Desktop Password Sync for macOS

The Desktop Password Sync feature for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to reduce the number of passwords that users need to remember.

When you configure and deploy Desktop Password Sync, users are prompted to register the device and link their local account with Okta. After registration is complete, the local account password syncs with the Okta password, and users can use their Okta password to sign in to macOS. Desktop Password Sync replaces a user's local macOS password with the user's Okta password.

Set up the Platform Single Sign-on app in the Admin Console, and then configure the device management profiles in your mobile device management (MDM) solution. You can push the profiles to specific users or groups for immediate registration.

Depending on your configuration, the registration flow for Desktop Password Sync enrolls users in Okta FastPass and may enable Touch ID. If Okta FastPass requires biometrics based on your admin and org configurations, users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

Okta supports Platform SSO for macOS computers using macOS 13 Ventura and later. Support for Platform SSO 2.0 is available for macOS computers using macOS 14 Sonoma and later. Platform SSO 2.0 allows users to use Desktop Password Sync directly from the macOS login window.

If your org is using Platform SSO 2.0, users can only register one Okta account per device. For example, if a user is enrolled in Desktop Password Sync as user@company.com and syncs using the local account on the device, then user@company.com can't enroll a second local account with the same Okta user until the device is restored to the factory settings. See Support your macOS users.

Tasks

Follow these steps in sequence to avoid configuration issues:

Prerequisites

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.
  • The Okta Verify authenticator is set up in your org.
  • Your macOS computers are running a minimum of macOS 13 Ventura.
    • If your computers are running macOS 14 Sonoma or later, use the Platform SSO 2.0 protocol.
    • To use Platform SSO 2.0, configure Device Access SCEP certificates before configuring the app integration.
  • Enroll devices using mobile device management (MDM) software that supports deployment of payloads.
  • Users must have a password configured. This differs from a passwordless sign-in flow: in a passwordless flow a password still exists in the background but remains unused during authentication, whereas truly passwordless users have no password set at all.
  • The Platform Single Sign-on app is available for your org. If you can't locate the app in the app catalog, contact your account representative.
  • Optional. If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the enrollment flow.
  • Disable macOS password expiration with your MDM before deploying. If your org requires password rotation, add password expiration to the Okta accounts that require it.
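The device-side prerequisites above (a supported macOS version and the Platform SSO protocol it implies, the presence of Okta Verify, and the current registration state) can be checked on the Mac itself. The script below is an added example, not Okta's documentation or tooling; it assumes Okta Verify installs to /Applications/Okta Verify.app and uses the macOS sw_vers and app-sso commands, while the version-to-protocol mapping runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not part of Okta's documentation or tooling: a local readiness
# check for the Desktop Password Sync prerequisites verifiable on the Mac itself.
# Assumptions: macOS reports versions as MAJOR.MINOR[.PATCH]; Okta Verify from the
# Admin Console installs to /Applications/Okta Verify.app (adjust for your fleet).

# Map a macOS version to the Platform SSO protocol this page calls for:
# 13.x -> 1.0, 14.x and later -> 2.0, anything older or unparsable -> unsupported.
psso_protocol_for_macos() {
  major=${1%%.*}
  case "$major" in
    ''|*[!0-9]*) echo unsupported; return 0 ;;
  esac
  if [ "$major" -ge 14 ]; then
    echo 2.0
  elif [ "$major" -eq 13 ]; then
    echo 1.0
  else
    echo unsupported
  fi
}

# Run the host checks; return 1 if any hard prerequisite is missing.
check_local_host() {
  rc=0
  ver=$(sw_vers -productVersion)
  proto=$(psso_protocol_for_macos "$ver")
  if [ "$proto" = unsupported ]; then
    echo "FAIL macOS $ver is below macOS 13 Ventura"; rc=1
  else
    echo "OK   macOS $ver: deploy the Platform SSO $proto profile"
  fi
  if [ -d "/Applications/Okta Verify.app" ]; then
    echo "OK   Okta Verify is installed"
  else
    echo "FAIL Okta Verify not found; install the Admin Console build, not the App Store one"; rc=1
  fi
  # Platform SSO registration state as macOS sees it (informational: an
  # unregistered device is expected before the user completes enrollment).
  echo "---- app-sso platform -s"
  app-sso platform -s 2>/dev/null || echo "app-sso not available on this host"
  return $rc
}

# Only the host checks need macOS tools; the version mapping runs anywhere.
if [ "$(uname)" = Darwin ]; then check_local_host; fi
```

Run it as the logged-in user before pushing the profiles; a FAIL line means the device is not ready for the enrollment flow regardless of the Admin Console configuration.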

Create and configure the Platform Single Sign-on app

  1. Sign in to your Okta org as a super admin.

  2. In the Admin Console, go to Applications > Applications > Catalog.

  3. Search for Platform Single Sign-on and select the app. This is the new name for Desktop Password Sync within the Admin Console.

  4. Click Add integration. If you get an error message saying "This feature isn't enabled", contact your account representative.

  5. Open Platform Single Sign-on from your Applications list.

    • On the General tab, you can edit the app label or use the default label.

    • On the Sign on tab, make note of the Client ID. You need this when creating the managed app configuration in your MDM.

    • To use Desktop Password Sync, users must have the Platform Single Sign-on app assigned. Assign the app to individual users or groups on the Assignments tab.

  6. Click Save.

Download Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication.

In the Admin Console, go to Settings > Downloads and download Okta Verify for macOS. Don't download the Okta Verify package from the Apple App Store.

If the Okta Device Access product is enabled for your org, you can configure and deploy Desktop Password Sync. Contact your account representative for more information.

Next step

Configure device management profiles