Configure and deploy Desktop MFA policies for macOS
Limited Early Access release
Set up Desktop MFA for macOS and create managed profiles to enable the MFA workflow on your macOS computers. Use any device management solution that supports deploying macOS installer packages and configuration profiles. These instructions assume the use of Jamf Pro for device management.
When deploying the Desktop MFA MDM profiles, ensure they've been successfully pushed to devices before deploying the macOS Okta Verify package. If the MDM profile doesn't exist on the user's device when the package installer runs, Desktop MFA isn't installed.
Tasks
Upload the Okta Verify for macOS package to your MDM
Upload the Okta Verify for macOS package you downloaded from the Okta Admin Console to your MDM. In Jamf Pro, go to . Click + New to configure the package details.
Configure the Desktop MFA for macOS installation process
- In Jamf, click + New.
- Add a Display Name and select Login for the policy Trigger.
- Next, click Packages, and then click Configure. Locate the Okta Verify package that you uploaded in the previous step and click the Add button next to the package.
- Configure the Distribution point.
- Using the dropdown, select Install as the Action.
- Click Save.
Ensure that the MDM profile has been successfully deployed to end user devices before deploying the macOS Okta Verify package.
Add Desktop MFA policies by plist
- In Jamf, click Configuration Profiles and then click + New.
- Enter a name for the profile.
- Click Application & Custom Settings to configure the payload. Click Upload.
- Click + Add.
- Enter com.okta.deviceaccess.servicedaemon as the Preference Domain.
- Add the values for your organization in plist format. Use the table below the plist example to determine the appropriate parameters for your org.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DMFAClientID</key>
<string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key>
<string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key>
<string>https://add-your-org-URL-with-prefix-here</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>24</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48</real>
<key>AdminEmail</key>
<string>admin@yourorg.com</string>
<key>AdminPhone</key>
<string>111-222-3333</string>
<key>MFARequiredList</key>
<array>
<string>*</string>
</array>
</dict>
</plist>
| Value name | Description | Default value |
| --- | --- | --- |
| LoginPeriodWithoutEnrolledFactor | Sets a grace period, in hours, during which a user can sign in with only a password and without enrolling any factors. Once this grace period has passed, the user must link their account and enroll an offline authentication factor to access the computer. | 48 hours |
| LoginPeriodWithOfflineFactor | If this is set to 0, a user can't log in with offline factors. If LoginPeriodWithoutEnrolledFactor is greater than 0, users are required to sign in with an online factor every X hours. | 24 hours |
| MFANotRequiredList | Users listed in MFANotRequiredList won't have Desktop MFA enforced. This list takes priority over MFARequiredList. Accounts listed here are case sensitive. | Empty |
| MFARequiredList | Some users who have Desktop MFA installed may not be required to use MFA. For example, if local user "john-smith" is named in MFARequiredList, they must use MFA. If a user isn't on this list and Desktop MFA is installed, the user is only prompted for a password. If a user is on this list and Desktop MFA is installed, the user is prompted to use MFA. Accounts listed here are case sensitive. | * (MFA applies to all users) |
| AdminEmail | Enter an email address for end users to get support. | Empty |
| AdminPhone | Add a phone number for end users to get immediate support. | Empty |
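A pre-deployment check for the payload above, added here as an example and not part of Okta's or Jamf's tooling: it parses the plist, flags placeholder values that were never replaced, validates the types the table describes, and models the MFARequiredList / MFANotRequiredList precedence and case-sensitivity rules from the table (the sample payload is constructed from the page's example; the enforcement model is an assumption drawn from the table, not Okta's own implementation).

```python
import plistlib

# Constructed sample: the page's example payload with its placeholder values
# still in place, so the checks below flag them before the profile is deployed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>DMFAClientID</key><string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key><string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key><string>https://add-your-org-URL-with-prefix-here</string>
<key>LoginPeriodWithOfflineFactor</key><real>24</real>
<key>LoginPeriodWithoutEnrolledFactor</key><real>48</real>
<key>AdminEmail</key><string>admin@yourorg.com</string>
<key>AdminPhone</key><string>111-222-3333</string>
<key>MFARequiredList</key><array><string>*</string></array>
</dict></plist>
"""

def load_payload(data: bytes) -> dict:
    """Parse the XML plist that goes into the com.okta.deviceaccess.servicedaemon payload."""
    return plistlib.loads(data)

def lint_payload(p: dict) -> list:
    """Return the problems found in a payload dict (an empty list means it looks deployable)."""
    problems = []
    for key in ("DMFAClientID", "DMFAClientSecret", "DMFAOrgURL"):
        val = p.get(key)
        if not isinstance(val, str) or not val:
            problems.append(f"{key}: missing")
        elif "add-your" in val:  # template text from the page was never replaced
            problems.append(f"{key}: placeholder value not replaced")
    if isinstance(p.get("DMFAOrgURL"), str) and not p["DMFAOrgURL"].startswith("https://"):
        problems.append("DMFAOrgURL: must be an https:// URL including the prefix")
    for key in ("LoginPeriodWithOfflineFactor", "LoginPeriodWithoutEnrolledFactor"):
        val = p.get(key)  # the table gives these in hours; bool is excluded as it subclasses int
        if val is not None and (isinstance(val, bool) or not isinstance(val, (int, float)) or val < 0):
            problems.append(f"{key}: must be a non-negative number of hours")
    for key in ("MFARequiredList", "MFANotRequiredList"):
        val = p.get(key, [])
        if not isinstance(val, list) or not all(isinstance(u, str) for u in val):
            problems.append(f"{key}: must be an array of account-name strings")
    return problems

def mfa_required(p: dict, user: str) -> bool:
    """Assumed model of the table's rules: MFANotRequiredList takes priority over
    MFARequiredList, '*' means every user, names match case-sensitively, default is '*'."""
    if user in p.get("MFANotRequiredList", []):
        return False
    required = p.get("MFARequiredList", ["*"])
    return "*" in required or user in required
```

Run `lint_payload(load_payload(open("payload.plist", "rb").read()))` against the file you intend to upload; an empty list means every placeholder was replaced and the types match the table.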
Next steps
Troubleshoot Desktop MFA for macOS
Users: Set up a device access code for macOS