Support your Desktop Password Sync users

When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync: the device password is replaced with the Okta password. The synced password can then access anything that previously required the local account password. If a user changes their Okta password, they need to lock the computer and then unlock it at the lock screen with the updated password; that unlock is what triggers the service to sync the device password with the Identity Provider password.

To prepare users for the changes to their sign-in flow, Okta has prepared a series of templates to communicate Desktop Password Sync plans. Download the templates from the Launch Kit for Okta Admins, and use the appropriate wording to explain the new authentication process to users.

Establish a bug reporting channel

Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of the Okta Verify mobile app contains a Send Feedback link. Users should tap Report a bug and fill out the form. System logs are attached automatically, and the report is sent to Okta. Filing the report doesn't resolve the sign-in problem itself, so users should then contact someone within your organization for assistance signing in to the computer.

Password synchronization

A user's password is synchronized only at specific points in the workflow. Consult the table to determine the expected behavior from Desktop Password Sync.

Behavior: User completes Desktop Password Sync registration.
Result: Password syncs if the local account password is different from the Identity Provider password.

Behavior: User changes the local account password.
Result: Password syncs when the user enters their Identity Provider password to unlock the device, or when the system notification that appears on token expiration prompts the user to sign in to their Identity Provider account.

Behavior: User changes the Identity Provider password.
Result: Same as above. Password syncs when the user enters their Identity Provider password to unlock the device, or when the token-expiration notification prompts the user to sign in to their Identity Provider account.

Behavior: User enters a changed Identity Provider password at the device sign-in screen.
Result: Sign in fails. Platform Single Sign-on doesn't support password synchronization at the sign-in window. Users must enter their old password to sign in, and they're then prompted to resync the device to the new password.

Behavior: User changes the password locally using the macOS Password Expiration prompt.
Result: Sign in fails. The new password isn't synced with Okta, and the attempt to revert the local password to the previous password is blocked by the MDM password policies in place.

To resolve this, in your MDM, disable local password expiration for the affected users' macOS accounts. The macOS password expiration policy duplicates the Okta password policy and isn't compatible with Desktop Password Sync.

See Configure the password authenticator.
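As an added check (not part of the original Okta page or of Okta Verify itself), the following POSIX shell script reads a local account's policy with the macOS `pwpolicy` command and flags accounts that still carry a password-expiration interval, so you can confirm on an affected Mac that the MDM change above actually took effect. The function names, the hypothetical policy identifiers, and the two sample pwpolicy outputs are constructed for this example; the parser keys on the policyAttributeExpiresEveryNDays parameter that macOS stores under policyCategoryPasswordChange.

```shell
#!/bin/sh
# Added example (not Okta's code): detect a lingering local password-expiration
# policy on a macOS account, which breaks Desktop Password Sync as described above.
# It parses the plist printed by `pwpolicy -u <user> -getaccountpolicies`.
# Function names and the sample outputs below are constructed for this example.

# Print the expiration interval in days found in pwpolicy output, or 0 if none is set.
expiry_days_from_policy() {
    printf '%s\n' "$1" | awk '
        /<key>policyAttributeExpiresEveryNDays<\/key>/ { want = 1; next }
        want && /<integer>/ { gsub(/[^0-9]/, ""); print; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Succeed (exit 0) when an expiration interval greater than zero is enforced.
expiration_enforced() {
    days=$(expiry_days_from_policy "$1")
    [ "$days" -gt 0 ]
}

# Run the check against a live account. Only meaningful on macOS, where pwpolicy exists.
check_local_account() {
    user="$1"
    out=$(pwpolicy -u "$user" -getaccountpolicies 2>/dev/null) || {
        echo "pwpolicy failed for $user (not macOS, or no such account)"; return 2; }
    if expiration_enforced "$out"; then
        echo "WARNING: $user still expires every $(expiry_days_from_policy "$out") days;" \
             "disable local password expiration in your MDM before enabling Desktop Password Sync"
        return 1
    fi
    echo "OK: no local password-expiration policy for $user"
}

# Constructed sample of pwpolicy output for an account with a 90-day expiration policy.
SAMPLE_EXPIRING='Getting account policies for user alice
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>policyCategoryPasswordChange</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * 24 * 60 * 60</string>
            <key>policyIdentifier</key>
            <string>com.example.mdm.expire</string>
            <key>policyParameters</key>
            <dict>
                <key>policyAttributeExpiresEveryNDays</key>
                <integer>90</integer>
            </dict>
        </dict>
    </array>
</dict>
</plist>'

# Constructed sample for an account with only a minimum-length policy (no expiration).
SAMPLE_NO_EXPIRY='Getting account policies for user bob
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>policyCategoryPasswordContent</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>policyAttributePassword matches ".{8,}+"</string>
            <key>policyIdentifier</key>
            <string>com.example.mdm.minlength</string>
        </dict>
    </array>
</dict>
</plist>'

echo "sample alice: expires every $(expiry_days_from_policy "$SAMPLE_EXPIRING") days"
echo "sample bob:   expires every $(expiry_days_from_policy "$SAMPLE_NO_EXPIRY") days"

# On a real Mac, check the signed-in user's local account.
if command -v pwpolicy >/dev/null 2>&1; then
    check_local_account "$(id -un)" || true
fi
```

Run it on the affected Mac after the MDM profile has been pushed; a WARNING line means the expiration policy is still applied to that local account and the user will hit the failure described in the last table row the next time the macOS Password Expiration prompt appears.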

Related topics

Troubleshooting Desktop Password Sync for macOS

Okta Device Access support hub