Configure Desktop Password Sync for macOS 26

Desktop Password Sync now supports macOS 26 Tahoe. In addition to the previously supported Platform Single Sign-on (Platform SSO) flows, this support extends Platform SSO authentication to Apple Setup Assistant as part of your Automated Device Enrollment process.

With Desktop Password Sync, your users can enter their Okta username and password during Automated Device Enrollment to create their local macOS account. This creates an MDM-managed user with Okta credentials, and those credentials can't be altered during the device setup phase.

Platform SSO is supported only on physical Mac computers with Apple silicon. See Mac computers with Apple silicon for a list of supported systems.

For Okta orgs with Okta FastPass enabled: When the Setup Assistant finishes, the user has a local macOS account that's synced with their Okta password and a pre-enrolled Okta FastPass authenticator.

Before you begin

To prepare for Desktop Password Sync for macOS 26 Tahoe, ensure that you meet the following requirements:

  • Desktop Password Sync is configured correctly. See Create and configure the Platform Single Sign-on app.

  • Your devices have Okta Verify for macOS version 9.52 or later installed.

    • To get the latest version from the Admin Console, go to Settings > Downloads, and download Okta Verify for macOS.

    • To confirm which version of Okta Verify is installed on a Mac computer, right-click the Okta Verify icon on the menu bar, and then click About.

  • If your org uses a different format for the macOS account name and display name, you must create a custom attribute for username mapping.

    By default, the Okta username is used as the macOS username and the Okta First name + Family name value is used as the macOS user display name.

    To override these values, you can add custom attributes to the app in the Profile Editor and map them as desired:

    1. If you haven't already, add the Platform Single Sign-on for macOS app through the Admin Console.

    2. In the Admin Console, go to Directory > Profile Editor.

    3. Search for and open the Platform Single Sign-on for macOS app.

    4. Click Add Attribute.

    5. Add a string attribute for use as the macOS username:

      1. Set the Display name and Variable Name fields to macOSAccountUsername.

      2. Enable the Yes checkbox for the Attribute required field.

      3. Click Save.

    6. Repeat to add a macOSAccountFullName attribute. Okta uses this attribute as the macOS display name.

    7. Click Mappings and then Configure User mappings.

    8. On the User Profile Mappings dialog, select the Okta User to Platform Single Sign-on for macOS tab.

      The Okta attributes user.login and user.display are mapped to the macOSAccountUsername and macOSAccountFullName attributes, respectively. To change either mapping, choose a different Okta attribute or enter an expression (using Okta Expression Language) in the field.

    9. Click Save Mappings.

    See Add custom attributes to apps, directories, and identity providers and Map Okta attributes to app attributes in the Profile Editor.

Platform SSO 2.0 configuration

To configure Platform SSO, follow the instructions in Configure Desktop Password Sync for macOS 15.

For macOS 26 Tahoe, one extra step is required to activate Platform SSO when using Setup Assistant.

When you create the SSO extension profile, set Enable registration during setup to Enabled.

To configure your device management profiles:

  1. In your MDM, locate the PlatformSSO profile.

  2. Edit the profile and enable the following:

    • New User Authorization Mode: This value determines the privilege type of the account being created. Set the account to Admin or Standard.

    • User Mapping:

      • Set macOSAccountUsername as the AccountName

      • Use macOSAccountFullName as the FullName

  3. Save the profile.
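The following is an added example, not code from Okta, Apple, or any MDM vendor. It shows what the profile settings from the two procedures above (the custom attribute names from the Profile Editor steps and the PlatformSSO settings in the MDM profile) look like once exported as a .mobileconfig plist, and it runs a pre-deployment check over such a file before it is scoped to devices. The payload is constructed sample data; `NewUserAuthorizationMode` and the `TokenToUserMapping` dictionary with its `AccountName` and `FullName` keys are Apple's Extensible SSO payload keys, while the key name used for "Enable registration during setup" (`REGISTRATION_DURING_SETUP_KEY`) is an assumed placeholder that you should confirm against your MDM vendor's documentation before relying on the check.

```python
"""Pre-deployment check of a Platform SSO profile for Desktop Password Sync.

Added example (not Okta's, Apple's or an MDM vendor's code). Builds a
constructed com.apple.extensiblesso payload the way an MDM might export it,
then verifies the settings the procedure asks for.
"""
import plistlib

# Custom attribute names created in the Okta Profile Editor (from the page).
ACCOUNT_NAME_ATTR = "macOSAccountUsername"
FULL_NAME_ATTR = "macOSAccountFullName"
# The page allows only these two privilege types for the created account.
ALLOWED_NEW_USER_MODES = {"Admin", "Standard"}
# ASSUMED placeholder for the "Enable registration during setup" key: confirm
# the real key name in your MDM's exported profile before using this check.
REGISTRATION_DURING_SETUP_KEY = "EnableRegistrationDuringSetup"


def build_sample_profile(new_user_mode="Standard", register_during_setup=True,
                         account_name_attr=ACCOUNT_NAME_ATTR,
                         full_name_attr=FULL_NAME_ATTR):
    """Return constructed .mobileconfig bytes with one Extensible SSO payload."""
    platform_sso = {
        "AuthenticationMethod": "Password",      # Desktop Password Sync uses password auth
        "NewUserAuthorizationMode": new_user_mode,
        "TokenToUserMapping": {                  # Apple's user-mapping dictionary
            "AccountName": account_name_attr,    # macOS account name source
            "FullName": full_name_attr,          # macOS display name source
        },
        REGISTRATION_DURING_SETUP_KEY: register_during_setup,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.platformsso",            # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",     # constructed
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": "com.apple.extensiblesso",
            "PayloadIdentifier": "com.example.platformsso.sso",    # constructed
            "PayloadUUID": "00000000-0000-0000-0000-000000000002", # constructed
            "PayloadVersion": 1,
            "PlatformSSO": platform_sso,
        }],
    }
    return plistlib.dumps(profile)


def check_platform_sso_profile(mobileconfig: bytes) -> list:
    """Return a list of findings; an empty list means the profile matches the procedure."""
    findings = []
    profile = plistlib.loads(mobileconfig)
    sso_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not sso_payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    for payload in sso_payloads:
        psso = payload.get("PlatformSSO")
        if not isinstance(psso, dict):
            findings.append("PlatformSSO dictionary missing from SSO payload")
            continue
        mode = psso.get("NewUserAuthorizationMode")
        if mode not in ALLOWED_NEW_USER_MODES:
            findings.append(f"NewUserAuthorizationMode is {mode!r}; expected Admin or Standard")
        mapping = psso.get("TokenToUserMapping") or {}
        if mapping.get("AccountName") != ACCOUNT_NAME_ATTR:
            findings.append(f"TokenToUserMapping.AccountName should be {ACCOUNT_NAME_ATTR}, "
                            f"got {mapping.get('AccountName')!r}")
        if mapping.get("FullName") != FULL_NAME_ATTR:
            findings.append(f"TokenToUserMapping.FullName should be {FULL_NAME_ATTR}, "
                            f"got {mapping.get('FullName')!r}")
        if psso.get(REGISTRATION_DURING_SETUP_KEY) is not True:
            findings.append("registration during setup is not enabled "
                            f"({REGISTRATION_DURING_SETUP_KEY} is not true)")
    return findings


if __name__ == "__main__":
    # Run the check against a constructed good profile and a constructed bad one.
    print("good profile:", check_platform_sso_profile(build_sample_profile()) or "OK")
    bad = build_sample_profile(new_user_mode="Groups", register_during_setup=False)
    for finding in check_platform_sso_profile(bad):
        print("bad profile:", finding)
```

To check a profile exported from your MDM, read the file as bytes and pass it to `check_platform_sso_profile`; signed profiles must be unsigned first (for example with `security cms -D`), because `plistlib` parses only the bare plist.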

Automated Device Enrollment configuration

The configuration for Automated Device Enrollment varies depending on your device management system. Refer to your MDM vendor instructions for full details.

For Desktop Password Sync, configure the following items as part of your Automated Device Enrollment process:

  • Enable Simplified Setup for Platform Single Sign-On.

  • Set the value of the Platform Single Sign-On Bundle ID to com.okta.mobile.

  • Scope these configuration profiles to the device:

    • Device Access SCEP

    • Platform SSO 2.0 configuration

  • Enable Okta Verify as an Enrollment Package.

Next steps

Support your users