Configure Desktop Password Sync for macOS

Desktop Password Sync for macOS reduces the number of passwords that users need to remember. When you configure and deploy Desktop Password Sync, users are prompted to register the device and link their local account with Okta. After registration is complete, the local account password syncs with the Okta password, and users can use their Okta password to sign in to macOS. Desktop Password Sync replaces a user's local macOS password with the user's Okta password.

Set up the Desktop Password Sync app integration in the Okta Admin Console, and then configure the device management profiles in your mobile device management (MDM) solution. You can push the packaged installer to specific users or groups for immediate registration.

Depending on your configuration, the registration flow for Desktop Password Sync enrolls users in Okta FastPass and may enable Touch ID. If Okta FastPass requires biometrics based on your admin and org configurations, users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

Prerequisites

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.

  • Your macOS computers are running a minimum of macOS Ventura (13.0). Version 13.5 is recommended for the best user experience.

  • The Okta Verify authenticator is set up in your org.

  • Devices must be enrolled in mobile device management (MDM) software that supports deployment of payloads.

  • Users must have a password configured. Note that this is different from a passwordless sign in, during which there's a password in the background but it remains unused during authentication. True passwordless users have no password set.

  • The Desktop Password Sync application is available for your organization. If you can't locate the Desktop Password Sync app in the app catalog, contact your account representative.

  • Optional: If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

  • Disable macOS password expiration with your MDM before deploying Desktop Password Sync.

    • If your org requires password rotation, add expiration to the Okta accounts that require it.

Use Okta Verify version 9.1.0 or newer if your org has macOS users that use a system language other than English.
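
The version prerequisites above can be checked on a device before deployment. This preflight script is an added example, not Okta tooling. It assumes Okta Verify is installed at /Applications/Okta Verify.app and that the system language is the first AppleLanguages entry of the user who runs the script.

```shell
#!/bin/sh
# Added example: preflight for the version prerequisites on this page.

# version_ge A B: succeed when dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# preflight OS_VERSION OKTA_VERIFY_VERSION LANGUAGE
# Prints one finding per line; returns 1 when a hard requirement is not met.
preflight() {
    os=$1 ov=$2 lang=$3 rc=0
    if ! version_ge "$os" 13.0; then
        echo "FAIL: macOS $os is older than Ventura (13.0)"; rc=1
    elif ! version_ge "$os" 13.5; then
        echo "WARN: macOS $os is supported, 13.5 is recommended"
    fi
    case $lang in
        en|en[-_]*) ;;   # English: no extra Okta Verify requirement on this page
        *)  # non-English or unknown language: treat conservatively
            if ! version_ge "$ov" 9.1.0; then
                echo "FAIL: language ${lang:-unknown} needs Okta Verify 9.1.0 or newer (found ${ov:-none})"
                rc=1
            fi ;;
    esac
    return $rc
}

# On a Mac, gather live values and run the check (skipped on other systems).
if command -v sw_vers >/dev/null 2>&1; then
    app="/Applications/Okta Verify.app"   # assumed default install location
    preflight "$(sw_vers -productVersion)" \
        "$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)" \
        "$(defaults read -g AppleLanguages 2>/dev/null | sed -n '2s/[ ",]//gp')"
fi
```

When an MDM runs the script as root, the language lookup reads root's preferences rather than the signed-in user's, so pass the user's language to preflight explicitly in that case.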

Tasks

Create and configure the Desktop Password Sync app integration

  1. Sign in to your Okta tenant as a super admin.

  2. In the Admin Console, go to Applications > Applications > Catalog.

  3. Search for Desktop Password Sync and select the app.

  4. Click Add integration. If you get an error message saying "This feature isn’t enabled", contact your account representative.

  5. Open Desktop Password Sync from your Applications list to configure it:

    • On the General tab, you can edit the application label or use the default label.

    • On the Sign on tab, make note of the Client ID. You need this when creating the managed app configuration in your MDM.

    • Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.

  6. Click Save.

Download Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to Settings > Downloads and download Okta Verify for macOS. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your organization, Desktop Password Sync can be configured and deployed. Contact your account representative for more information.

Next steps

Configure device management profiles for Desktop Password Sync

Support your Desktop Password Sync users