Support your macOS users
When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync. The device password is replaced with the Okta password. The synced password can access anything on macOS that previously required the local account password. If a user changes their Okta password, they need to sync their password by locking the computer and then unlocking it with the updated password. This allows the service to sync the device and the Identity Provider password.
When you upgrade Desktop Password Sync to use Platform Single Sign-on (Platform SSO) 2.0, syncing is supported at the macOS login window. macOS 15 Sequoia also introduced password syncing at the FileVault window for physical Apple silicon Mac computers.
To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop Password Sync plans. Download the templates from the Launch Kit for Okta Admins, and then use the appropriate wording to explain the new authentication process to users.
Establish a bug reporting channel
Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of their Okta Verify mobile app contains a Send Feedback link. Users should tap Report a bug and fill out the form. System Logs are automatically attached, and the report is sent to Okta. Users should then contact someone within your organization for assistance signing in to the computer.
In macOS 15 Sequoia, Apple lists the current state of the synchronization process (for example, registering device, registering user, requesting keys) in the bottom-left corner of the active window during user registration.
Password synchronization
A user's password is synchronized at specific points in the workflow. Consult the table to determine the expected behavior from Desktop Password Sync.
|
Behavior
|
Result
|
|
The user completes Desktop Password Sync registration.
|
If the local account password is different from the user's Okta password, the Okta password replaces the local account password.
If the local account password is the same as the user's Okta password, the local account password remains the same.
|
|
The user changes the local account or Identity Provider password.
|
Password syncs if the user enters their Identity Provider password to unlock the device.
|
|
The user enters a changed Identity Provider password at the macOS login window.
|
macOS 13 Ventura: Sign in fails. Only Platform SSO 2.0 supports password synchronization at the macOS login window. Users must enter their old password to at the macOS login window, and then they're prompted to resync the device to their new password.
macOS 14 Sonoma and later: Password syncs if users are migrated to Platform SSO 2.0.
|
|
The user changes their password locally using the macOS Password Expiration prompt.
|
Sign in fails. This password isn't synced with Okta, and the password attempts to revert to a previous password. This isn't possible due to the MDM password policies in place.
In your MDM, disable local password expiration for the affected user's macOS accounts. The macOS password expiration policy is redundant with the Okta password policy, and isn't compatible with Desktop Password Sync.
See Configure the password authenticator.
|
|
The user enters an out-of-sync password to unlock or sign in to the computer.
|
The computer unlocks and allows the user to sign in, and the user is immediately prompted to enter their Okta password to complete the password sync.
|
|
macOS 15 Sequoia: The user changes their password locally, and then tries to enter their Okta password in the FileVault window.
|
The user is required to enter their old device password for the login keychain.
This flow is similar to the password sync at sign in behavior, where a user is shown a prompt asking for the login keychain if their password is changed locally.
Advise users to change their Okta password and perform a password sync instead of changing passwords locally.
|
|
macOS 15 Sequoia: If the user's password is synced at the FileVault or login window, the user is prompted to enter their old Mac password to unlock the keychain.
If the user has forgotten their old Mac password, the previous keychain and all protected data become inaccessible. You can't reverse this action. Advise your users to read the warnings carefully and contact an admin for support.
|
If the user's keychain has been deleted, the user loses all passwords, keychain contents, and Okta FastPass enrollments.
|
Related topics
Troubleshooting Desktop Password Sync for macOS
Okta Device Access support hub
