Configure Desktop Password Sync for macOS 15
Desktop Password Sync now supports macOS 15 Sequoia, which extends Platform Single Sign-on (Platform SSO) authentication to FileVault. This is in addition to the Unlock and Login windows that were previously supported.
New authentication policies are available to enforce stronger authentication requirements. With these policies, users can authenticate, sync their local password with their Okta password, and securely sign in to FileVault. The Desktop Password Sync experience now includes the FileVault interface.
If your org includes macOS computers running macOS 14 Sonoma or later, you can migrate your Desktop Password Sync solution for macOS 15 Sequoia. Your users are asked to re-enroll in Desktop Password Sync after migration.
FileVault Platform SSO is supported only on physical Mac computers with Apple silicon. See Mac computers with Apple silicon.
Prerequisites
To prepare for Desktop Password Sync for macOS 15 Sequoia, ensure that you meet these requirements:
- Desktop Password Sync is configured correctly. See Create and configure the Platform Single Sign-on app.
- The latest version of Okta Verify for macOS is installed in your org. You can get the latest artifact from the Admin Console. Go to , and download Okta Verify for macOS. To check the Okta Verify version, users right-click the Okta Verify icon in their computer's system tray, and then click About.
- Device Access SCEP certificates are configured for Platform SSO. See Device Access SCEP certificates.
- Your device management profiles are configured for Platform SSO.
  - Check that PlatformSSO.ProtocolVersion is set to 2.0 in the device management profile for your com.okta.mobile.auth-service-extension domain.
  - Confirm that Use Shared Device Keys is enabled in your SSO extension profile. See Update your single sign-on extension profile.
- To enforce or attempt a password sync in the FileVault window, connect the computer to a known network. See FileVault network requirements.
Policy settings for Unlock, Login, and FileVault windows
With Apple's new authentication policies, you can specify authentication requirements. You can set each policy to either RequireAuthentication, AttemptAuthentication, or leave it blank. On macOS 13 Ventura or macOS 14 Sonoma, the default is blank.
The policies outlined here work only for the password authentication method.
Authentication policies
Policy name | Description
---|---
RequireAuthentication | This policy requires a successful Okta authentication before granting access to the user. The user is denied access if the Okta authentication isn't successful, for any reason. If the Okta server is unreachable due to internet connectivity issues, the user is locked out. Set the AllowOfflineGracePeriod flag to avoid this issue. This policy disables Touch ID at the Unlock screen. If you want to allow Touch ID access for a locked computer, you must enable AllowTouchIDOrWatchForUnlock. This policy also applies to unregistered local macOS accounts. Unless these accounts are included in the NonPlatformSSOAccounts group or the AuthenticationGracePeriod policy is active, users are denied access. The policy takes effect when registration begins. If registration fails and users sign out or lock their device, they're locked out unless you configure a grace period.
AttemptAuthentication | This policy attempts to authenticate with Okta before granting access to the user. If the Okta authentication fails due to an incorrect password, access is denied. If the Okta authentication fails for a different reason, the password is verified locally. Examples of authentication failures include:
None | If you haven't set either RequireAuthentication or AttemptAuthentication, the framework falls back to the default behavior and the password is checked locally. If it matches, the user is granted access. If the local password doesn't match, it's checked against Okta.
If the user's local password is synced at the FileVault or sign-in window, the operating system prompts the user to enter their old Mac password to unlock the keychain. The password can still be synced if the user doesn't remember the old one; however, all protected data, the previous keychain, and any prior Okta FastPass enrollments become inaccessible.
You can't reverse this action, so advise your users to read the warnings carefully and contact an admin for support.
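The following Python model is an added illustration of the access decision the policies above describe, written for this page; it is not Okta's or Apple's code. It treats one window (FileVault, Login, or Unlock) with its policy and the AllowOfflineGracePeriod, AuthenticationGracePeriod, and NonPlatformSSOAccounts settings already named above, and it lets you check a configuration for the lockout case (RequireAuthentication with Okta unreachable) before you push it. The Okta result values ("success", "bad_password", "unreachable", "other_failure") and all attempt inputs are constructed for the example.

```python
"""Model of the Platform SSO access decision at one window (FileVault, Login or Unlock).
Added illustration of the documented behaviour; not Okta's or Apple's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple

REQUIRE, ATTEMPT = "RequireAuthentication", "AttemptAuthentication"


@dataclass
class PolicyConfig:
    """Subset of the PlatformSSO settings that drive the decision for one window."""
    policy: Optional[str] = None              # REQUIRE, ATTEMPT or None (blank)
    allow_offline_grace: bool = False         # AllowOfflineGracePeriod
    offline_grace_seconds: int = 0            # OfflineGracePeriod
    allow_auth_grace: bool = False            # AllowAuthenticationGracePeriod
    auth_grace_seconds: int = 0               # AuthenticationGracePeriod
    non_psso_accounts: Tuple[str, ...] = ()   # NonPlatformSSOAccounts


@dataclass
class Attempt:
    """One sign-in attempt. All fields are constructed inputs, not data read from macOS."""
    user: str
    local_password_ok: bool                   # outcome of the local password check
    okta_result: str                          # "success", "bad_password", "unreachable", "other_failure"
    registered: bool = True                   # account completed Platform SSO registration
    online: bool = True
    secs_since_okta_success: Optional[int] = None         # None: never authenticated with Okta here
    secs_since_registration_started: Optional[int] = None


def _local(a: Attempt, reason: str) -> Tuple[str, str]:
    return ("allow" if a.local_password_ok else "deny", reason)


def decide(cfg: PolicyConfig, a: Attempt) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one attempt at a window governed by cfg.policy."""
    if a.user in cfg.non_psso_accounts:
        return _local(a, "NonPlatformSSOAccounts: policy not applied, local check only")
    if cfg.policy is None:
        if a.local_password_ok:
            return ("allow", "no policy: local password matched")
        return ("allow" if a.okta_result == "success" else "deny",
                "no policy: local mismatch, checked against Okta")
    # Offline grace is consulted only when the device is offline; online it is bypassed.
    if not a.online and cfg.allow_offline_grace:
        if (a.secs_since_okta_success is not None
                and a.secs_since_okta_success <= cfg.offline_grace_seconds):
            return _local(a, "OfflineGracePeriod active: local check")
    if cfg.policy == REQUIRE:
        if not a.registered:
            # Unregistered accounts are denied unless the registration grace period is active;
            # the timer runs from when registration began, whether or not it succeeded.
            if (cfg.allow_auth_grace and a.secs_since_registration_started is not None
                    and a.secs_since_registration_started <= cfg.auth_grace_seconds):
                return _local(a, "AuthenticationGracePeriod active: local check")
            return ("deny", "unregistered account outside AuthenticationGracePeriod")
        return ("allow" if a.okta_result == "success" else "deny",
                f"RequireAuthentication: Okta result {a.okta_result}")
    if cfg.policy == ATTEMPT:
        if a.okta_result == "success":
            return ("allow", "AttemptAuthentication: Okta authentication succeeded")
        if a.okta_result == "bad_password":
            return ("deny", "AttemptAuthentication: Okta rejected the password")
        return _local(a, f"AttemptAuthentication: Okta {a.okta_result}, password verified locally")
    raise ValueError(f"unknown policy {cfg.policy!r}")


def lockout_risk(cfg: PolicyConfig) -> bool:
    """True if an offline user with a valid local password, who authenticated with Okta
    a minute ago, would still be denied under cfg (the lockout case described above)."""
    probe = Attempt("user", True, "unreachable", online=False, secs_since_okta_success=60)
    return decide(cfg, probe)[0] == "deny"


if __name__ == "__main__":
    strict = PolicyConfig(REQUIRE)
    relaxed = PolicyConfig(REQUIRE, allow_offline_grace=True, offline_grace_seconds=86400)
    print("RequireAuthentication, no offline grace -> lockout risk:", lockout_risk(strict))
    print("RequireAuthentication, 24h offline grace -> lockout risk:", lockout_risk(relaxed))
```

Run `lockout_risk` on each candidate PolicyConfig before rolling it out; a RequireAuthentication window without AllowOfflineGracePeriod and OfflineGracePeriod reports a lockout risk, which matches the warning in the table above.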
Grace period policies
FileVaultPolicy, LoginPolicy, and UnlockPolicy allow you to specify a grace period for offline and unregistered scenarios. For configuration details, see Apple's Device Management properties for Platform SSO.
NonPlatformSSOAccounts provides a list of local accounts that aren't subject to the FileVaultPolicy, LoginPolicy, or UnlockPolicy. These accounts aren't prompted to register for Platform SSO.
Policy name | Description
---|---
AllowOfflineGracePeriod | This policy allows offline authentication after validating the password locally and requires that you set OfflineGracePeriod. If the device is online, AllowOfflineGracePeriod is bypassed and the authentication policies configured in the previous section determine the behavior. See Authentication policies. This policy is similar to the LoginPeriodWithOfflineFactor Desktop MFA policy.
OfflineGracePeriod | The amount of time that the user can use the local account password offline after a successful Okta authentication. The value is in seconds.
AllowAuthenticationGracePeriod | This policy allows users to unlock their unregistered local macOS accounts by validating the password locally. This policy requires that you set AuthenticationGracePeriod. This policy is similar to the LoginPeriodWithoutEnrolledFactor Desktop MFA policy.
AuthenticationGracePeriod | This policy indicates the amount of time that unregistered local accounts can unlock or sign in to the computer after the FileVaultPolicy, LoginPolicy, or UnlockPolicy is triggered. The timer countdown starts when the user begins the registration process, regardless of whether the registration was successful. The value is in seconds.
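As an added example (not Okta's tooling), the following Python script lints a Platform SSO configuration profile against the requirements this page states: PlatformSSO.ProtocolVersion is 2.0 for the com.okta.mobile.auth-service-extension domain, Use Shared Device Keys is enabled, the three window policies hold only the allowed values, each Allow*GracePeriod flag has its matching duration, and RequireAuthentication is paired with an offline grace period. The embedded .mobileconfig is constructed for the example; its TeamIdentifier and UUIDs are placeholders, and the placement of PlatformSSO.ProtocolVersion under a com.apple.ManagedClient.preferences payload (domain, Forced, mcx_preference_settings) is an assumption about profile layout, not something this page specifies.

```python
"""Lint a Platform SSO configuration profile against the constraints described on this page.
Added example; not Okta's tooling. Uses only the standard-library plist parser."""
import plistlib

OKTA_DOMAIN = "com.okta.mobile.auth-service-extension"
POLICY_KEYS = ("FileVaultPolicy", "LoginPolicy", "UnlockPolicy")
POLICY_VALUES = {"RequireAuthentication", "AttemptAuthentication"}

# Constructed sample profile. TeamIdentifier and UUIDs are placeholders; the managed-preferences
# layout (domain -> Forced -> mcx_preference_settings) for ProtocolVersion is an assumption.
# It deliberately omits the two grace-period durations so the linter has something to report.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadIdentifier</key><string>example.psso</string>
<key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>PayloadIdentifier</key><string>example.psso.sso</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>ExtensionIdentifier</key><string>com.okta.mobile.auth-service-extension</string>
  <key>TeamIdentifier</key><string>TEAMID0000</string>
  <key>Type</key><string>Redirect</string>
  <key>PlatformSSO</key><dict>
   <key>AuthenticationMethod</key><string>Password</string>
   <key>UseSharedDeviceKeys</key><true/>
   <key>FileVaultPolicy</key><string>AttemptAuthentication</string>
   <key>LoginPolicy</key><string>RequireAuthentication</string>
   <key>UnlockPolicy</key><string>RequireAuthentication</string>
   <key>AllowOfflineGracePeriod</key><true/>
   <key>AllowAuthenticationGracePeriod</key><true/>
   <key>NonPlatformSSOAccounts</key><array><string>localadmin</string></array>
  </dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
  <key>PayloadIdentifier</key><string>example.psso.prefs</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><dict>
   <key>com.okta.mobile.auth-service-extension</key><dict>
    <key>Forced</key><array><dict>
     <key>mcx_preference_settings</key><dict>
      <key>PlatformSSO.ProtocolVersion</key><string>2.0</string>
     </dict>
    </dict></array>
   </dict>
  </dict>
 </dict>
</array>
</dict></plist>
"""


def load_profile(data: bytes) -> dict:
    return plistlib.loads(data)


def _payloads(profile, payload_type):
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def _managed_pref(profile, domain, key):
    """Look up a forced managed preference for a domain (assumed payload layout, see above)."""
    for p in _payloads(profile, "com.apple.ManagedClient.preferences"):
        for forced in p.get("PayloadContent", {}).get(domain, {}).get("Forced", []):
            if key in forced.get("mcx_preference_settings", {}):
                return forced["mcx_preference_settings"][key]
    return None


def lint_platform_sso(profile: dict) -> list:
    """Return (severity, message) findings for the checks this page states; [] means all passed."""
    sso = [p for p in _payloads(profile, "com.apple.extensiblesso")
           if p.get("ExtensionIdentifier") == OKTA_DOMAIN]
    if not sso:
        return [("error", f"no com.apple.extensiblesso payload for {OKTA_DOMAIN}")]
    psso, findings = sso[0].get("PlatformSSO", {}), []
    if str(_managed_pref(profile, OKTA_DOMAIN, "PlatformSSO.ProtocolVersion")) != "2.0":
        findings.append(("error", f"PlatformSSO.ProtocolVersion must be 2.0 for {OKTA_DOMAIN}"))
    if psso.get("UseSharedDeviceKeys") is not True:
        findings.append(("error", "UseSharedDeviceKeys must be enabled"))
    if psso.get("AuthenticationMethod") != "Password":
        findings.append(("warn", "authentication policies apply only to the Password method"))
    for key in POLICY_KEYS:
        if key in psso and psso[key] not in POLICY_VALUES:
            findings.append(("error", f"{key} must be RequireAuthentication, AttemptAuthentication or unset"))
    for flag, secs in (("AllowOfflineGracePeriod", "OfflineGracePeriod"),
                       ("AllowAuthenticationGracePeriod", "AuthenticationGracePeriod")):
        if psso.get(flag) and not isinstance(psso.get(secs), int):  # durations are in seconds
            findings.append(("error", f"{flag} is set but {secs} (seconds) is missing"))
    if any(psso.get(k) == "RequireAuthentication" for k in POLICY_KEYS) and not psso.get("AllowOfflineGracePeriod"):
        findings.append(("warn", "RequireAuthentication without AllowOfflineGracePeriod locks users out when Okta is unreachable"))
    if psso.get("UnlockPolicy") == "RequireAuthentication" and not psso.get("AllowTouchIDOrWatchForUnlock"):
        findings.append(("warn", "UnlockPolicy=RequireAuthentication disables Touch ID at Unlock unless AllowTouchIDOrWatchForUnlock is enabled"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_platform_sso(load_profile(SAMPLE_PROFILE)):
        print(f"{severity}: {message}")
```

Point `load_profile` at an exported .mobileconfig instead of the embedded sample to lint a real profile; the sample as written reports the two missing durations and the Touch ID warning, and passes once OfflineGracePeriod, AuthenticationGracePeriod, and AllowTouchIDOrWatchForUnlock are added.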
FileVault network requirements
To enforce or attempt a password sync in the FileVault window, the computer must be connected to a known network.
For FileVault, the network the computer connects to must already be present. A new network connection isn't allowed.
WiFi connections
- The only network types that work for FileVault are Open or WPA2 Personal.
- The computer must have previously connected to the network successfully.
- You can't use the following network types, because the secrets for these networks are stored in the system or device keychain and are inaccessible until the drive is decrypted:
  - Captive portal networks of any form (any network that presents a web page to interact with before providing connectivity)
  - WEP or WPA3 Personal
  - Any form of WPA Enterprise network (RADIUS 802.1x)
Ethernet connections
- Open network access is required. RADIUS 802.1x authentication isn't supported.
- If the computer uses a USB ethernet adapter, the user must have the adapter and computer configured to work on a specific USB port. See Use the ports on your Mac.
- If an MDM profile that allows unrestricted USB access is pushed to the computer before attempting to connect at the FileVault window, any USB-based ethernet adapter can connect to an accepted network.