Configure and deploy Desktop MFA policies

Set up Desktop MFA for macOS and create managed profiles to enable the MFA capability on your macOS computers. Use any device management solution that supports deploying macOS installer packages and configuration profiles. These instructions assume the use of Jamf Pro for device management.

When you deploy the Desktop MFA MDM profiles, ensure that they've been successfully pushed to devices before deploying the macOS Okta Verify package. If the MDM profile doesn't exist on the user's device when the package installer runs, Desktop MFA isn't installed.

Tasks

Upload the Okta Verify for macOS package to your MDM

Upload the Okta Verify for macOS package that you downloaded from the Okta Admin Console to your MDM. In Jamf Pro, go to Settings Computer management Packages. Click + New to configure the package details.

Configure the Desktop MFA for macOS installation process

  1. In Jamf, click Computers Policies and click + New.

  2. Add a Display Name and select Login for the policy Trigger.

  3. Next, click Packages, and then click Configure. Locate the Okta Verify package that you uploaded in the previous step and click the Add button next to the package.

  4. Configure the Distribution point.

  5. Using the dropdown, select Install as the Action.

  6. Click Save.

Ensure that the MDM profile has been successfully deployed to end user devices before deploying the macOS Okta Verify package.

Add Desktop MFA policies by plist

  1. In Jamf, click Configuration Profiles and then click + New.

  2. Enter a name for the profile.

  3. Click Application & Custom Settings to configure the payload. Click Upload.

  4. Click + Add.

  5. Enter com.okta.deviceaccess.servicedaemon as the Preference Domain.

  6. Add the values for your organization in a plist format. Use the table below the plist example to determine the appropriate parameters for your org.

Copy 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DMFAClientID</key>
<string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key>
<string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key>
<string>https://add-your-org-URL-with-prefix-here</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>24</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48</real>
<key>AdminEmail</key>
<string>admin@yourorg.com</string>
<key>AdminPhone</key>
<string>111-222-3333</string>
<key>MFARequiredList</key>
    <array>
    <string>*</string>
    </array>
<key>AccountLinkingMFAFactor</key>
<string>OV_Push</string>    
</dict>
</plist>
Value name Description Value type Default value
AccountLinkingMFAFactor The verification method that you want used when linking an Okta account to the local macOS account. Available options are OV_Push (Okta Verify push notification) and OV_TOTP (Okta Verify Time-based one-time password). String OV_Push
AdminEmail Enter an email address for end users to get support. String Empty
AdminPhone Add a phone number for end users to get support. String Empty
AllowedFactors A list of factors that users can authenticate with. The allowed factors appear in the order that they're listed in your configurations. If no factors are specified, all factors are allowed. Ensure that the factors listed are spelled correctly. Accepted values for AllowedFactors are:

  • OV_Push

  • OV_TOTP

  • Offline_TOTP

  • FIDO2_USB_key

 String array *
DeviceRecoveryPINDuration How long the device recovery PINs are valid after activation. Value is in minutes, with a maximum of five days (7200). See Desktop MFA recovery . Real 60 minutes
DeviceRecoveryValidityInDays Indicates the duration of the device recovery window for Desktop MFA. To successfully authenticate with the recovery PIN, the user must sign in to the device with Desktop MFA while online at least one time during the configured period.

Example for 120-day recovery window: If a user hasn't been online and hasn't signed in with Desktop MFA for over 120 days, they can't use the recovery PIN, even if the PIN is still valid. The user is locked out, and you can't generate a recovery PIN. When the device comes back online, you can generate a recovery PIN and the user can sign in with it.

 Real 90 days minimum
LoginPeriodWithoutEnrolledFactor Sets a grace period, in hours, that a user can sign in with only a password and without enrolling any factors. Once this grace period has passed, the user must link their account and enroll an offline authentication factor to access the computer. Real 48 hours
LoginPeriodWithOfflineFactor If this is set to 0, a user can't log in with offline factors. If LoginPeriodWithoutEnrolledFactor is greater than 0, users are required to sign in with an online factor every X hours. Real 168 hours
MFANotRequiredList Users listed in MFANotRequiredList aren't Desktop MFA enforced. This list takes priority over MFARequiredList. Accounts listed here are case-sensitive. String array Empty
MFARequiredList Some users who have Desktop MFA installed may not be required to use MFA. For example, if a local user "john-smith" is named in MFARequiredList, they must use MFA. If a user isn't on this list and Desktop MFA is installed, the user is only prompted for a password. If a user is on this list and Desktop MFA is installed, the user is prompted to use MFA. Accounts listed here are case-sensitive. String array * MFA applies to all users
OfflineLoginAllowed

When this is set to true, offline factors are shown to the user. This allows the user to enroll an offline authentication factor.

When this is set to false, offline factors are never shown and enforcement of offline factors doesn't happen.

If this policy is changed to true and the LoginPeriodWithoutEnrolledFactor is expired, users are forced to enroll an offline factor.

Boolean, but not string. Example:
<key>OfflineLoginAllowed</key><true/>

True

Enforce number challenge for Desktop MFA

When Desktop MFA users sign in to their computers, they receive a number challenge with any push notification. This provides enhanced security for your org by ensuring that users can only verify their identity when their mobile device and computer are both present.

The Enforce number challenge for Desktop MFA option is found in SecurityGeneralOkta Device Access. This option applies only to users who have Desktop MFA. They receive a number challenge in push notifications when they sign in to their computers.

The Push notification: number challenge option for Okta Verify is found in SettingsAuthenticatorsOkta Verify. This option applies to all org users who authenticate with Okta Verify Push to access their apps. See Configure Okta Verify options.

To disable the number challenge for Desktop MFA, follow these steps:

  1. In the Admin Console, go to SecurityGeneral.
  2. Locate the Okta Device Access section.
  3. Click Edit.
  4. Use the dropdown menu next to Enforce number matching challenge for Desktop MFA to select Disabled.
  5. Click Save.

Next steps

Configure Desktop MFA for macOS to use FIDO2 keys

Desktop MFA recovery

Support your Desktop MFA users