Configure Desktop MFA for macOS

Desktop MFA for macOS adds an extra layer of security to the macOS sign-in process by asking users for additional authentication before allowing computer access. When Desktop MFA for macOS is configured and deployed, users must sign in to their Okta account, and then set up an offline authentication factor within the configurable time limit. If this time limit expires, users are forced to sign in to their Okta account and set up the offline factor.

Configure Desktop MFA in the Okta Admin Console, and then deploy it through your mobile device management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable, and how the Okta org's authentication policies are configured.

Prerequisites

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.

  • Your macOS computers are running a minimum of macOS Monterey (12.0).

  • The Okta Verify authenticator is set up in your org.

  • Okta Verify push notifications are enabled.

  • Users have Okta Verify installed on a mobile device.

  • Devices must be enrolled in mobile device management software that supports the deployment of installer packages and configuration profiles.

  • The Desktop MFA application is available for your organization. If you can't locate the Desktop MFA app in the Okta app catalog, contact your account representative.

Tasks

Create and configure the Desktop MFA app integration

  1. Sign in to your Okta tenant as a super admin.

  2. In the Admin Console, go to SettingsAccountEmbedded widget sign-in support and ensure that the Interaction Code checkbox is selected.

  3. Enable Direct Authentication in the Admin Console. Go to Settings Features, and then enable Direct Authentication.

  4. In the Admin Console, go to ApplicationsApplications.

  5. Click Browse App Catalog and search for Desktop MFA.

  6. Click Add integration.

    If you get an error message saying This feature isn’t enabled, contact your account representative.

  7. On the General Settings page, edit the application label or click Done to accept the default value. The Desktop MFA integration app is created.

  8. Click the app to configure it:

    1. On the Sign on tab, go to the Settings section and click Edit. Click the Application username format dropdown menu and select Okta username prefix.

    2. On the Assignments tab, assign the app to relevant users or groups.

    3. On the General tab, go to the Client Credentials section to find the client ID and secret. The identifier and secret are generated when you create the app integration. Make note of these values. You need them when you configure Desktop MFA for deployment.

  9. Click Save.

When the Desktop MFA app is integrated, a Desktop MFA authentication policy is added to your org. This policy verifies that users who try to sign in with Desktop MFA meet specific conditions, and enforces factor requirements based on those conditions. The Desktop MFA authentication policy shouldn't be modified for any reason. If necessary, you can create a separate authentication policy to meet the needs of your org. See Authentication policies.

Download Okta Verify for macOS

Desktop MFA is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to SettingsDownloads and download the latest Okta Verify for macOS package. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your org, Desktop MFA can be configured and deployed. Contact your account representative for more information.

Next steps

Configure and deploy Desktop MFA policies for macOS