Get started with Desktop Password Sync
Okta Desktop Password Sync for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to reduce the number of passwords that users need to remember. When you configure and deploy Desktop Password Sync, users are prompted to register the device and link their local account with Okta. After registration is complete, the local account password syncs with the Okta password, and users can use their Okta password to sign in to macOS. Desktop Password Sync replaces a user's local macOS password with the user's Okta password.
Set up the Desktop Password Sync app integration in the Admin Console, and then configure the device management profiles in your mobile device management (MDM) solution. You can push the profiles to specific users or groups for immediate registration.
Depending on your configuration, the registration flow for Desktop Password Sync enrolls users in Okta FastPass and may enable Touch ID. If Okta FastPass requires biometrics based on your admin and org configurations, users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.
Okta supports Platform SSO for macOS computers using Ventura (13.0) and later. Support for Platform SSO 2.0 is available for macOS computers using Sonoma (14.0) and later. Platform SSO 2.0 allows users to use Desktop Password Sync directly from the macOS login window.
If your org is using Platform SSO 2.0, users can only register one Okta account per device. For example, if a user is enrolled in Desktop Password Sync as user@company.com and has synced with the local account on the device, user@company.com isn't able to enroll a second local account with the same Okta user unless the device has been restored to its factory settings. See Support your users.
Tasks
- Create and configure the Platform Single Sign-on app integration
- Device Access SCEP certificates
- Configure device management profiles
- Update Desktop Password Sync for macOS 14
- Update Desktop Password Sync for macOS 15
- Support your users
Prerequisites
Ensure that you meet these requirements:
- Your Okta Identity Engine org is available.
- The Okta Verify authenticator is set up in your org.
- Your macOS computers are running a minimum of macOS Ventura (13.0 and later. Best practice is 13.5).
- If your computers are running macOS Sonoma (14.0) or later, use the Platform SSO 2.0 protocol.
- To use Platform SSO 2.0, Device Access SCEP certificates before configuring the app integration.
- Devices must be enrolled in mobile device management (MDM) software that supports deployment of payloads.
- Users must have a password configured. Note that this is different from a passwordless sign-in flow. During a passwordless sign-in flow, there's a password in the background but it remains unused during authentication. True passwordless users have no password set.
- The Platform Single Sign-on app is available for your org. If you can't locate the app in the app catalog, contact your account representative.
- Optional: If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the enrollment flow.
- Disable macOS password expiration with your MDM before deploying.
- If your org requires password rotation, add password expiration to the Okta accounts that require it.
Create and configure the Platform Single Sign-on app integration
-
Sign in to your Okta tenant as a super admin.
-
In the Admin Console, go to .
-
Search for Platform Single Sign-on and select the app. This is the new name for Desktop Password Sync within the Okta Admin Console.
-
Click Add integration. If you get an error message saying This feature isn't enabled, contact your account representative.
-
Open Desktop Password Sync from your Applications list to configure it:
-
On the General tab, you can edit the application label or use the default label.
-
On the Sign on tab, make note of the Client ID. You need this when creating the managed app configuration in your MDM.
-
Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.
-
-
Click Save.
Download Okta Verify for macOS
Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go and download Okta Verify for macOS. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your org, Desktop Password Sync can be configured and deployed. Contact your account representative for more information.