Just-In-Time Local Account Creation for macOS
Just-In-Time Local Account Creation allows users to create an account on a macOS computer using their Okta username and password from the macOS login screen. Admins can streamline the account creation process for any Okta user in their tenant, which is especially beneficial for shared devices or workstations that support multiple users.
This feature uses Platform Single Sign-on (Platform SSO), part of the identity framework from Apple.
Before you begin
- Check that the Okta username is in an email format. See Create a custom character restriction for the Okta username. Characters not supported by macOS, such as +, don't appear in the username.
- Ensure that the Okta user's first name and family name are populated. The macOS account details are generated from this information.
- If your org uses a different format for usernames, you must create a custom attribute for username mapping.
  By default, the Okta username is used as the macOS username. Similarly, the combined Okta First name + Family name value is used for the macOS user display name. However, if your org uses a different format for the macOS account name and display name, you need to create custom attributes for these mappings.
  To override the default values, use the Profile Editor to add and map custom attributes for the app:
  - If you haven't already, add the Platform Single Sign-on for macOS app through the Admin Console.
  - In the Admin Console, go to .
  - Search for and open the Platform Single Sign-on for macOS app.
  - Click Add Attribute.
  - Add a string attribute for use as the macOS username:
    - Set the Display name and Variable Name fields to macOSAccountUsername.
    - Enable the Yes checkbox for the Attribute required field.
    - Click Save and Add Another.
  - Add another string attribute called macOSAccountFullName. Okta uses this attribute as the macOS display name.
  - Click Save.
  - Click Mappings and then Configure User mappings.
  - In the User Profile Mappings dialog, select the Okta User to Platform Single Sign-on for macOS tab.
  - Enter the following attribute mappings:
    - user.login: macOSAccountUsername
    - user.displayName: macOSAccountFullName
  - Click Save Mappings.
  If you need to modify these fields any further, you can choose a different Okta attribute or add an expression to the fields using Okta Expression Language. See Add custom attributes to apps, directories, and identity providers and Map Okta attributes to app attributes in the Profile Editor.
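The prerequisites above (email-format username, no characters such as + in the login, first and family name populated) are easy to check in bulk before rolling the feature out. The following pre-flight check is an added example, not Okta's code: it applies the default mapping described on this page (Okta login becomes the macOS account name, first name plus family name becomes the display name) to a list of user profiles and reports which profiles would not meet the prerequisites. The input shape (dicts with login, firstName and lastName, Okta's standard user profile attribute names) and the sample profiles are constructed for the example; the page names only + as an unsupported character, so the rejected-character set is kept as a parameter you extend for your environment.

```python
"""Pre-flight check of Okta user profiles for JIT Local Account Creation.

Added example (not Okta's code). It applies the default mapping described on
the page: Okta login -> macOS account name, first name + family name ->
macOS display name, and flags profiles that violate the prerequisites.
"""
import re

# Characters the page says macOS doesn't support in an account name. The page
# names only "+"; extending this set for your environment is an assumption.
UNSUPPORTED_CHARS = {"+"}

# Minimal email-format check: one "@" with a non-empty local part and a
# dotted domain. Tighten it if your org enforces a stricter login format.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def derive_macos_account(profile):
    """Return (account_name, full_name, issues) for one Okta user profile.

    `profile` is a dict with the Okta attributes login, firstName and
    lastName (assumed input shape). `issues` is a list of strings; an empty
    list means the profile satisfies the prerequisites on the page.
    """
    issues = []
    login = (profile.get("login") or "").strip()
    first = (profile.get("firstName") or "").strip()
    last = (profile.get("lastName") or "").strip()

    if not EMAIL_RE.match(login):
        issues.append(f"login {login!r} is not in email format")
    bad = sorted(c for c in login if c in UNSUPPORTED_CHARS)
    if bad:
        issues.append(f"login contains unsupported character(s) {''.join(bad)!r}")
    if not first or not last:
        issues.append("first name and family name must both be populated")

    # Default mapping from the page: user.login -> macOSAccountUsername,
    # "First Family" -> macOSAccountFullName.
    return login, f"{first} {last}".strip(), issues


def check_profiles(profiles):
    """Run derive_macos_account over many profiles; return {login: issues}."""
    return {p.get("login", "<missing>"): derive_macos_account(p)[2] for p in profiles}


# Constructed sample profiles (not real users) covering each failure mode.
SAMPLE_PROFILES = [
    {"login": "j.smith@example.com", "firstName": "Jane", "lastName": "Smith"},
    {"login": "j.smith+mac@example.com", "firstName": "Jane", "lastName": "Smith"},
    {"login": "jsmith", "firstName": "Jane", "lastName": "Smith"},
    {"login": "a.lee@example.com", "firstName": "Ava", "lastName": ""},
]

if __name__ == "__main__":
    for login, issues in check_profiles(SAMPLE_PROFILES).items():
        print(login, "OK" if not issues else "; ".join(issues))
```

Run it against an export of the users who will receive the app assignment; any profile with a non-empty issue list needs a custom attribute mapping (or a corrected profile) before the user tries to sign in at the macOS login window.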
Start this task
Follow these steps in sequence to avoid configuration issues:
- Configure Device Access certificates. JIT Local Account Creation requires certificates enrolled using the Simple Certificate Enrollment Protocol (SCEP).
- Configure device management profiles for Just-In-Time Local Account Creation. Add these values to your Platform SSO profile before using JIT Local Account Creation.
- Configure the macOS device using JIT Local Account Creation and hand it off to the user.
Configure Device Access certificates
Just-In-Time Local Account Creation for macOS requires you to enroll client certificates using SCEP. Your Mobile Device Management (MDM) software deploys these certificates. They identify the device to Okta and grant it access to the API endpoints it calls.
Review and complete the steps in Device Access certificates, then return here to continue to enable JIT Local Account Creation.
Configure device management profiles for Just-In-Time Local Account Creation
Using JIT Local Account Creation requires you to make some configuration changes to your existing MDM profiles. These instructions assume you're using Jamf Pro for device management. If you're using a different MDM solution, the names of the fields may differ.
- In your MDM, locate the PlatformSSO profile.
- Edit the profile and enable the following:
  - Create New User at Login: EnableCreateUserAtLogin
  - New User Authorization Mode: This value determines the privilege type of the account being created. Set the account to Admin or Standard.
  - Use Shared Device Keys: UseSharedDeviceKeys
  - User Mapping:
    - Set macOSAccountUsername as the AccountName
    - Use macOSAccountFullName as the FullName
  - Registration Token: Enter any random value. This value isn't used because the profile uses the certificate instead of a token, but you must populate the field.
- Locate the device management profile for the com.okta.mobile.auth-service-extension domain.
- Edit the profile and add the following:
  <key>PlatformSSO.ProtocolVersion</key>
  <string>2.0</string>
- Save the profile.
- If you're presented with an option to push the updated profile to your users, do this now.
View a Sample Jamf Platform SSO profile with JIT Local Account Creation parameters for reference.
Set up the new device for JIT Local Account Creation
The devices or virtual machines provisioned using JIT Local Account Creation must meet the following requirements:
- The computer is running macOS 14 Sonoma or greater.
- The device is enrolled in an MDM solution with support for bootstrap tokens enabled. See Manually Leveraging Apple's Bootstrap Token Functionality.
- The Setup Assistant is complete and an initial local administrator account has been created.
- The Platform SSO MDM profiles have been pushed to the machine.
- Certificates enrolled with SCEP are present on the computer.
- Okta Verify for macOS version 9.25.0 or greater is installed.
- The user exists within Okta.
After the device requirements are met, an IT administrator completes the following steps on the computer:
- Sign in to the administrator account on the device. The device is silently registered using the Device Access certificate to authenticate the identity of the device and enroll the Platform SSO keys.
- Verify that the device was successfully registered:
  - The Registration Required notification appears, advising the user to sign in with their credentials, or
  - Run app-sso platform -s in a macOS Terminal window. If successful, this returns Device Configuration.registrationCompleted = true and the Login Configuration object isn't null.
- If the device wasn't successfully registered, review the Okta Verify logs to find the reason for the failure. Resolve the issue and restart the device registration process by signing out and back in again.
- Optional. Complete the Desktop Password Sync registration (this enrolls the IT administrator's account to Okta FastPass).
- On the macOS device, open . Confirm that there are no duplicate accounts with similar names on the computer (for example, j.smith and jl.smith). If extra accounts are found, delete the extra users and ensure that the home directories are removed from /Users/.
- Open . This setting allows the username to appear on the macOS login window.
At this point, the computer is ready to hand off to the end user.
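When many devices are being prepared, the registration check above is worth scripting rather than reading by eye. The following is an added example, not Okta's or Apple's code: it interprets the text of app-sso platform -s using the two conditions the page names (Device Configuration.registrationCompleted must be true and the Login Configuration object must not be null) and reports why a device is not registered. The exact layout of the command's output is an assumption (section headers ending in a colon, indented key = value lines, a null object printed as (null)), and the two sample outputs are constructed, so adjust the patterns to what your macOS version prints.

```python
"""Interpret the output of `app-sso platform -s` for a device-prep check.

Added example, not Okta's or Apple's code. The page names the two fields
that indicate a successful registration; the text layout assumed here
(sections ending in ":", indented "key = value" lines, null shown as
"(null)") is an assumption, and the sample outputs are constructed.
"""
import re

# A section header such as "Device Configuration:" optionally followed by an
# inline value such as "(null)".
SECTION_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")


def parse_sections(output):
    """Split the command output into {section_name: {key: value}}.

    A section whose header line carries an inline value instead of an
    indented block is recorded under the special key "_value".
    """
    sections, current = {}, None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = SECTION_RE.match(raw.strip())
            if m:
                current = m.group(1).strip()
                sections[current] = {}
                if m.group(2):
                    sections[current]["_value"] = m.group(2).strip()
            continue
        if current is not None and "=" in raw:
            key, _, value = raw.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def registration_status(output):
    """Return (registered, reasons).

    registered is True only when both conditions from the page hold; reasons
    lists the failed condition(s) so the admin knows what to look for in the
    Okta Verify logs.
    """
    sections = parse_sections(output)
    reasons = []
    device = sections.get("Device Configuration", {})
    if device.get("registrationCompleted") != "true":
        reasons.append("Device Configuration.registrationCompleted is not true")
    login = sections.get("Login Configuration")
    if login is None or login.get("_value") in ("(null)", "null"):
        reasons.append("Login Configuration is null")
    return (not reasons), reasons


# Constructed sample outputs (not captured from a real Mac).
SAMPLE_OK = """\
Device Configuration:
    registrationCompleted = true
    extensionIdentifier = com.okta.mobile.auth-service-extension
Login Configuration:
    loginType = password
"""

SAMPLE_FAILED = """\
Device Configuration:
    registrationCompleted = false
Login Configuration: (null)
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("failed", SAMPLE_FAILED)):
        registered, reasons = registration_status(sample)
        print(name, "registered" if registered else "; ".join(reasons))
```

On a real device, feed the function the captured output (for example from subprocess.run(["app-sso", "platform", "-s"], capture_output=True, text=True).stdout) and treat a non-empty reasons list as the signal to sign out and back in after resolving the cause in the Okta Verify logs.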
Sample Jamf PlatformSSO profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Configuration</key>
      <array>
        <dict>
          <key>ApplicationIdentifier</key>
          <string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
          <key>AssociatedDomains</key>
          <array>
            <!-- replace accuhive.okta.com with your tenant address -->
            <string>authsrv:accuhive.okta.com</string>
          </array>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Associated Domains for Okta Verify</string>
      <key>PayloadIdentifier</key>
      <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
      <key>PayloadOrganization</key>
      <string>CUSTOMER NAME</string>
      <key>PayloadType</key>
      <string>com.apple.associated-domains</string>
      <key>PayloadUUID</key>
      <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PlatformSSO</key>
      <dict>
        <key>AccountDisplayName</key>
        <string>Actor</string>
        <key>AuthenticationMethod</key>
        <string>Password</string>
        <key>EnableCreateUserAtLogin</key>
        <true/>
        <key>TokenToUserMapping</key>
        <dict>
          <key>AccountName</key>
          <string>macOSAccountUsername</string>
          <key>FullName</key>
          <string>macOSAccountFullName</string>
        </dict>
        <key>UseSharedDeviceKeys</key>
        <true/>
      </dict>
      <key>RegistrationToken</key>
      <string>********</string>
      <key>ExtensionIdentifier</key>
      <string>com.okta.mobile.auth-service-extension</string>
      <key>Hosts</key>
      <array/>
      <key>TeamIdentifier</key>
      <string>B7F62B65BN</string>
      <key>Type</key>
      <string>Redirect</string>
      <key>URLs</key>
      <array>
        <!-- replace accuhive.okta.com with your tenant address -->
        <string>https://accuhive.okta.com/device-access/api/v1/nonce</string>
        <string>https://accuhive.okta.com/oauth2/v1/token</string>
      </array>
      <key>PayloadDisplayName</key>
      <string>Okta Verify Sign-On Extensions Payload</string>
      <key>PayloadIdentifier</key>
      <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
      <key>PayloadOrganization</key>
      <string>CUSTOMER NAME</string>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadUUID</key>
      <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Okta PSSO extension configuration</string>
  <key>PayloadDisplayName</key>
  <string>Okta PSSO extension</string>
  <key>PayloadIdentifier</key>
  <string>com.customer-name.profiles.ssoextension</string>
  <key>PayloadOrganization</key>
  <string>CUSTOMER NAME</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
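A profile that is missing one of the settings from the "Configure device management profiles" steps fails silently at the login window, so it is worth validating the exported profile before pushing it. The following validator is an added example, not Okta's or Jamf's tooling: it parses a Platform SSO profile with the standard-library plistlib and checks the keys this page requires for JIT Local Account Creation (EnableCreateUserAtLogin, UseSharedDeviceKeys, the TokenToUserMapping names, a populated RegistrationToken, the Okta Verify ExtensionIdentifier), plus the PlatformSSO.ProtocolVersion = 2.0 setting in the separate com.okta.mobile.auth-service-extension domain profile. The embedded profiles are constructed, trimmed-down versions of the sample above with placeholder values; the NewUserAuthorizationMode key name for the "New User Authorization Mode" field and the assumption that the domain profile is a flat preferences plist are both assumptions.

```python
"""Validate a Platform SSO configuration profile before pushing it via MDM.

Added example, not part of Okta's or Jamf's tooling. It checks the keys the
page lists for JIT Local Account Creation. The embedded profiles are
constructed, trimmed versions of the page's sample (placeholder values).
"""
import plistlib

EXTENSIBLE_SSO = "com.apple.extensiblesso"
OKTA_EXTENSION = "com.okta.mobile.auth-service-extension"

# Constructed sample; mirrors the structure of the page's Jamf profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>ExtensionIdentifier</key><string>com.okta.mobile.auth-service-extension</string>
      <key>TeamIdentifier</key><string>B7F62B65BN</string>
      <key>Type</key><string>Redirect</string>
      <key>RegistrationToken</key><string>placeholder-not-used</string>
      <key>PlatformSSO</key>
      <dict>
        <key>AuthenticationMethod</key><string>Password</string>
        <key>EnableCreateUserAtLogin</key><true/>
        <key>UseSharedDeviceKeys</key><true/>
        <key>TokenToUserMapping</key>
        <dict>
          <key>AccountName</key><string>macOSAccountUsername</string>
          <key>FullName</key><string>macOSAccountFullName</string>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>
"""

# Constructed sample of the com.okta.mobile.auth-service-extension domain
# profile; assumes the preference key sits at the top level of that plist.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlatformSSO.ProtocolVersion</key><string>2.0</string>
</dict>
</plist>
"""


def find_sso_payload(profile):
    """Return the first com.apple.extensiblesso payload dict, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == EXTENSIBLE_SSO:
            return payload
    return None


def check_jit_profile(plist_bytes):
    """Return a list of problems; an empty list means every setting the page
    requires for JIT Local Account Creation is present."""
    problems = []
    sso = find_sso_payload(plistlib.loads(plist_bytes))
    if sso is None:
        return [f"no {EXTENSIBLE_SSO} payload found"]

    if sso.get("ExtensionIdentifier") != OKTA_EXTENSION:
        problems.append("ExtensionIdentifier is not the Okta Verify extension")
    # The token is unused (the certificate is used instead) but must be set.
    if not sso.get("RegistrationToken"):
        problems.append("RegistrationToken is empty")

    psso = sso.get("PlatformSSO", {})
    if psso.get("EnableCreateUserAtLogin") is not True:
        problems.append("PlatformSSO.EnableCreateUserAtLogin is not true")
    if psso.get("UseSharedDeviceKeys") is not True:
        problems.append("PlatformSSO.UseSharedDeviceKeys is not true")
    # Key name for the "New User Authorization Mode" field is an assumption;
    # the page only says the value must be Admin or Standard.
    mode = psso.get("NewUserAuthorizationMode")
    if mode is not None and mode not in ("Admin", "Standard"):
        problems.append("NewUserAuthorizationMode must be Admin or Standard")

    mapping = psso.get("TokenToUserMapping", {})
    if mapping.get("AccountName") != "macOSAccountUsername":
        problems.append("TokenToUserMapping.AccountName should be macOSAccountUsername")
    if mapping.get("FullName") != "macOSAccountFullName":
        problems.append("TokenToUserMapping.FullName should be macOSAccountFullName")
    return problems


def check_protocol_version(plist_bytes):
    """True when the extension domain profile sets PlatformSSO.ProtocolVersion to 2.0."""
    return plistlib.loads(plist_bytes).get("PlatformSSO.ProtocolVersion") == "2.0"


if __name__ == "__main__":
    print("profile problems:", check_jit_profile(SAMPLE_PROFILE) or "none")
    print("protocol version 2.0:", check_protocol_version(SAMPLE_PREFS))
```

Point check_jit_profile at the .mobileconfig exported from your MDM (read as bytes) and fix every reported problem before pushing; a profile that passes here still needs the SCEP certificate and the associated-domains payload, which this check does not cover.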