Support your Desktop MFA users
After Desktop MFA is configured and deployed, Okta prompts users to enroll one or more offline authentication factors. These factors allow secure access to the computer's apps and data, even if the computer or the user is offline.
For increased security, Desktop MFA times out after five minutes of inactivity during the enrollment process. This timeout isn't configurable. When the timeout is reached, the device's display locks and the user must restart the enrollment process.
To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop MFA plans. Download the templates from the Launch Kit for Okta Admins, and then copy the appropriate wording to help explain the new authentication process to users.
Establish a bug reporting channel
Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of their Okta Verify mobile app contains a Send Feedback link.
Users should tap Report a bug and fill out the form. System Logs are automatically attached, and the report is sent to Okta.
Users should then contact someone within your organization for assistance signing in to the computer.
Desktop MFA Recovery
Request a device recovery PIN
If users don't have access to their Okta Verify-enrolled MFA device and can't sign in to their computer using another authenticator, they should contact your IT administrator. The administrator can provide a temporary device recovery PIN, which grants the user computer access for a limited time.
- Contact the IT administrator. The user should record the computer's name, model, and serial number. This information is required to verify the user's identity and computer. The computer name is available on the macOS sign-in page when they click Contact Admin.
- After the IT administrator has authenticated the user's identity and device, they can provide a recovery PIN that is valid for two minutes. If the two-minute period passes without the user successfully gaining access to their computer, they must request a new recovery PIN from the IT administrator.
- The user enters the PIN provided and confirms that they can access the computer. The PIN allows them to sign in to the computer for as long as the PIN is valid. The IT administrator should tell them when the PIN expires. After the PIN expires, the user needs a new device recovery PIN if they haven't located their Okta Verify-enrolled MFA device or enrolled another authenticator.
- The user should recover the Okta Verify-enrolled MFA device as soon as possible or obtain a new MFA device to enroll in Okta Verify.
System Logs
System Logs are found at /var/log/com.okta.deviceaccess/OktaDeviceAccess.log.
Alternatively, run the following command from an account with root or sudo access: sudo log collect --start "2023-09-18 12:00:00" --output /tmp && tar cvf system_logs.logarchive.tar /tmp/system_logs.logarchive.
The output is stored at /tmp/system_logs.logarchive.tar.
Resolve sign-in issues
Ensure that you meet the requirements listed in Before you begin before you attempt to resolve Desktop MFA issues.
Reset Desktop MFA for all users
Copy and run the following commands from a terminal session to reset Desktop MFA for all users on the computer.
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from enrollment"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from loginhistory"
Delete an offline factor
You can remove an offline authentication factor for a user with the command sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors".
Push the command to the user's macOS computer through your MDM to delete the offline factor.
Desktop MFA prompts the user to re-enroll an offline authentication method the next time they sign in to macOS. If the LoginPeriodWithoutEnrolledFactor policy has expired, the user can't skip the re-enrollment process.
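The reset and delete-an-offline-factor commands above operate directly on the Desktop MFA SQLite store, so a practitioner usually wants a backup of the database before any rows are deleted and a row count afterwards to confirm the result. The script below wraps the same sqlite3 statements that way; it is an added example, not Okta's own tooling. It assumes sqlite3 is on PATH (macOS ships it), that the table names are exactly the ones in the Okta commands (enrollment, factors, loginhistory), and that it runs as root. DMFA_DB is an assumed override so the script can be rehearsed against a copy of the database; the `--apply` argument is likewise an assumption of this example.

```shell
#!/bin/sh
# Added example (not Okta's own tooling): back up the Desktop MFA SQLite store,
# then clear the requested tables in one transaction and report remaining rows.
# Assumes sqlite3 is on PATH and that the table names match the Okta commands.
set -eu

# Default path from the Okta documentation; DMFA_DB is an assumed override
# used to rehearse against a copy of the database.
DMFA_DB="${DMFA_DB:-/Library/Application Support/com.okta.deviceaccess.servicedaemon/OktaDMFA}"

# Print the row count of one table; prints 0 if the table does not exist.
dmfa_count() {
    sqlite3 "$1" "select count(*) from $2;" 2>/dev/null || echo 0
}

# Copy the database to a timestamped .bak next to the original and print the path.
dmfa_backup() {
    db="$1"
    backup="${db}.$(date +%Y%m%d%H%M%S).bak"
    cp "$db" "$backup"
    echo "$backup"
}

# Delete every row from each named table inside a single transaction, after
# taking a backup. Examples:
#   dmfa_reset "$DMFA_DB" factors                           # one offline factor store
#   dmfa_reset "$DMFA_DB" enrollment factors loginhistory   # full reset for all users
dmfa_reset() {
    db="$1"
    shift
    [ -f "$db" ] || { echo "database not found: $db" >&2; return 1; }
    backup=$(dmfa_backup "$db")
    stmts="begin;"
    for t in "$@"; do
        stmts="$stmts delete from $t;"
    done
    stmts="$stmts commit;"
    sqlite3 "$db" "$stmts"
    for t in "$@"; do
        echo "$t: $(dmfa_count "$db" "$t") rows remaining (backup: $backup)"
    done
}

# Only touch the real store when explicitly asked: sudo sh dmfa_reset.sh --apply
if [ "${1:-}" = "--apply" ]; then
    dmfa_reset "$DMFA_DB" enrollment factors loginhistory
fi
```

Pushing this through MDM instead of the bare sqlite3 line leaves a backup beside the database, which is what you restore if a user reports losing a factor they had not expected to re-enroll; the transaction also means the three deletes either all apply or none do.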
Turn off the authentication plugin
If the machine is inaccessible and the end user has access to an admin account, they can sign in to the system using recovery mode. When in recovery mode as an administrator, you don't need to use the sudo command.
- To unlock the disk, click the icon, and then click the hard disk.
- Select Unlock, and then enter the admin password.
- Click Share Disk, and then select Quit Share Disk.
- Open a terminal session and run the following command: rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle
This command removes the authorization plugin from the machine, and the user should be able to sign in to the machine.
Remove Desktop MFA from a device
Run the following commands to fully remove Desktop MFA from a macOS device:
- Remove the symlink to the auth plugin for Okta Verify: sudo rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle
- Stop the service daemon: sudo launchctl unload /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
- Remove the symlink to the service daemon's plist file for Okta Verify: sudo rm -f /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
- Remove the symlink to the service daemon executable for Okta Verify: sudo rm -f /usr/local/bin/OktaDAServiceDaemon
- Remove the Desktop MFA directory: sudo rm -rf /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/
- Remove Okta Verify for macOS, which also removes the auth plugin, service daemon, and plist files: sudo rm -rf "/Applications/Okta Verify.app"
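The removal steps above, and the single plugin removal in Turn off the authentication plugin, are easier to run safely as one script that stops the daemon first, removes only the paths that exist, and then verifies that nothing is left behind. The script below is an added example rather than Okta's own uninstaller. It uses only the paths listed in the steps above; DMFA_ROOT is an assumed prefix so the sequence can be rehearsed against a scratch directory (leave it empty on the real machine), and the `--apply` argument is an assumption of this example. Run it as root.

```shell
#!/bin/sh
# Added example (not Okta's own uninstaller): remove the Desktop MFA components
# named in the Okta documentation in order, then verify that none remain.
# DMFA_ROOT is a constructed prefix for rehearsing against a scratch directory.
set -eu

DMFA_ROOT="${DMFA_ROOT:-}"

# Paths from the Okta documentation, relative to DMFA_ROOT, in removal order.
dmfa_paths() {
    cat <<EOF
$DMFA_ROOT/Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle
$DMFA_ROOT/Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
$DMFA_ROOT/usr/local/bin/OktaDAServiceDaemon
$DMFA_ROOT/Library/Application Support/com.okta.deviceaccess.servicedaemon
$DMFA_ROOT/Applications/Okta Verify.app
EOF
}

# Stop the daemon before its files go away. Skipped when rehearsing under a
# prefix, when launchctl is unavailable, or when the plist is already gone.
dmfa_stop_daemon() {
    plist="$DMFA_ROOT/Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist"
    if [ -z "$DMFA_ROOT" ] && [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist"
    fi
}

# Remove each listed path that exists. rm -rf on a symlink removes the link
# itself, not its target, which is what the Okta steps intend.
dmfa_remove() {
    dmfa_stop_daemon
    dmfa_paths | while IFS= read -r p; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            rm -rf "$p"
            echo "removed: $p"
        fi
    done
}

# Return 0 only when no Desktop MFA artifact (file, directory, or dangling
# symlink) remains; otherwise list what is left on stderr and return 1.
dmfa_verify_removed() {
    remaining=$(dmfa_paths | while IFS= read -r p; do
        if [ -e "$p" ] || [ -L "$p" ]; then echo "$p"; fi
    done)
    if [ -n "$remaining" ]; then
        printf 'still present:\n%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}

# Only act on the real machine when explicitly asked: sudo sh dmfa_remove.sh --apply
if [ "${1:-}" = "--apply" ]; then
    dmfa_remove
    dmfa_verify_removed
fi
```

The verification step matters when this is pushed through MDM: a non-zero exit from dmfa_verify_removed tells you a device still has an authorization plugin or daemon file in place, which is the state that produces a sign-in prompt for a product you believed was removed.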