Desktop Password Sync for macOS

The Desktop Password Sync feature for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to reduce the number of passwords that users need to remember. Okta also supports Platform SSO through the Apple Setup Assistant, allowing users to enroll their device and link their Okta account as part of the initial macOS setup process. This streamlines device provisioning and ensures a seamless first-time user experience.

When you configure and deploy Desktop Password Sync for existing macOS accounts, users are prompted to register the device and link their local account with Okta. After registration is complete, the local account password syncs with the Okta password, and users can use their Okta password to sign in to macOS. Desktop Password Sync replaces a user's local macOS password with the user's Okta password.

Registration flow

Depending on your configuration, the registration flow for Desktop Password Sync enrolls users in Okta FastPass and may enable Touch ID.

If Okta FastPass requires biometrics based on your admin and org configurations, users with existing macOS accounts must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

Platform SSO support

Okta supports the following Platform SSO configurations:

  • Platform SSO using macOS 13 Ventura.

  • Platform SSO 2.0 is available for macOS computers on macOS 14 Sonoma and later. This allows users to use Desktop Password Sync directly from the macOS login window.

  • Platform SSO through Setup Assistant for macOS 26 Tahoe and later with a supported MDM.

If your org uses Platform SSO 2.0, users can only register one Okta account per device. For example, consider a scenario where a user is enrolled in Desktop Password Sync as user@company.com and syncs using the local account on the device. Then user@company.com can't enroll a second local account with the same Okta credentials until the device is restored to the factory settings.

Tasks

Set up the Platform Single Sign-on app in the Admin Console, and then configure the device management profiles in your mobile device management (MDM) solution. You can push the profiles to specific users or groups for immediate registration.

Follow these steps in sequence to avoid configuration issues:

Before you begin

Ensure that you meet these requirements:

  • The Okta Verify authenticator is set up in your org.
  • Your macOS computers are running a minimum of macOS 13 Ventura.
    • If your computers are running macOS 14 Sonoma or later, use the Platform SSO 2.0 protocol.
    • To use Platform SSO 2.0, set up Device Access certificates before configuring the app integration.

  • Enroll devices using mobile device management (MDM) software that supports deployment of payloads.
  • Users must have a password configured. This differs from a passwordless sign-in flow, where a password exists in the background but isn't used during authentication; true passwordless users have no password set at all.
  • The Platform Single Sign-on app is available for your org. If you can't locate the app in the app catalog, contact your account representative.
  • Optional. If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the enrollment flow.
  • Disable macOS password expiration with your MDM before deploying. If your org requires password rotation, add password expiration to the Okta accounts that require it.

Create and configure the Platform Single Sign-on app

  1. Sign in to your Okta org as a super admin.

  2. In the Admin Console, go to Applications > Applications.

  3. Click Browse App Catalog.

  4. Search for Platform Single Sign-on and select the app.

  5. Click Add integration.

    If you get an error message saying This feature isn't enabled, contact your account representative.

  6. Optional. Update the app label if you prefer a different name.

  7. Click Done to add the app integration.

  8. On the Sign On tab, copy the Client ID. You need this value when creating your MDM configuration profiles.

  9. To use Desktop Password Sync, users must have the Platform Single Sign-on app assigned. Click the Assignments tab and assign the app to individual users or groups.
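Two of the requirements above are easy to get wrong in the MDM profile: the passcode payload must not enforce macOS password expiration (see Before you begin), and the Client ID copied in step 8 must match what the profile carries. The following pre-deployment lint, an added example that is not Okta's or Apple's code, parses a .mobileconfig with Python's standard plistlib and reports both problems. It uses Apple's documented payload types and keys (com.apple.extensiblesso with Type, PlatformSSO/AuthenticationMethod, and com.apple.mobiledevice.passwordpolicy with maxPINAgeInDays). The placement of the Okta Client ID under ExtensionData/ClientID, the function names, and the sample profile with its placeholder extension and team identifiers are assumptions constructed for the example; take the real values from Okta's MDM profile documentation.

```python
"""Pre-deployment lint for a macOS Platform SSO .mobileconfig (added example)."""
import plistlib
from typing import Any, Dict, List

SSO_PAYLOAD = "com.apple.extensiblesso"                     # Apple's Extensible SSO payload
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"  # Apple's passcode policy payload


def lint_profile(profile_bytes: bytes, expected_client_id: str) -> List[str]:
    """Return a list of findings; an empty list means the profile passed every check."""
    findings: List[str] = []
    top = plistlib.loads(profile_bytes)
    payloads = top.get("PayloadContent", [])

    sso = [p for p in payloads if p.get("PayloadType") == SSO_PAYLOAD]
    if len(sso) != 1:
        findings.append(f"expected one {SSO_PAYLOAD} payload, found {len(sso)}")
    for p in sso:
        if p.get("Type") != "Redirect":
            findings.append("SSO payload Type should be 'Redirect' for Platform SSO")
        pso = p.get("PlatformSSO")
        if not isinstance(pso, dict):
            findings.append("SSO payload lacks a PlatformSSO dictionary")
        elif pso.get("AuthenticationMethod") != "Password":
            findings.append("AuthenticationMethod must be 'Password' for Desktop Password Sync")
        # Assumption: the Okta Client ID from the Sign On tab lives under ExtensionData/ClientID.
        cid = p.get("ExtensionData", {}).get("ClientID")
        if cid != expected_client_id:
            findings.append(f"Client ID mismatch: profile carries {cid!r}")

    # Password expiration must be disabled before Desktop Password Sync is deployed.
    for p in payloads:
        if p.get("PayloadType") == PASSCODE_PAYLOAD:
            age = int(p.get("maxPINAgeInDays", 0))
            if age > 0:
                findings.append(
                    f"maxPINAgeInDays={age}: disable macOS password expiration before deploying"
                )
    return findings


def build_sample_profile(client_id: str, max_pin_age_days: int = 0) -> bytes:
    """Build a constructed sample profile; identifiers below are placeholders, not real values."""
    sso: Dict[str, Any] = {
        "PayloadType": SSO_PAYLOAD,
        "PayloadIdentifier": "com.example.psso",            # constructed
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "ExtensionIdentifier": "EXTENSION_ID_PLACEHOLDER",   # placeholder: take from Okta's MDM docs
        "TeamIdentifier": "TEAM_ID_PLACEHOLDER",             # placeholder: take from Okta's MDM docs
        "Type": "Redirect",
        "URLs": ["https://example.okta.com"],                # constructed org URL
        "PlatformSSO": {"AuthenticationMethod": "Password"},
        "ExtensionData": {"ClientID": client_id},            # assumed key placement
    }
    payloads: List[Dict[str, Any]] = [sso]
    if max_pin_age_days:
        payloads.append({
            "PayloadType": PASSCODE_PAYLOAD,
            "PayloadIdentifier": "com.example.passcode",     # constructed
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "maxPINAgeInDays": max_pin_age_days,
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",          # constructed
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


if __name__ == "__main__":
    cid = "0oaEXAMPLECLIENTID"  # constructed stand-in for the Client ID copied in step 8
    print(lint_profile(build_sample_profile(cid), cid))          # -> []
    print(lint_profile(build_sample_profile("wrong-id", 90), cid))  # -> two findings
```

To lint a real export, read the .mobileconfig bytes from disk and pass them with the Client ID from the Sign On tab; the function returns nothing for a profile that passes and a plain list of findings otherwise, which slots into a CI step or a pre-push review of the MDM configuration.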

Next step

Configure device management profiles