Platform SSO for macOS

Okta uses Apple's Platform Single Sign-on (Platform SSO, or PSSO) to simplify authentication on macOS by letting users sign in with a single set of credentials. This reduces password fatigue, streamlines device provisioning, and improves security while keeping the sign-in experience consistent across your organization.

Platform SSO integrates deeply with macOS to provide passwordless or password-synced authentication directly from the macOS login window, supporting your enterprise's evolving security and usability needs.

What problems does PSSO solve?

PSSO is designed to address a range of security and user experience challenges in the modern enterprise:

  • Device provisioning: Enroll devices and link Okta accounts during initial macOS setup, including Okta FastPass enrollment. This reduces IT overhead and deployment time.

  • User experience: Enable frictionless authentication directly from the macOS login window without context switching.

  • Flexible security options: Choose between password-synced or passwordless authentication based on your organization's security requirements.

  • Enhanced security posture: Create Device-Bound SSO sessions, backed either by a Secure Enclave-backed key or by Desktop Password Sync.

Choose your Platform SSO authentication method

Before you begin configuring your devices, you must make a strategic decision between two different authentication methods: Secure Enclave-backed keys or Desktop Password Sync. This choice defines your security posture and the user experience on macOS devices.

After deciding on your strategy, you can follow the implementation guide for your specific MDM, with instructions on how to set the appropriate authentication method.

The following table summarizes the available features for each authentication method:

Feature | Secure Enclave | Desktop Password Sync

Support on macOS 14 Sonoma and later

Touch ID support for unlock

Platform SSO setup requires MFA

Support for Platform SSO enrollment through Apple Setup Assistant

Automatically enroll users in Okta FastPass

Create a Device-Bound SSO session with Okta FastPass plus a user verification claim

Create a Device-Bound SSO session with a password claim

Local macOS password synced with Okta

Self-service device account creation using Okta credentials

Secure Enclave-backed Key

When Platform SSO is configured to use a Secure Enclave-backed key, Okta delivers passwordless authentication after a user signs in to their macOS device. Users authenticate seamlessly using biometrics or device-bound credentials, eliminating the need for password synchronization while maintaining enterprise-grade security.

Key benefits of Secure Enclave-backed keys

  • Passwordless authentication removes passwords from the app sign-in process entirely, reducing your credential exposure and attack surface.

  • Hardware-backed security uses Apple's Secure Enclave to store and manage authentication credentials with enterprise-grade protection.

  • Biometric-first experience enables Touch ID and other biometric authentication methods for an intuitive, frictionless sign-in flow.

  • Simplified credential management eliminates the requirement for password synchronization.

  • Streamlined device provisioning supports enrollment through the Apple Setup Assistant during initial device setup.

  • Standards compliance helps you to meet evolving regulatory requirements for passwordless, hardware-backed authentication.

User experience with Secure Enclave-backed keys

Secure Enclave-backed keys allow users to authenticate to their device using either Touch ID or a local, device-bound knowledge factor (the local account password) after the initial authentication.

When a user signs in to their macOS device, Platform SSO gains access to a hardware-bound cryptographic key that is generated in, and never leaves, the device's Secure Enclave. PSSO uses this key to create a Device-Bound SSO session. That session satisfies any subsequent authentication policy evaluation that requires Okta FastPass together with user verification through a device passcode or biometrics.

Desktop Password Sync

This method uses Platform Single Sign-on (Platform SSO) to synchronize the user's local macOS account password to their Okta password. The user has only one password for both their device and their Okta-protected apps.

Key benefits of Desktop Password Sync

  • For organizations not yet ready for a fully passwordless experience, Desktop Password Sync eliminates the confusion and help desk tickets caused by out-of-sync local and cloud passwords.

  • A familiar and consistent sign-in experience for users.

  • Streamlined device provisioning supports enrollment through the Apple Setup Assistant during initial device setup.

  • Just-In-Time Local Account Creation lets users create a new local account on an already deployed Mac by signing in with their Okta credentials, so IT admins don't have to pre-create local accounts.

User experience with Desktop Password Sync

For an existing macOS account, the user signs in to their device with their existing local password. They receive a prompt to register the device and link their local account with Okta. After registration is complete, Desktop Password Sync replaces the user's local macOS password with their Okta password, and from then on users sign in to macOS with their Okta password.

The registration flow for PSSO also enrolls users in Okta FastPass and may enable Touch ID.

For a new macOS device, when the user powers on the system, they advance through the Apple Setup Assistant. However, instead of the standard macOS Create a Computer Account page, the user is presented with an Okta sign-in window.

The user then authenticates with their Okta email, password, and any required MFA. After a successful authentication, a local macOS account is automatically created and linked to their Okta identity.

PSSO can also create a Device-Bound SSO session when a user signs in to their macOS device with their password. This session satisfies any subsequent authentication policy evaluation that requires user verification through a password.

Just-In-Time Local Account Creation

Just-In-Time (JIT) Local Account Creation is a feature of Okta's Desktop Password Sync. This allows for on-demand creation of new user accounts on a macOS device that has already been deployed.

JIT Local Account Creation is a separate concept from the initial identity-first onboarding flow through the Apple Setup Assistant. This feature requires a password to create the new local account and is therefore only available when you configure PSSO to use Desktop Password Sync.

See Just-In-Time Local Account Creation for macOS.

Before you begin

To configure and deploy PSSO, your environment needs to meet the following requirements:

  • You have an Okta Identity Engine org with Okta Device Access enabled.

  • You have the necessary admin permissions to configure Okta apps in your org and in your Mobile Device Management solution.

  • The Okta Verify authenticator is set up and configured for your org.

  • macOS devices are running a supported operating system version on Apple silicon. See Supported platforms for Okta Verify.

  • Download the latest version of Okta Verify for macOS through the Okta Admin Console. See Download Okta Verify for macOS.

  • Add and configure the Platform SSO app to your Okta org. If you can't locate the app in the app catalog, contact your account representative.

  • Configure Device Access certificates.

  • Devices are managed using a Mobile Device Management (MDM) solution.

  • Apple Automated Device Enrollment (ADE) is required for Setup Assistant on devices running macOS 26 Tahoe and later.

  • If your org configuration for Okta FastPass requires biometrics, users with existing macOS accounts must set up Touch ID before starting the PSSO enrollment flow.

Other requirements for Desktop Password Sync

  • Disable macOS password expiration with your MDM before deploying. A locally enforced expiration forces a local password change that Okta never sees, so the two passwords drift apart. If your org requires password rotation, add password expiration to the Okta accounts that require it so that rotation is driven by Okta and synced back to the device.

  • Users must have a password configured.

  • Users can only register one Okta account per device. For example, consider a scenario where a user is enrolled in Desktop Password Sync as jane@example.com and syncs using the local account on the device. That means jane@example.com can't enroll a second local account on that device with the same Okta credentials unless the device is restored to factory settings.

Mobile Device Management configuration guides

To set up either Desktop Password Sync or a Secure Enclave-backed Key for your macOS devices, you can use any MDM solution that can deploy Apple's Extensible Single Sign-on payload (com.apple.extensiblesso) with its Platform SSO configuration.

The MDM creates managed profiles and deploys payloads to enable PSSO on your devices.
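The following is an added example, not Okta's or Apple's code, showing what that Extensible SSO payload looks like for each authentication method and a preflight check for the Desktop Password Sync prerequisites listed under Before you begin (local password expiration disabled; JIT local account creation only with the Password method). The payload keys are Apple's documented com.apple.extensiblesso and PlatformSSO keys; the Okta extension identifier, team ID, org URL and payload identifiers are placeholder assumptions that you must confirm against the configuration guide for your MDM.

```python
"""Build and preflight the Extensible SSO payload that enables Platform SSO.

Added example (not Okta's or Apple's code). Payload keys follow Apple's
com.apple.extensiblesso / PlatformSSO schema; the Okta extension identifier,
team ID and org URL are placeholder assumptions to confirm against your MDM guide.
"""
import plistlib
import uuid

OKTA_EXTENSION_ID = "com.okta.mobile.auth-service-extension"  # assumed
OKTA_TEAM_ID = "B7F62B65BN"                                    # assumed
OKTA_ORG_URL = "https://example.okta.com"                      # placeholder org

SECURE_ENCLAVE = "UserSecureEnclaveKey"   # Secure Enclave-backed key
DESKTOP_PASSWORD_SYNC = "Password"        # Desktop Password Sync


def platform_sso_payload(method, jit_accounts=False):
    """Return the com.apple.extensiblesso payload dict for the chosen PSSO method."""
    if method not in (SECURE_ENCLAVE, DESKTOP_PASSWORD_SYNC):
        raise ValueError(f"unsupported AuthenticationMethod: {method}")
    if jit_accounts and method != DESKTOP_PASSWORD_SYNC:
        # JIT local account creation needs a password, so it only works with
        # Desktop Password Sync.
        raise ValueError("EnableCreateUserAtLogin requires AuthenticationMethod=Password")
    platform_sso = {"AuthenticationMethod": method, "UseSharedDeviceKeys": True}
    if jit_accounts:
        platform_sso["EnableCreateUserAtLogin"] = True
        platform_sso["NewUserAuthorizationMode"] = "Standard"  # new accounts are not admins
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": f"com.example.psso.{method.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ExtensionIdentifier": OKTA_EXTENSION_ID,
        "TeamIdentifier": OKTA_TEAM_ID,
        "Type": "Redirect",
        "URLs": [OKTA_ORG_URL],
        "PlatformSSO": platform_sso,
    }


def preflight(payloads):
    """Flag profile payloads that violate the Desktop Password Sync prerequisites.

    Returns a list of problem strings; an empty list means the profile is safe to deploy.
    """
    problems = []
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return ["expected exactly one com.apple.extensiblesso payload"]
    pso = sso[0].get("PlatformSSO", {})
    method = pso.get("AuthenticationMethod")
    if method == DESKTOP_PASSWORD_SYNC:
        for p in payloads:
            # Passcode payload: a non-zero maxPINAgeInDays forces a *local* password
            # change that Okta never sees, so the two passwords drift apart.
            if (p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"
                    and p.get("maxPINAgeInDays", 0) > 0):
                problems.append("maxPINAgeInDays=%d: disable local password expiration; "
                                "rotate passwords in Okta instead" % p["maxPINAgeInDays"])
    elif pso.get("EnableCreateUserAtLogin"):
        problems.append("EnableCreateUserAtLogin needs AuthenticationMethod=Password")
    return problems


def build_profile(payloads, display_name="Okta Platform SSO"):
    """Wrap payloads in a .mobileconfig (XML plist) as an MDM would deploy it."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": "com.example.psso",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed sample: a DPS profile shipped next to a passcode policy that
    # still rotates local passwords every 90 days.
    passcode = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
                "PayloadIdentifier": "com.example.passcode",
                "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
                "maxPINAgeInDays": 90}
    dps = platform_sso_payload(DESKTOP_PASSWORD_SYNC, jit_accounts=True)
    print(preflight([dps, passcode]))   # flags maxPINAgeInDays=90
    passcode["maxPINAgeInDays"] = 0     # rotation is handled in Okta instead
    print(preflight([dps, passcode]))   # nothing to report
    print(build_profile([platform_sso_payload(SECURE_ENCLAVE)]).decode())
```

The only field that changes between the two methods is PlatformSSO.AuthenticationMethod; everything else in the payload is shared. Run preflight over the full set of payloads your MDM will scope to the same devices, not just the SSO profile, because the conflicting passcode policy usually lives in a different profile.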

PSSO Method

Configuration guide

Secure Enclave

Desktop Password Sync