Support your Desktop Password Sync users

When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync: the device password is replaced with the Okta password. The synced password can access anything on macOS that previously required the local account password. If a user changes their Okta password, they sync it to the device by locking the computer and then unlocking it with the updated password, which lets the service align the device password with the Identity Provider password.

When you upgrade Desktop Password Sync to use Platform Single Sign-On 2.0, syncing is supported at the macOS login window.

To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop Password Sync plans. Download the templates from the Launch Kit for Okta Admins, and then use the appropriate wording to explain the new authentication process to users.

Establish a bug reporting channel

Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of their Okta Verify mobile app contains a Send Feedback link. Users should tap Report a bug and fill out the form. System Logs are automatically attached, and the report is sent to Okta. Users should then contact someone within your organization for assistance signing in to the computer.

Password synchronization

A user's password is synchronized at specific points in the workflow. Consult the table to determine the expected behavior from Desktop Password Sync.

Behavior: User completes Desktop Password Sync registration.
Result: If the local account password is different from the user's Okta password, the local account password is replaced by the Okta password. If the local account password is the same as the user's Okta password, the local account password remains the same.

Behavior: User changes their local account or Identity Provider password.
Result: The password syncs when the user enters their Identity Provider password to unlock the device, or when the system notification appears on token expiration and prompts the user to sign in to their Identity Provider account.

Behavior: User enters a changed Identity Provider password at the macOS login window.
Result: macOS Ventura: Sign-in fails. Only Platform Single Sign-On 2.0 supports password synchronization at the macOS login window. Users must enter their old password at the macOS login window, and are then prompted to resync the device to their new password.
macOS Sonoma: The password syncs if users have been migrated to Platform Single Sign-On 2.0.

Behavior: User changes their password locally using the macOS Password Expiration prompt.
Result: Sign-in fails. This password isn't synced with Okta, and the password attempts to revert to a previous password, which isn't possible due to the MDM password policies in place. In your MDM, disable local password expiration for the affected users' macOS accounts. The macOS password expiration policy is redundant with the Okta password policy and isn't compatible with Desktop Password Sync. See Configure the password authenticator.

Behavior: User enters an out-of-sync password to unlock or sign in to the computer.
Result: The computer unlocks and allows the user to sign in, and the user is immediately prompted to enter their Okta password to complete the password sync.
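One way to verify on a device that the local password-expiration rule described above has actually been removed, as an added example that is not Okta's or Apple's code. It assumes that `pwpolicy -u "$USER" getaccountpolicies` prints a pretty-printed XML plist and that the expiry interval appears as the policyAttributeExpiresEveryNDays parameter; the sample plists are constructed.

```shell
# Added example (not Okta's or Apple's code): audit a macOS account-policy plist
# for a local password-expiration rule, which this page says to disable in your
# MDM because it conflicts with Desktop Password Sync. On a real Mac, pipe in:
#   pwpolicy -u "$USER" getaccountpolicies
# (assumed to print a pretty-printed XML plist; the samples below are constructed).

# Reads a plist on stdin. Prints the expiry interval in days when a
# policyAttributeExpiresEveryNDays parameter is present, otherwise "none".
expiration_days() {
    awk '
        /policyAttributeExpiresEveryNDays<\/key>/ { want = 1 }
        want && /<integer>[0-9]+<\/integer>/ {
            n = $0
            sub(/.*<integer>/, "", n); sub(/<\/integer>.*/, "", n)
            print n; found = 1; exit
        }
        !/policyAttributeExpiresEveryNDays<\/key>/ { want = 0 }
        END { if (!found) print "none" }
    '
}

# Returns 0 when no local expiration rule is applied (compatible with Desktop
# Password Sync), 1 when one is still present.
dps_compatible() {
    days=$(expiration_days)
    if [ "$days" = "none" ]; then
        echo "OK: no local password expiration policy"; return 0
    fi
    echo "WARNING: local password expires every $days days; remove it in MDM"
    return 1
}

# Constructed, abridged sample resembling an MDM-applied expiration policy.
SAMPLE_EXPIRING_POLICY='<plist version="1.0"><dict>
<key>policyCategoryPasswordChange</key><array><dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key><string>com.example.mdm.password-expiry</string>
<key>policyParameters</key><dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>90</integer>
</dict></dict></array></dict></plist>'

# Constructed sample with no password-change policy at all.
SAMPLE_CLEAN_POLICY='<plist version="1.0"><dict>
<key>policyCategoryAuthentication</key><array/>
</dict></plist>'

printf '%s\n' "$SAMPLE_EXPIRING_POLICY" | dps_compatible || true
printf '%s\n' "$SAMPLE_CLEAN_POLICY" | dps_compatible
```

Run it against the real `pwpolicy` output for each affected account after changing the MDM profile; a WARNING means the expiration rule is still applied on that device.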

Related topics

Troubleshooting Desktop Password Sync for macOS

Okta Device Access support hub