Configure Desktop Password Sync for macOS

Okta's Desktop Password Sync uses Apple's Platform Single Sign-on (Platform SSO) feature to reduce the number of passwords that users need to remember. When you configure and deploy Desktop Password Sync , users are prompted to register the device and link their local account with Okta. After registration is complete, the local account password syncs with the Okta password, and users can use their Okta password to sign in to macOS. Desktop Password Sync replaces a user's local macOS password with the user's Okta password.

Set up the Platform Single Sign-on app integration in the Admin Console, and then configure the device management profiles in your mobile device management (MDM) solution. You can push the profiles to specific users or groups for immediate registration.

Depending on your configuration, the registration flow enrolls users in Okta FastPass and may enable Touch ID. If Okta FastPass requires biometrics based on your admin and org configurations, users must have Touch ID set up before starting the enrollment flow.

Okta supports Platform SSO for macOS computers using Ventura (13.0) and later. Support for Platform SSO 2.0 is available for macOS computers using Sonoma (14.0) and later. Platform SSO 2.0 allows users to use Desktop Password Sync directly from the macOS login window.

If your org is using Platform SSO 2.0, users can only register one Okta account per device. For example, if a user is enrolled in Desktop Password Sync as user@company.com and has synced with the local account on the device, user@company.com isn't able to enroll a second local account with the same Okta user unless the device has been restored to its factory settings. See Support your Desktop Password Sync users.

Prerequisites

Ensure that you meet these requirements:

• Your Okta Identity Engine org is available.
• The Okta Verify authenticator is set up in your org.
• Your macOS computers are running a minimum of macOS Ventura (13.0 and later. Best practice is 13.5).
  • If your computers are running macOS Sonoma (14.0) or later, use the Platform SSO 2.0 protocol.
  • To use Platform SSO 2.0, Set up Device Access SCEP certificates before configuring the app integration.
• Devices must be enrolled in a mobile device management (MDM) software that supports deployment of payloads.
• Users must have a password configured. Note that this is different from a passwordless sign-in flow. During a passwordless sign-in flow, there's a password in the background but it remains unused during authentication. True passwordless users have no password set.
• The Platform Single Sign-on app is available for your org. If you can't locate the app in the app catalog, contact your account representative.
• Optional: If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the enrollment flow.
• Disable macOS password expiration with your MDM before deploying.
  • If your org requires password rotation, add expiration to the Okta accounts that require it.

Tasks

• Create and configure the app integration

• Download Okta Verify for macOS

• Set up Device Access SCEP certificates

• Configure device management profiles for Desktop Password Sync

Create and configure the app integration

1. Sign in to your Okta tenant as a super admin.

2. In the Admin Console, go to Applications Applications Catalog.

3. Search for Platform Single Sign-on and select the app. This is the new name for Desktop Password Sync within the Okta Admin Console.

4. Click Add integration. If you get an error message saying This feature isn't enabled, contact your account representative.

5. Open Desktop Password Sync from your Applications list to configure it:

   • On the General tab, you can edit the application label or use the default label.

   • On the Sign on tab, make note of the Client ID. You need this when creating the managed app configuration in your MDM.

   • Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.

6. Click Save.

Download Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to SettingsDownloads and download Okta Verify for macOS. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your org, Desktop Password Sync can be configured and deployed. Contact your account representative for more information.

Next steps

Configure device management profiles for Desktop Password Sync

Configure Platform Single Sign-on for macOS 14

Support your Desktop Password Sync users