Troubleshoot Desktop MFA for macOS

Ensure that you meet all of the Prerequisites before you attempt to troubleshoot Desktop MFA.

Reset Desktop MFA for all users

Copy and run the following commands from terminal to reset Desktop MFA for all users.

sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from enrollment"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors"
sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from loginhistory"

Delete an offline factor

If you need to remove an offline authentication factor for a user, use the command sudo sqlite3 /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/OktaDMFA "delete from factors". Push the command to the user's macOS computer through your MDM to delete an offline factor.

Turn off the Authentication Plugin

If the machine is inaccessible and the end user has access to an admin account, they can log into the system using recovery mode. If you are in recovery mode as an administrator, you don't need to sudo.

  1. Unlock the disk: click Utilities > Share Disk, and then click the hard disk.

  2. Select Unlock, and then enter the admin password.

  3. Click Share Disk, and then select Quit Share Disk.

  4. Open terminal and run the following command: rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle/.

This command removes the Authorization Plugin from the machine, and the user should be able to sign in to the machine.

Remove Desktop MFA from a device

Run the following commands to fully remove Desktop MFA from a macOS device:

  • Remove the symlink to the Auth Plugin in macOS Okta Verify: sudo rm -rf /Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle

  • Stop the Service Daemon: sudo launchctl unload /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist

  • Remove the symlink to the Service Daemon's plist in macOS Okta Verify: sudo rm -f /Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist

  • Remove the symlink to the Service Daemon executable in macOS Okta Verify: sudo rm -f /usr/local/bin/OktaDAServiceDaemon

  • Remove the Desktop MFA directory: sudo rm -rf /Library/Application\ Support/com.okta.deviceaccess.servicedaemon/

  • Remove macOS Okta Verify, which removes the Auth Plugin, Service Daemon, and plists: sudo rm -rf "/Applications/Okta"
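The steps above as a single script, added here as an example rather than Okta's own tooling: it counts which of the four on-disk components are still present, stops the daemon, removes them, and lets you confirm the count is zero afterwards. The ROOT prefix argument is an assumption introduced so the script can be rehearsed against a scratch directory before it is pushed through MDM; on a real Mac it is the empty string. Removing the Okta Verify app itself (the last bullet) is left to the admin.

```shell
#!/bin/sh
# Added example (not Okta's own tooling): inventory the Desktop MFA components
# the page lists, remove them, and confirm nothing is left. ROOT is an assumed
# prefix so the script can be rehearsed in a scratch directory; on a Mac it is "".
set -u

# Relative paths of the four on-disk components, taken from the page.
DMFA_PLUGIN="/Library/Security/SecurityAgentPlugins/OktaDAAuthPlugin.bundle"
DMFA_PLIST="/Library/LaunchDaemons/com.okta.deviceaccess.servicedaemon.plist"
DMFA_DAEMON="/usr/local/bin/OktaDAServiceDaemon"
DMFA_DATA="/Library/Application Support/com.okta.deviceaccess.servicedaemon"

# Print how many components still exist under ROOT. A dangling symlink (the
# daemon and plist are symlinks into Okta Verify) still counts, hence -L.
dmfa_remaining() {
  root=$1
  n=0
  for rel in "$DMFA_PLUGIN" "$DMFA_PLIST" "$DMFA_DAEMON" "$DMFA_DATA"; do
    if [ -e "$root$rel" ] || [ -L "$root$rel" ]; then
      n=$((n + 1))
      echo "present: $root$rel" >&2
    fi
  done
  echo "$n"
}

# Stop the daemon before deleting files so it cannot re-create state mid-way,
# then remove the remaining components. launchctl only runs for a real root.
dmfa_remove() {
  root=$1
  if [ -z "$root" ] && [ -e "$DMFA_PLIST" ]; then
    launchctl unload "$DMFA_PLIST"
  fi
  rm -rf "$root$DMFA_PLUGIN"
  rm -f "$root$DMFA_PLIST"
  rm -f "$root$DMFA_DAEMON"
  rm -rf "$root$DMFA_DATA"
}

# Real run, as root: DMFA_RUN=1 sudo sh dmfa_remove.sh
# The env-var guard keeps the script inert when it is sourced for rehearsal.
if [ "${DMFA_RUN:-}" = 1 ]; then
  echo "before: $(dmfa_remaining "") component(s)"
  dmfa_remove ""
  echo "after: $(dmfa_remaining "") component(s)"
fi
```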

System Logs

Logs are found at /var/log/com.okta.deviceaccess/OktaDeviceAccess.log. Alternatively, collect a unified log archive from an account with root or sudo access, setting --start to the beginning of the time window you want to capture: sudo log collect --start "2023-09-18 12:00:00" --output /tmp && tar cvf /tmp/system_logs.logarchive.tar -C /tmp system_logs.logarchive. (log collect writes /tmp/system_logs.logarchive; the tar command then packages it in /tmp rather than in the current directory.)

The output is stored at /tmp/system_logs.logarchive.tar.

Known issues

  • Users may see "Unusual sign-in attempt to Desktop MFA" when they use Okta Verify push. To remediate this issue, have the user sign in from the desktop computer.

  • If the username associated with a user changes, Okta Verify considers it a new user and the existing offline factors don't work. Have the user enroll their offline methods again to gain offline access using Desktop MFA.