Support your macOS users

When users register their macOS device and link the local computer account with an Okta account, the device password and the Okta password sync. The device password is replaced with the Okta password. The synced password can access anything on macOS that previously required the local account password. If a user changes their Okta password, they need to sync their password by locking the computer and then unlocking it with the updated password. This allows the service to sync the device and the Identity Provider password.

  • When you upgrade Desktop Password Sync to use Platform Single Sign-on (Platform SSO) 2.0, syncing is supported at the macOS login window.

  • The macOS 15 Sequoia release also introduced password syncing at the FileVault window for physical Apple silicon Mac computers.

To prepare users for the changes to their sign-in flow, Okta provides a series of templates to communicate Desktop Password Sync plans. Download the templates from the Launch Kit for Okta Admins, and then use the appropriate wording to explain the new authentication process to users.

Account lockouts

When using the Desktop Password Sync feature, a user must enter their Identity Provider (IdP) password at the macOS login window to ensure that their passwords are synchronized.

However, if the user's IdP password is a random string of characters and symbols, it can be difficult for the user to memorize. The screen where the user enters their IdP password only shows asterisks as they type the password. Without the option to view the entered credentials, it's challenging for users to validate their input.

If you enforce a policy that limits the number of failed password attempts, users who exceed the threshold while attempting to sync their password can lock their Okta account. An admin must then manually unlock the account.

To address this issue, users should set their Okta password to something memorable before they register for Desktop Password Sync. After registration, their macOS password is updated to match the Okta password. The user needs to enter this synchronized password at every macOS authorization point.

Establish a bug reporting channel

Ask users to report issues or bugs in Okta Verify from their mobile device. The Menu bar of their Okta Verify mobile app contains a Send Feedback link. Users should tap Report a bug and fill out the form. System Logs are automatically attached, and the report is sent to Okta. Users should then contact someone within your organization for assistance signing in to the computer.

In macOS 15 Sequoia, Apple lists the current state of the synchronization process (for example, registering device, registering user, requesting keys) in the bottom-left corner of the active window during user registration.

Password synchronization

A user's password is synchronized at specific points in the workflow. Consult the table to determine the expected behavior from Desktop Password Sync.

Behavior: The user completes Desktop Password Sync registration.
Result: If the local account password is different from the user's Okta password, the Okta password replaces the local account password. If the local account password is the same as the user's Okta password, the local account password remains the same.

Behavior: The user changes the local account or Identity Provider password.
Result: The password syncs if the user enters their Identity Provider password to unlock the device.

Behavior: The user enters a changed Identity Provider password at the macOS login window.
Result (macOS 13 Ventura): Sign in fails. Only Platform SSO 2.0 supports password synchronization at the macOS login window. Users must enter their old password at the macOS login window, and then they're prompted to resync the device to their new password.
Result (macOS 14 Sonoma and later): The password syncs if users are migrated to Platform SSO 2.0.

Behavior: The user changes their password locally using the macOS Password Expiration prompt.
Result: Sign in fails. This password isn't synced with Okta, and the sync attempts to revert the local password to a previous password, which the MDM password policies in place don't allow. In your MDM, disable local password expiration for the affected users' macOS accounts. The macOS password expiration policy is redundant with the Okta password policy and isn't compatible with Desktop Password Sync. See Configure the password authenticator.

Behavior: The user enters an out-of-sync password to unlock or sign in to the computer.
Result: The computer unlocks and allows the user to sign in, and the user is immediately prompted to enter their Okta password to complete the password sync.

Behavior (macOS 15 Sequoia): The user changes their password locally, and then tries to enter their Okta password in the FileVault window.
Result: The user is required to enter their old device password for the login keychain. This flow is similar to the password sync during a sign-in flow, where macOS prompts the user for the login keychain password if their password was changed locally. Advise users to change their Okta password and perform a password sync instead of changing passwords locally.

Behavior (macOS 15 Sequoia): The user's password is synced at the FileVault or login window.
Result: The user is prompted to enter their old Mac password to unlock the keychain. If the user has forgotten their old Mac password, the previous keychain and all protected data become inaccessible. You can't reverse this action. Advise your users to read the warnings carefully and contact an admin for support. If the user's keychain has been deleted, the user loses all passwords, keychain contents, and Okta FastPass enrollments.
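As an added illustration that is not part of the Okta documentation, the local password expiration setting to remove is the password age limit in Apple's Passcode configuration profile payload (com.apple.mobiledevice.passwordpolicy). This assumes your MDM lets you edit the raw payload; vendor consoles expose the same key under their own label, and the identifiers below are placeholders. The first payload expires local passwords and triggers the macOS Password Expiration prompt that breaks Desktop Password Sync; the second omits the key so expiration is governed only by the Okta password policy:

```xml
<!-- Incompatible: maxPINAgeInDays forces a local password change every 90 days (constructed example) -->
<dict>
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadIdentifier</key>
    <string>com.example.passcode.expiring</string>  <!-- placeholder -->
    <key>PayloadUUID</key>
    <string>00000000-0000-0000-0000-000000000001</string>  <!-- placeholder -->
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>minLength</key>
    <integer>12</integer>
    <key>maxPINAgeInDays</key>
    <integer>90</integer>
</dict>

<!-- Compatible: no maxPINAgeInDays key, so macOS never prompts the user to change the password locally -->
<dict>
    <key>PayloadType</key>
    <string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadIdentifier</key>
    <string>com.example.passcode.synced</string>  <!-- placeholder -->
    <key>PayloadUUID</key>
    <string>00000000-0000-0000-0000-000000000002</string>  <!-- placeholder -->
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>minLength</key>
    <integer>12</integer>
</dict>
```

Keep the other password content rules (such as minLength) in the profile; only the age limit conflicts with the Okta-driven password change flow.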

Related topics

Troubleshooting Desktop Password Sync for macOS

Okta Device Access support hub