Support your macOS Desktop MFA users

After Desktop MFA is configured and deployed, Okta prompts users to enroll one or more offline authentication factors. These factors allow secure access to the computer's apps and data, even if the computer or the user is offline.

For increased security, Desktop MFA times out after five minutes of inactivity during the enrollment process. This timeout isn't configurable. When the timeout is reached, the device's display is locked and the user must restart the enrollment process from the beginning.

To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop MFA plans. Download the templates from the Launch Kit for Okta Admins, and then copy the appropriate wording to help explain the new authentication process to users.

Establish a bug reporting channel

Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of their Okta Verify mobile app contains a Send Feedback link. Users should tap Report a bug and fill out the form. System Logs are automatically attached, and the report is sent to Okta. Users should then contact someone within your organization for assistance signing in to the computer.

System Logs

System Logs are found at /var/log/com.okta.deviceaccess/OktaDeviceAccess.log. Alternatively, collect a full unified log archive by running the following command from an account with root or sudo access (replace the example start time with the time the issue began):

sudo log collect --start "2023-09-18 12:00:00" --output /tmp && tar cvf /tmp/system_logs.logarchive.tar /tmp/system_logs.logarchive

The output is stored at /tmp/system_logs.logarchive.tar.

Resolve sign-in issues

Ensure that you meet the Prerequisites before you attempt to resolve Desktop MFA issues.

Reset Desktop MFA for all users

Copy and run the following commands from Terminal to reset Desktop MFA for all users. They clear the enrollment, factors, and login history tables on that computer, so users are prompted to enroll their offline factors again at their next sign-in.

sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from enrollment"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from loginhistory"

Delete an offline factor

If you need to remove an offline authentication factor for a user, use the command sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors", which clears the factors table on that computer. Push the command to the user's macOS computer through your MDM to delete the offline factor.

Turn off the Authentication Plugin

If the machine is inaccessible and the end user has access to an admin account, they can sign in to the system using recovery mode. If you're in recovery mode as an administrator, you don't need sudo.

  1. Unlock the disk: click Utilities > Share Disk, and then click the hard disk.

  2. Select Unlock, and then enter the admin password.

  3. Click Share Disk, and then select Quit Share Disk.

  4. Open Terminal and run the following command: rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle

This command removes the Authorization Plugin from the machine, and the user should be able to sign in to the machine.

Remove Desktop MFA from a device

Run the following commands to fully remove Desktop MFA from a macOS device:

  • Remove the symlink to the Auth Plugin in macOS Okta Verify: sudo rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle

  • Stop the Service Daemon: sudo launchctl unload /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist

  • Remove the symlink to the Service Daemon's plist in macOS Okta Verify: sudo rm -f /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist

  • Remove the symlink to the Service Daemon executable in macOS Okta Verify: sudo rm -f /usr/local/bin/OktaDAServiceDaemon

  • Remove the Desktop MFA directory: sudo rm -rf /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/

  • Remove macOS Okta Verify, which removes the Auth Plugin, Service Daemon, and plists: sudo rm -rf "/Applications/Okta Verify.app"
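After running the removal commands above (or the single plugin removal from recovery mode), it is worth confirming that nothing was left behind before handing the device back. The following script is an added example, not Okta's own tooling: it checks each artifact path named in the removal procedure and reports any that still exist. The optional root prefix argument is an assumption added for testing, so the check can be run against a staging directory instead of the live system.

```shell
#!/bin/sh
# Added example (not Okta's tooling): post-removal check for the Desktop MFA
# artifacts named in the removal procedure. Pass a directory as the first
# argument to check a staging copy; with no argument the live system is checked.

# Artifact paths from the removal procedure (trailing slash dropped so that
# the existence tests below work on both files and directories).
dmfa_artifact_list() {
  cat <<'EOF'
/Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle
/Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
/usr/local/bin/OktaDAServiceDaemon
/Library/Application Support/com.okta.deviceaccess.servicedaemon
/Applications/Okta Verify.app
EOF
}

# Prints each Desktop MFA artifact still present under the given root prefix,
# one per line. Dangling symlinks (the plugin and daemon entries are symlinks)
# are caught by the -L test because -e follows the link and would miss them.
# Returns 0 when nothing remains, 1 when at least one path still exists.
dmfa_remaining() {
  root="${1:-}"
  found=0
  while IFS= read -r path; do
    if [ -e "$root$path" ] || [ -L "$root$path" ]; then
      printf '%s\n' "$root$path"
      found=1
    fi
  done <<EOF
$(dmfa_artifact_list)
EOF
  return "$found"
}

# Number of remaining artifacts under a root prefix, for use in scripts.
dmfa_remaining_count() {
  dmfa_remaining "${1:-}" | wc -l | tr -d ' '
}

# Stand-alone usage: `sh dmfa_check.sh` reports on the live system.
if dmfa_remaining "${1:-}"; then
  echo "No Desktop MFA artifacts remain."
else
  echo "Desktop MFA artifacts still present (listed above)."
fi
```

Run it with sudo on the device after the removal steps; a non-empty listing means one of the rm or launchctl commands did not complete and should be repeated for the paths shown.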

Related topics

Okta Device Access Support Hub