Update Desktop Password Sync for macOS 15
Desktop Password Sync now supports macOS Sequoia (15), which extends Platform Single Sign-on (Platform SSO) authentication to FileVault in addition to the Unlock and Login windows that were previously supported.
New authentication policies are now available to enforce stronger authentication requirements. With these policies users can authenticate, sync their local password with their Okta password, and securely sign in to FileVault. The Desktop Password Sync experience now includes the FileVault interface.
If your org includes macOS computers running macOS Sonoma (14.0) or later, you can migrate your Desktop Password Sync solution for macOS Sequoia. Your users will be asked to re-enroll in Desktop Password Sync after migration.
FileVault Platform SSO is supported only on physical Mac computers with Apple silicon. See Mac computers with Apple silicon.
Prerequisites
To prepare for Desktop Password Sync for macOS Sequoia, ensure that you meet these requirements:
- Desktop Password Sync is configured correctly. See Create and configure the Desktop Password Sync app integration.
- The latest version of Okta Verify for macOS is installed in your org. You can get the latest artifact from the Admin Console. Go to , and download Okta Verify for macOS. To check the Okta Verify version, users right-click the Okta Verify icon in their computer's system tray, and then click About.
- Device Access SCEP certificates are configured for Platform SSO. See Device Access SCEP certificates.
- Your device management profiles are configured for Platform SSO. Check that PlatformSSO.ProtocolVersion is set to 2.0 in the device management profile for your com.okta.mobile.auth-service-extension domain, and that Use Shared Device Keys is enabled in your SSO extension profile. See Update your single sign-on extension profile.
- To enforce or attempt a password sync in the FileVault window, the computer must be connected to a known network (a network the computer has successfully connected to before). See FileVault network requirements.
Policy settings for Unlock, Login, and FileVault windows
With Apple's new authentication policies, you can specify authentication requirements. You can set each policy to either RequireAuthentication, AttemptAuthentication, or leave it blank. On macOS Sonoma (14) or Ventura (13), the default is blank.
The policies outlined here work only for the password authentication method.
Authentication policies
| Policy name | Description |
|---|---|
| RequireAuthentication | This policy requires a successful Okta authentication before granting access to the user. The user is denied access if the Okta authentication isn't successful, for any reason. If the Okta server is unreachable due to internet connectivity issues, the user is locked out. Set the AllowOfflineGracePeriod flag to avoid this issue. This flag disables TouchID at the unlock screen. To allow TouchID to access a locked computer, AllowTouchIDOrWatchForUnlock must be enabled. This policy applies to unregistered local macOS accounts. Unless these accounts are included in the NonPlatformSSOAccounts group or the AuthenticationGracePeriod policy is active, users are denied access. The policy takes effect when registration begins. If registration fails and users log out or lock their device, they're locked out unless a grace period is configured. |
| AttemptAuthentication | This policy attempts to authenticate with Okta before granting access to the user. If the Okta authentication fails due to an incorrect password, access is denied. However, if the Okta authentication fails for a different reason (server can't be reached, expired password, user or device status is invalid, or the user hasn't been assigned the app), the password is verified locally. |
| None | If neither RequireAuthentication or AttemptAuthentication are set, the framework falls back to the default behavior: the password is checked locally. If it matches, the user is granted access. If the local password doesn't match, it's checked against Okta. |
If the user's local password is synced at the FileVault or login window, the operating system prompts the user to enter their old Mac password to unlock the keychain. If the user doesn't remember the password, their password can still be synced, but the previous keychain, all protected data, and previous Okta FastPass enrollments become inaccessible. This action can't be reversed. Advise your users to read the warnings carefully and contact an admin for support.
Grace period policies
FileVaultPolicy, LoginPolicy, and UnlockPolicy allow you to specify a grace period for offline and unregistered scenarios. For configuration details, see Apple's Device Management properties for Platform SSO.
NonPlatformSSOAccounts provides a list of local accounts that aren't subject to the FileVaultPolicy, LoginPolicy, or UnlockPolicy. These accounts aren't prompted to register for Platform SSO.
| Policy name | Description |
|---|---|
| AlowOfflineGracePeriod | Allows offline authentication after validating the password locally. This policy requires an OfflineGracePeriod to be set. If the device is online, then AllowOfflineGracePeriod is bypassed and the behavior is determined by the authentication policies as configured in the previous section. See Authentication policies. This policy is similar to the LoginPeriodWithOfflineFactor Desktop MFA policy. |
| OfflineGracePeriod | The amount of time, in seconds, the local account password can be used offline after a successful Okta authentication. |
| AllowAuthenticationGracePeriod |
This policy allows users to unlock their unregistered local macOS accounts by validating the password locally. This policy requires AuthenticationGracePeriod to be set. This policy is similar to the LoginPeriodWithoutEnrolledFactor Desktop MFA policy. |
| AuthenticationGracePeriod | This policy indicates the amount of time, in seconds, that unregistered local accounts can be used to unlock or sign into the computer after the FileVaultPolicy, LoginPolicy, or UnlockPolicy is triggered. The timer countdown starts when the user begins the registration process, whether the registration was successful or not. |
FileVault network requirements
To enforce or attempt a password sync in the FileVault window, the computer must be connected to a known network. For FileVault, the network the computer connects to must already be present. A new network connection isn't allowed. The following network conditions apply:
WiFi connections
- Open or WPA2 Personal are the only network types that work for FileVault.
- The computer must have previously connected to the network successfully.
- The following network types won't work, as the secrets for these networks are stored in the system or device keychain and are inaccessible until the drive is decrypted:
- Captive Portal Networks of any form (any network that presents a web page to interact with before providing connectivity)
- WEP or WPA3 Personal
- Any form of WPA Enterprise network (RADIUS 802.1x)
Ethernet connections
- Open network access is required. RADIUS 802.1x authentication isn't supported.
- If the computer uses a USB Ethernet adapter, the user must have the adapter and computer configured to work on a specific USB port. See Use the ports on your Mac for more information.
- If an MDM profile that allows for unrestricted USB access has been pushed to the computer before attempting to connect at the FileVault screen, any USB-based Ethernet adapter should be able to connect to an accepted network.