Update Desktop Password Sync for macOS 14

If your org has configured Desktop Password Sync and you have macOS computers running macOS Sonoma (14.0) or later, you can migrate your existing Desktop Password Sync installation to use Platform Single Sign-On 2.0 (Platform SSO 2.0). Your users will be asked to re-enroll in Desktop Password Sync after migrating.

To use Desktop Password Sync with Platform SSO 2.0, your macOS computers need to be running macOS Sonoma (14.0) or later. If your org has a mix of macOS computers on different operating systems, you need to configure separate instances of Desktop Password Sync for users on macOS Ventura (13.0) and macOS Sonoma (14.0).

Tasks

The steps outlined here must be followed in the order they're listed to avoid configuration issues.

Update Okta Verify for macOS

Desktop Password Sync is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to Settings > Downloads and download Okta Verify for macOS. You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your org, Desktop Password Sync can be configured and deployed. Contact your account representative for more information.

After Okta Verify has been updated, continue to the next step.

Configure Device Access SCEP certificates

Apple’s Platform Single Sign-On 2.0 requires the configuration of Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates deploy with your mobile device management (MDM) software, and are used to grant access to API endpoints and to identify the device to Okta when making calls to API endpoints. If your org isn't using Platform SSO 2.0, SCEP certificates aren't required.

Review and complete the steps in Set up Device Access SCEP certificates, then return here to continue the Desktop Password Sync upgrade.

Update your device management profile

Using Platform Single Sign-On 2.0 with Okta Desktop Password Sync requires you to make some configuration changes to your existing device management profile.

  1. In your MDM, locate the device management profile for the com.okta.mobile.auth-service-extension domain.

  2. Edit the profile and add the following:

    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>

  3. Save the profile.

  4. If you're presented with an option to push the updated profile to your users, do this now.

Update your single sign-on extension profile

Using Platform Single Sign-On 2.0 with Okta Desktop Password Sync requires you to make some configuration changes to your existing single sign-on extension profile.

  1. In your MDM, locate the single sign-on extension profile.

  2. Edit the profile. Set the Use Shared Device Keys setting to Enabled.

  3. Leave all other existing properties as they are.

  4. Save the profile.

  5. If you're presented with an option to push the updated profile to your users, do this now.

After Shared Device Keys has been enabled, users receive a notification asking them to update their registration. This will take the user through the Desktop Password Sync registration process to sync their Okta password to their macOS account.

You can track which users have completed the registration update by running the following query in System Log reports, located on the Admin Dashboard:

eventType eq "device.password_sync.enrollment.create" and target.detailEntry.PlatformSsoProtocol eq "2.0"
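To turn that query into a migration tracker, the following Python script (an added example, not Okta's code) applies the same filter locally to exported System Log events and reports which roster users have and have not completed the Platform SSO 2.0 re-enrollment. The event records are constructed sample data; the script assumes the standard System Log shape of an actor object with alternateId and a target list whose entries carry detailEntry.

```python
import json

# Constructed sample of exported System Log events (not real data). The layout
# is assumed to follow the System Log event schema: actor.alternateId plus a
# target list whose entries carry a detailEntry dictionary.
SAMPLE_LOG = json.dumps([
    {"eventType": "device.password_sync.enrollment.create",
     "actor": {"alternateId": "alice@example.com", "displayName": "Alice"},
     "target": [{"type": "Device", "displayName": "alice-mbp",
                 "detailEntry": {"PlatformSsoProtocol": "2.0"}}]},
    {"eventType": "device.password_sync.enrollment.create",
     "actor": {"alternateId": "bob@example.com", "displayName": "Bob"},
     "target": [{"type": "Device", "displayName": "bob-mbp",
                 "detailEntry": {"PlatformSsoProtocol": "1.0"}}]},
    {"eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com", "displayName": "Carol"},
     "target": []},
])

ENROLL_EVENT = "device.password_sync.enrollment.create"


def is_psso2_enrollment(event):
    """Local equivalent of the System Log filter
    eventType eq ENROLL_EVENT and target.detailEntry.PlatformSsoProtocol eq "2.0".
    target is a list, so the filter matches if any target carries the value."""
    if event.get("eventType") != ENROLL_EVENT:
        return False
    return any((t.get("detailEntry") or {}).get("PlatformSsoProtocol") == "2.0"
               for t in event.get("target", []))


def migration_status(log_json, roster):
    """Return (completed, pending) sets of user logins for the given roster."""
    completed = {e["actor"]["alternateId"]
                 for e in json.loads(log_json) if is_psso2_enrollment(e)}
    return completed & set(roster), set(roster) - completed


if __name__ == "__main__":
    users = ["alice@example.com", "bob@example.com", "carol@example.com"]
    done, todo = migration_status(SAMPLE_LOG, users)
    print("completed:", sorted(done))  # ['alice@example.com']
    print("pending:", sorted(todo))    # ['bob@example.com', 'carol@example.com']
```

Bob still appears as pending because his enrollment event reports protocol 1.0, which is exactly the case the query is meant to distinguish.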

Next steps

Support your Desktop Password Sync users