Configure and deploy Desktop MFA policies for macOS

Set up Desktop MFA for macOS and create managed profiles to enable the MFA workflow on your macOS computers. Use any device management solution that supports deploying macOS installer packages and configuration profiles. These instructions assume the use of Jamf Pro for device management.

When you deploy the Desktop MFA MDM profiles, ensure that they've been successfully pushed to devices before deploying the macOS Okta Verify package. If the MDM profile doesn't exist on the user's device when the package installer runs, Desktop MFA isn't installed.

Tasks

Upload the Okta Verify for macOS package to your MDM

Upload the Okta Verify for macOS package you downloaded from the Okta Admin Console to your MDM. In Jamf Pro, go to Settings > Computer management > Packages. Click + New to configure the package details.

Configure the Desktop MFA for macOS installation process

  1. In Jamf, click Computers > Policies and click + New.

  2. Add a Display Name and select Login for the policy Trigger.

  3. Next, click Packages, and then click Configure. Locate the Okta Verify package that you uploaded in the previous step and click the Add button next to the package.

  4. Configure the Distribution point.

  5. Using the dropdown, select Install as the Action.

  6. Click Save.

Ensure that the MDM profile has been successfully deployed to end user devices before deploying the macOS Okta Verify package.

Add Desktop MFA policies by plist

  1. In Jamf, click Configuration Profiles and then click + New.

  2. Enter a name for the profile.

  3. Click Application & Custom Settings to configure the payload. Click Upload.

  4. Click + Add.

  5. Enter com.okta.deviceaccess.servicedaemon as the Preference Domain.

  6. Add the values for your organization in a plist format. Use the table below the plist example to determine the appropriate parameters for your org.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DMFAClientID</key>
<string>add-your-client-ID-here</string>
<key>DMFAClientSecret</key>
<string>add-your-client-secret-here</string>
<key>DMFAOrgURL</key>
<string>https://add-your-org-URL-with-prefix-here</string>
<key>LoginPeriodWithOfflineFactor</key>
<real>24</real>
<key>LoginPeriodWithoutEnrolledFactor</key>
<real>48</real>
<key>AdminEmail</key>
<string>admin@yourorg.com</string>
<key>AdminPhone</key>
<string>111-222-3333</string>
<key>MFARequiredList</key>
<array>
<string>*</string>
</array>
</dict>
</plist>
Value name: LoginPeriodWithoutEnrolledFactor
Description: Sets a grace period, in hours, that a user can sign in with only a password and without enrolling any factors. Once this grace period has passed, the user must link their account and enroll an offline authentication factor to access the computer.
Default value: 48 hours

Value name: LoginPeriodWithOfflineFactor
Description: If this is set to 0, a user can't log in with offline factors. If LoginPeriodWithoutEnrolledFactor is greater than 0, users are required to sign in with an online factor every X hours.
Default value: 24 hours

Value name: MFANotRequiredList
Description: Users listed in MFANotRequiredList won't have Desktop MFA enforced. This list takes priority over MFARequiredList. Accounts listed here are case sensitive.
Default value: Empty

Value name: MFARequiredList
Description: Some users who have Desktop MFA installed may not be required to use MFA. For example, if local user "john-smith" is named in MFARequiredList, they must use MFA. If a user isn't on this list and Desktop MFA is installed, the user is only prompted for a password. If a user is on this list and Desktop MFA is installed, the user is prompted to use MFA. Accounts listed here are case sensitive.
Default value: * (MFA applies to all users)

Value name: AdminEmail
Description: Enter an email address for end users to get support.
Default value: Empty

Value name: AdminPhone
Description: Add a phone number for end users to get immediate support.
Default value: Empty
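The plist above is easy to deploy with a placeholder still in it, a non-https org URL, or a user who appears in both lists (where MFANotRequiredList wins and the account is silently exempt). The following is an added example, not Okta's or Jamf's code: it builds the managed-preferences plist for the com.okta.deviceaccess.servicedaemon domain with Python's plistlib and checks it before you paste it into the Jamf payload. The function names, the https and placeholder checks, and the sample values are this example's own assumptions, not requirements stated by the page.

```python
import plistlib
from urllib.parse import urlparse
PREFERENCE_DOMAIN = "com.okta.deviceaccess.servicedaemon"  # Preference Domain from the page
REQUIRED_STRINGS = ("DMFAClientID", "DMFAClientSecret", "DMFAOrgURL")
PERIOD_KEYS = ("LoginPeriodWithOfflineFactor", "LoginPeriodWithoutEnrolledFactor")
LIST_KEYS = ("MFARequiredList", "MFANotRequiredList")
def build_desktop_mfa_plist(client_id, client_secret, org_url, offline_hours=24.0,
                            unenrolled_hours=48.0, admin_email="", admin_phone="",
                            mfa_required=("*",), mfa_not_required=()):
    """Serialize the managed preferences as the XML plist pasted into the Jamf payload."""
    payload = {
        "DMFAClientID": client_id,
        "DMFAClientSecret": client_secret,
        "DMFAOrgURL": org_url,
        "LoginPeriodWithOfflineFactor": float(offline_hours),  # written as <real>
        "LoginPeriodWithoutEnrolledFactor": float(unenrolled_hours),
        "AdminEmail": admin_email,
        "AdminPhone": admin_phone,
        "MFARequiredList": list(mfa_required),
        "MFANotRequiredList": list(mfa_not_required),
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)
def check_desktop_mfa_plist(data):
    """Return the problems found; an empty list means the payload is ready to upload."""
    try:
        prefs = plistlib.loads(data)
    except plistlib.InvalidFileException as exc:
        return [f"not a valid plist: {exc}"]
    problems = []
    for key in REQUIRED_STRINGS:
        value = prefs.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is missing or empty")
        elif "add-your-" in value:  # template placeholder that was never replaced
            problems.append(f"{key} still contains the template placeholder")
    url = urlparse(prefs.get("DMFAOrgURL") or "")
    if url.scheme != "https" or not url.netloc:
        problems.append("DMFAOrgURL must be an absolute https:// URL")
    for key in PERIOD_KEYS:
        value = prefs.get(key)
        if isinstance(value, bool) or not isinstance(value, (int, float)) or value < 0:
            problems.append(f"{key} must be a non-negative number of hours")
    for key in LIST_KEYS:
        entries = prefs.get(key, [])
        if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
            problems.append(f"{key} must be an array of strings (account names are case sensitive)")
    overlap = set(prefs.get("MFANotRequiredList", [])) & set(prefs.get("MFARequiredList", []))
    if overlap:  # MFANotRequiredList takes priority, so these accounts are exempt
        problems.append(f"accounts listed in both lists are exempt from MFA: {sorted(overlap)}")
    return problems
```

Run the check against the exact bytes you upload; a payload that passes still needs the profile to reach the device before the Okta Verify package installs, as the page notes.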

Enforce number challenge for Desktop MFA

Early Access release. See Enable self-service features.

You can enforce number challenge for Desktop MFA users. Enabling this feature makes all push notifications for Desktop MFA a number challenge, regardless of the authentication policy.

For more information, contact your account representative.

  1. In the Admin Console, go to Settings > Features.

  2. Locate Enforce number challenge for Desktop MFA, and click the toggle to enable the feature.

This provides enhanced security for your org, ensuring that users are only able to verify their identity when they're physically with both the mobile device and the computer.

Next steps

Configure FIDO2 keys for Desktop MFA for macOS

Support your macOS Desktop MFA users