Troubleshoot Desktop Password Sync for macOS

When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync. The synced password grants access to anything that previously required the local account password. If a user changes their Okta password, they need to lock the computer and then unlock it with the updated password so that the service can sync the device password with the IdP password.

Incorrect password

If you have an MDM password policy (for example, a minimum password length) and the user's Okta password doesn't satisfy the requirements, the password sync fails. The user sees Apple's visual indicator that the password is incorrect, even if the credentials are entered correctly. To work around this issue, try one of the following methods:

  • Change the MDM password policy to match the Okta password requirements.

  • Change the Okta password requirements to match the MDM password policy. See Configure the Password authenticator.

  • Ask users to sign in to the End-User Dashboard and update their Okta password to meet the MDM policy requirements.

  • Ask users not to reuse old passwords.

Registration reset

If users don't receive the registration required notification, you can reset the device's registration by removing the payload from the device and then reassigning it.

  1. In your MDM, look for the Desktop Password Sync configuration profile you created.

  2. Open the profile and click Edit.

  3. On the Scope tab, remove the target for the device you want to reset.

  4. Save the changes.

  5. Redistribute the profile to all devices.

  6. On the macOS device, confirm that the profile has been removed from Privacy & Security Profiles.

  7. Ensure all SSO extension profiles, including credential extensions, have been removed.

  8. Restart the device.

  9. In your MDM, reassign the profile to the device.

  10. On the macOS device, confirm that the profile was pushed to the device successfully.

  11. Wait for the registration request notification, and then register the device.

Multiple accounts

Multiple accounts per user aren't supported in Desktop Password Sync. If a user attempts to create an additional account, the Identity Provider notification doesn't appear, and the user's password isn't synced. To resolve this issue, delete the deviceSSO directory at ~/Library/Group Containers/

Known issues

  • Customers deploying Desktop Password Sync on non-English macOS computers should deploy Okta Verify version 9.1.0. Previous versions of Okta Verify may fail to complete enrollment on macOS computers using languages other than English.

  • In Okta Verify version 9.0, the Desktop Password Sync registration fails if your org has a custom domain. The issue has been resolved in Okta Verify version 9.1. If you encounter registration errors, ensure you're using Okta Verify version 9.1.

  • Localization isn't available for Apple-controlled dialogs.

  • If you have Okta Verify and Desktop Password Sync running and try to delete the app, an error appears saying the app can't be deleted due to extensions running. To work around this issue, upgrade macOS to version 13.5, or try the following steps:

    1. Quit the Okta Verify app.

    2. Quit Okta Verify's SSO extension (SSOe):

      1. In Terminal, enter the command ps -ax | grep AppSSOAgent.

      2. If there's only one entry in the list of results (the grep command itself), Okta Verify's SSOe isn't running.

      3. If there's more than one entry, copy the PID of the first one.

      4. In Terminal, enter the command kill <pid>.

      5. Run the ps -ax | grep AppSSOAgent command again and ensure you only see one entry.

    3. Delete the Okta Verify app.
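The SSOe check above is easy to misread because the grep command matches its own command line. The following script is an added example, not part of Okta's documentation, that performs the same ps -ax check but filters out the grep line before counting, so "not running" is reported as zero AppSSOAgent processes rather than "one entry". The sample ps output, including the path shown in the CMD column, is constructed for the demonstration and is not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the Okta page): evaluate the "ps -ax | grep AppSSOAgent"
# check without counting the grep process itself.

# count_ssoe_processes: read ps output on stdin and print the number of
# AppSSOAgent processes, excluding the grep command's own line.
count_ssoe_processes() {
  grep 'AppSSOAgent' | grep -v 'grep' | wc -l | tr -d ' '
}

# ssoe_pids: read ps output on stdin and print the PID (first column) of each
# AppSSOAgent process, one per line.
ssoe_pids() {
  grep 'AppSSOAgent' | grep -v 'grep' | awk '{print $1}'
}

# Constructed sample ps output (path is a placeholder, not the real binary
# location): the "more than one entry" case, the agent plus the grep line.
SAMPLE_PS_RUNNING='  PID TTY           TIME CMD
  512 ??         0:03.21 /placeholder/path/AppSSOAgent
 9001 ttys000    0:00.00 grep AppSSOAgent'

# Constructed sample where only the grep line matches: SSOe is not running.
SAMPLE_PS_STOPPED='  PID TTY           TIME CMD
 9002 ttys000    0:00.00 grep AppSSOAgent'

# check_ssoe: report whether SSOe is running on this Mac and list its PIDs.
# Pass "stop" to also send SIGTERM (the kill <pid> step) to each AppSSOAgent
# process, so the grep line can never be the one that gets killed.
check_ssoe() {
  ps_out=$(ps -ax)
  n=$(printf '%s\n' "$ps_out" | count_ssoe_processes)
  if [ "$n" -eq 0 ]; then
    echo "Okta Verify's SSOe is not running"
    return 0
  fi
  echo "SSOe is running with $n process(es):"
  printf '%s\n' "$ps_out" | ssoe_pids
  if [ "$1" = "stop" ]; then
    printf '%s\n' "$ps_out" | ssoe_pids | while read -r pid; do
      kill "$pid"
    done
  fi
}

# Demonstrate the counting logic on the constructed samples.
printf 'running sample: %s AppSSOAgent process(es), PIDs: %s\n' \
  "$(printf '%s\n' "$SAMPLE_PS_RUNNING" | count_ssoe_processes)" \
  "$(printf '%s\n' "$SAMPLE_PS_RUNNING" | ssoe_pids | tr '\n' ' ')"
printf 'stopped sample: %s AppSSOAgent process(es)\n' \
  "$(printf '%s\n' "$SAMPLE_PS_STOPPED" | count_ssoe_processes)"
```

On the device itself, source the script and run check_ssoe to see the live state, or check_ssoe stop before deleting the app; the PIDs it acts on come only from AppSSOAgent lines, never from the grep line.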

Report issues or bugs in Okta Verify

  1. If possible, attempt to reproduce the problem.

  2. Click the Okta Verify app icon in the Menu bar.

  3. Click Report Issue.

  4. Enter a title and a description of the problem. System Logs are automatically attached.