Configure Desktop Password Sync for macOS 26
Desktop Password Sync now supports macOS 26 Tahoe. In addition to the previously supported Platform Single Sign-on (Platform SSO) flows, this support extends Platform SSO authentication to Apple Setup Assistant as part of your Automated Device Enrollment process.
With Desktop Password Sync, your users can enter their Okta username and password during Automated Device Enrollment to create their local macOS account. This creates an MDM-managed user with Okta credentials, which can't be altered during the device setup phase.
Platform SSO is supported only on physical Mac computers with Apple silicon. See Mac computers with Apple silicon for a list of supported systems.
For Okta orgs with Okta FastPass enabled, this means that when the Setup Assistant finishes, the user has a local macOS account that is synced with their Okta password and a pre-enrolled Okta FastPass authenticator.
Before you begin
To prepare for Desktop Password Sync for macOS 26 Tahoe, ensure that you meet the following requirements:
- Desktop Password Sync is configured correctly. See Create and configure the Platform Single Sign-on app.
- Your devices have Okta Verify for macOS version 9.52 or later installed.
  - To get the latest version from the Admin Console, go to , and download Okta Verify for macOS.
  - To confirm which version of Okta Verify is installed on a Mac computer, right-click the Okta Verify icon on the menu bar, and then click About.
- To configure the macOS account name and display name, you need to create a custom attribute for username mapping. Set the VariableName to the macOSAccountUsername or macOSAccountFullName for the Platform SSO app. See Add custom attributes to apps, directories, and identity providers and Map Okta attributes to app attributes in the Profile Editor.
Platform SSO 2.0 configuration
To configure Platform SSO, follow the instructions in Configure Desktop Password Sync for macOS 15.
For macOS 26 Tahoe, there's one extra step required to activate Platform SSO when using Setup Assistant.
When you create the SSO extension profile, set Enable registration during setup to Enabled.
To configure your device management profiles:
- In your MDM, locate the PlatformSSO profile.
- Edit the profile and enable the following:
  - New User Authorization Mode: This value determines the privilege type of the account being created. Set the account to Admin or Standard.
  - User Mapping:
    - Set macOSAccountUsername as the AccountName
    - Use macOSAccountFullName as the FullName
- Save the profile.
Automated Device Enrollment configuration
The configuration for Automated Device Enrollment varies depending on your device management system. Refer to your MDM vendor instructions for full details.
For Desktop Password Sync, configure the following items as part of your Automated Device Enrollment process:
- Enable Simplified Setup for Platform Single Sign-On.
- Set the value of the Platform Single Sign-On Bundle ID to com.okta.mobile.
- Scope these configuration profiles to the device:
  - Device Access SCEP
  - Platform SSO 2.0 configuration
- Enable Okta Verify as an Enrollment Package.