Troubleshoot Desktop MFA for macOS
Ensure that you meet all of the Prerequisites before you attempt to troubleshoot Desktop MFA.
Reset Desktop MFA for all users
Copy and run the following commands from terminal to reset Desktop MFA for all users.
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from enrollment"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from loginhistory"
Delete an offline factor
If you need to remove an offline authentication factor for a user, use the command sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors". Push the command to the user's macOS computer through your MDM to delete an offline factor.
Turn off the Authentication Plugin
If the machine is inaccessible and the end user has access to an admin account, they can log into the system using recovery mode. If you are in recovery mode as an administrator, you don't need to sudo.
Unlock the disk: click, and then click the hard disk.
Select Unlock, and then enter the admin password.
Click Share Disk, and then select Quit Share Disk.
Open terminal and run the following command: rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle/.
This command removes the Authorization Plugin from the machine, and the user should be able to sign in to the machine.
Remove Desktop MFA from a device
Run the following commands to fully remove Desktop MFA from a macOS device:
Remove the symlink to the Auth Plugin in macOS Okta Verify: sudo rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle
Stop the Service Daemon: sudo launchctl unload /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
Remove the synlink to the Service Daemon's plist in macOS Okta Verify: sudo rm -f /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist
Remove the symlink to the Service Daemon executable in macOS Okta Verify: sudo rm -f /usr/local/bin/OktaDAServiceDaemon
Remove the Desktop MFA directory: sudo rm -rf /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/
Remove macOS Okta Verify, which removes the Auth Plugin, Service Daemon, and plists: sudo rm -rf "/Applications/Okta Verify.app"
Logs are found at /var/log/com.okta.deviceaccess/OktaDeviceAccess.log. Alternatively, run the following command from an account with root or sudo access: sudo log collect --start "2023-09-18 12:00:00" --output /tmp && tar cvf system_logs.logarchive.tar /tmp/system_logs.logarchive.
The output is stored at /tmp/system_logs.logarchive.tar.
Users may see "Unusual sign-in attempt to Desktop MFA" when they use Okta Verify push. To remediate this issue, have the user sign in to yourorg.okta.com from the desktop computer.
If the username associated with a user changes, Okta Verify considers it a new user and the existing offline factors don't work. Have the user enroll their offline methods again to gain offline access using Desktop MFA.