Support your macOS users
When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync: the local account password is replaced with the Okta password. The synced password unlocks everything on macOS that previously required the local account password. If a user changes their Okta password, they must sync it to the device by locking the computer and then unlocking it with the updated password; this lets the service bring the device password and the Identity Provider (IdP) password back in line.
- When you upgrade Desktop Password Sync to use Platform Single Sign-on (Platform SSO) 2.0, syncing is also supported at the macOS login window.
- macOS 15 Sequoia also introduced password syncing at the FileVault window on physical Apple silicon Mac computers.
To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop Password Sync plans. Download the templates from the Launch Kit for Okta Admins, and then use the appropriate wording to explain the new authentication process to users.
Account lockouts
When using the Desktop Password Sync feature, a user must enter their Identity Provider (IdP) password at the macOS login window to ensure that their passwords are synchronized.
However, if the user's IdP password is a random string of characters and symbols, it is hard to memorize. The screen where the user enters their IdP password shows only asterisks as they type, and without a way to reveal the entered characters users have no way to check their input.
If you enforce a policy that limits the number of failed password attempts, users who exceed the threshold while trying to sync their password lock their Okta account, and an admin must unlock it manually.
To avoid this, have users set their Okta password to something memorable before they register for Desktop Password Sync. After registration, their macOS password is updated to match the Okta password, and the user enters this synchronized password at every macOS authentication point.
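The lockout scenario above is easy to audit before rollout. The following script is an added example, not part of Okta's documentation or tooling: it reads password-policy JSON in the shape returned by the Okta Policy API (`GET /api/v1/policies?type=PASSWORD`, fields `settings.password.lockout.maxAttempts`, `autoUnlockMinutes` and `showLockoutFailures`) and flags policies where a few blind typos at the login window would lock the account and require a manual admin unlock. The two sample policies are constructed for illustration, and the threshold of five attempts used to call a policy "strict" is an assumption you should tune for your org.

```python
"""Flag Okta password policies whose lockout settings would turn a few typos
at the macOS login window into a manual admin unlock.

Added example, not Okta code. Policy JSON shape follows the Okta Policy API
(GET /api/v1/policies?type=PASSWORD); the sample policies are constructed.
"""
import json

# Constructed sample: two ACTIVE policies, trimmed to the fields this check reads.
SAMPLE_POLICIES_JSON = """
[
  {
    "id": "00pExampleStrict",
    "name": "Strict engineering policy",
    "status": "ACTIVE",
    "settings": {"password": {"lockout": {
      "maxAttempts": 3,
      "autoUnlockMinutes": 0,
      "showLockoutFailures": false
    }}}
  },
  {
    "id": "00pExampleRelaxed",
    "name": "Default policy",
    "status": "ACTIVE",
    "settings": {"password": {"lockout": {
      "maxAttempts": 10,
      "autoUnlockMinutes": 15,
      "showLockoutFailures": true
    }}}
  }
]
"""

# Assumed floor: fewer permitted failures than this is "strict" for a password
# that users type blind (asterisks only) at the login window.
DEFAULT_ATTEMPT_FLOOR = 5


def lockout_findings(policy, attempt_floor=DEFAULT_ATTEMPT_FLOOR):
    """Return human-readable findings for one password policy.

    maxAttempts == 0 means Okta lockout is disabled, so nothing to flag.
    autoUnlockMinutes == 0 means a locked account stays locked until an admin
    unlocks it, which is exactly the help-desk case described in the text.
    """
    lockout = policy.get("settings", {}).get("password", {}).get("lockout", {})
    max_attempts = lockout.get("maxAttempts", 0)
    auto_unlock = lockout.get("autoUnlockMinutes", 0)
    findings = []
    if max_attempts == 0:
        return findings
    if max_attempts < attempt_floor:
        findings.append(f"maxAttempts={max_attempts} is below {attempt_floor}: "
                        "a few typos at the login window lock the account")
    if auto_unlock == 0:
        findings.append("autoUnlockMinutes=0: locked accounts need a manual admin unlock")
    if not lockout.get("showLockoutFailures", False):
        findings.append("showLockoutFailures=false: user gets no warning before lockout")
    return findings


def audit(policies_json, attempt_floor=DEFAULT_ATTEMPT_FLOOR):
    """Map policy id -> findings for every ACTIVE policy that has any."""
    report = {}
    for policy in json.loads(policies_json):
        if policy.get("status") != "ACTIVE":
            continue
        findings = lockout_findings(policy, attempt_floor)
        if findings:
            report[policy["id"]] = findings
    return report


if __name__ == "__main__":
    for policy_id, findings in audit(SAMPLE_POLICIES_JSON).items():
        print(policy_id)
        for finding in findings:
            print("  -", finding)
```

Run it against the JSON you export from the Policy API; only the strict sample policy is reported, with all three findings. Raising `autoUnlockMinutes` above zero removes the manual-unlock dependency, and enabling `showLockoutFailures` at least warns users before their last attempt.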
Establish a bug reporting channel
Ask users to report issues or bugs through Okta Verify on their mobile device. The Menu bar of the Okta Verify mobile app contains a Send Feedback link; users should tap Report a bug and fill out the form. System logs are attached automatically and the report is sent to Okta. Users should then contact someone in your organization for help signing in to the computer.
In macOS 15 Sequoia, Apple lists the current state of the synchronization process (for example, registering device, registering user, requesting keys) in the bottom-left corner of the active window during user registration.
Password synchronization
A user's password is synchronized at specific points in the workflow. Consult the table to determine the expected behavior from Desktop Password Sync.