/token</string>
</array>
<key>PayloadDisplayName</key>
<string>Okta Verify Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Okta PSSO extension configuration</string>
<key>PayloadDisplayName</key>
<string>Okta PSSO extension</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.ssoextension</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Okta Verify config:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<!-- replace accuhive.okta.com with your tenant -->
<key>OktaVerify.OrgUrl</key>
<string>https://accuhive.okta.com</string>
<!-- replace YOUR_CLIENT_ID with your Desktop Password Sync app Client ID -->
<key>OktaVerify.PasswordSyncClientID</key>
<string>YOUR_CLIENT_ID</string>
<!-- optional keys -->
<key>OktaVerify.EnrollmentOptions</key>
<string>SilentEnrollmentEnabled</string>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
<key>OktaVerify.UserPrincipalName</key>
<string>username@domain.com</string>
<!-- end of optional keys -->
<key>PayloadDescription</key>
<string>Configures Okta Verify settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify configuration</string>
<key>PayloadIdentifier</key>
<string>DEB5863A-E503-468C-A3DE-D90479F1E10A</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.okta.mobile</string>
<key>PayloadUUID</key>
<string>1D89FEA8-BAFE-42F5-9393-634BE23009D8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<!-- replace accuhive.okta.com with your tenant -->
<key>OktaVerify.OrgUrl</key>
<string>https://accuhive.okta.com</string>
<!-- replace YOUR_CLIENT_ID with your Desktop Password Sync app Client ID -->
<key>OktaVerify.PasswordSyncClientID</key>
<string>YOUR_CLIENT_ID</string>
<!-- optional keys -->
<key>OktaVerify.EnrollmentOptions</key>
<string>SilentEnrollmentEnabled</string>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
<key>OktaVerify.UserPrincipalName</key>
<string>username@domain.com</string>
<!-- end of optional keys -->
<key>PayloadDescription</key>
<string>Configures Okta Verify settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify (auth service) configuration</string>
<key>PayloadIdentifier</key>
<string>E5F1356E-3B04-43F7-8E8C-2213F7D74B13</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadType</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>PayloadUUID</key>
<string>6764E8E4-0A37-4206-96E2-A73B2DFA5673</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures settings</string>
<key>PayloadDisplayName</key>
<string>Okta Verify Configuration</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.oktaverify</string>
<key>PayloadOrganization</key>
<string>CUSTOMER NAME</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9A641D93-471C-44D7-8B54-264E842A12C8</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

com.apple.preference.security config:

<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>dontAllowPasswordResetUI</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.customer-name.profiles.dontAllowPasswordResetUI</string>
<key>PayloadType</key>
<string>com.apple.preference.security</string>
<key>PayloadUUID</key>
<string>d99bb019-1010-447f-8fed-8f223cc56be3</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Restrict Local Password Reset for Okta's PSSO extension</string>
<key>PayloadIdentifier</key>
<string>com.customer-name.restrictLocalPasswordReset</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>b44b6a04-6527-4333-1010-46422e8a5844</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Next steps

Support your Desktop Password Sync users