Link an end user account to macOS

Account linking on macOS for Okta Desktop MFA connects a user's local macOS user account with their Okta identity.

This enables users to sign in to the macOS computer with their Okta MFA factors. If you also want to link their Okta password for the device, use Desktop Password Sync for macOS.

Requirements

  • Okta Verify acts as the bridge between the macOS sign-in process and Okta and handles device registration and user authentication. Use the version downloaded from the Okta Admin Console, as the Apple App Store version doesn't support Okta Device Access features.

  • A Mobile Device Management (MDM) solution like Jamf Pro, Kandji, or Microsoft Intune to deploy the Okta Verify package and the necessary configuration profiles to your macOS devices. These profiles contain the settings that enable Desktop MFA and define its behavior.

  • The Desktop MFA app integration within your Admin Console that's configured for macOS. This app has a unique client ID and client secret that are used in the deployment. Treat the client secret as a credential: distribute it only through the MDM configuration profile, not in scripts or documentation that end users can read. See Create and configure the Desktop MFA app for macOS.
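Because the App Store build of Okta Verify silently lacks the Device Access features, it's worth checking which build actually landed on a device before you troubleshoot a failed link. The following POSIX sh check is an added example for this page, not Okta's own tooling. It relies on one documented Apple fact: an app installed from the Mac App Store carries a receipt at Contents/_MASReceipt/receipt inside its bundle, while a directly downloaded build doesn't. The function names, the /Applications path and the fake bundles it constructs for a self-test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from Okta's documentation or tooling): classify an
# Okta Verify.app bundle as the Mac App Store build or the direct download
# from the Admin Console. Mac App Store installs contain
# Contents/_MASReceipt/receipt; direct downloads do not.
# Function names, paths and fixtures below are assumptions for illustration.

# Print exactly one word: appstore, direct, or missing.
# Always exits 0 so callers can capture the word with $(...) and branch on it.
okta_verify_source() {
    app="$1"
    if [ ! -d "$app/Contents" ]; then
        echo "missing"
    elif [ -f "$app/Contents/_MASReceipt/receipt" ]; then
        echo "appstore"
    else
        echo "direct"
    fi
}

# Exit 0 only when the bundle is a direct (Admin Console) install.
# Exit 1 when it is the App Store build or absent. Usable as an MDM
# extension attribute or as a pre-deployment smoke test.
okta_verify_ok() {
    [ "$(okta_verify_source "$1")" = "direct" ]
}

# Build a constructed fixture with both flavours of bundle so the check can be
# exercised on any POSIX host, not only a Mac with Okta Verify installed.
# Prints the fixture root; the caller removes it when done.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/direct/Okta Verify.app/Contents/MacOS"
    mkdir -p "$root/appstore/Okta Verify.app/Contents/MacOS"
    mkdir -p "$root/appstore/Okta Verify.app/Contents/_MASReceipt"
    : > "$root/appstore/Okta Verify.app/Contents/_MASReceipt/receipt"
    echo "$root"
}

# Report the state of one bundle without ever failing the script.
report() {
    if okta_verify_ok "$1"; then
        echo "OK       $1 (direct download)"
    else
        echo "NOT OK   $1 ($(okta_verify_source "$1"))"
    fi
}

# Demo: the assumed real install path first, then the constructed fixtures.
report "/Applications/Okta Verify.app"
fixture=$(make_fixture)
report "$fixture/direct/Okta Verify.app"
report "$fixture/appstore/Okta Verify.app"
rm -rf "$fixture"
```

On a real Mac, pair this with `codesign -dv --verbose=4 "/Applications/Okta Verify.app"` to confirm the bundle is signed by the expected developer Team ID; the receipt test tells you where the build came from, the signature tells you who built it.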

End user procedure

  1. After you deploy Desktop MFA to a macOS device, the first time a user signs in to that computer the system prompts them to sign in to their Okta account.

  2. The user enters their Okta username.

  3. Okta then issues an MFA challenge, using the methods configured for your org.

    • With the Okta Verify Push method, the most common choice, a push notification is sent to the user's mobile device that has Okta Verify installed, and the user approves the request on their phone. Depending on your org configuration, this can include a number challenge, which protects against users approving pushes they didn't initiate.

    • For the Okta Verify TOTP method, the user enters a code generated by the Okta Verify app on their mobile device.

    • With the FIDO2 security key method, the user authenticates with a security key (such as a YubiKey) that's already registered to their Okta account. See Configure Desktop MFA for macOS to use FIDO2 keys.

  4. After the user successfully completes the MFA challenge, their local macOS account is linked to their Okta identity.

    As part of this process, users are prompted to set up an offline authentication factor. This lets them sign in to their computer when the device is offline or when they don't have access to their primary Okta Verify device. The primary offline factor supported for macOS is an offline one-time password.

  5. After the initial linking, users can continue to sign in to their computer using their Okta credentials and the configured MFA factor.

Related links

Desktop Password Sync for macOS

Desktop MFA for macOS