Okta Device Access – Desktop Password Sync for macOS

This is an Early Access feature. To learn how to enable it, see Manage Early Access and Beta features.

Introduction

With macOS Ventura, Apple introduced Platform SSO, which enables developers to create a single sign-on (SSO) extension that interacts directly with the macOS login window.
This extension enables users to link their local macOS account with their identity provider through a simple, Mac-native workflow.
Okta has led the way in adopting this with the upcoming Desktop Password Sync feature under the Okta Device Access offering, allowing users to authenticate with their Okta credentials directly from the macOS login screen.

Desktop Password Sync not only synchronizes the local macOS account password with their Okta password but also enrolls users to Okta’s phishing-resistant and passwordless authenticator, FastPass.
With Okta FastPass, users can now experience passwordless authentication to their organization’s resources using biometrics.

In this blog I would like to guide you through the setup and enrollment steps.

Prerequisites

  • Your Okta Identity Engine org is available.
  • Your macOS computers are running a minimum of macOS Ventura (13.0).
    Version 13.5 is recommended for the best user experience.
  • The Okta Verify authenticator is set up in your org.
  • Devices must be enrolled in a mobile device management (MDM) solution that supports deployment of payloads.
    In this blog we are using VMware Workspace ONE as the MDM solution.
  • The Desktop Password Sync application is available for your organization.
  • Optional: If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

Create and configure the Desktop Password Sync app integration

In the Okta Admin Console, go to Applications > Applications > Catalog.

Search for Desktop Password Sync and select the app.

Click Add integration.

Open Desktop Password Sync from your Applications list to configure it.
On the General tab, you can edit the application label or use the default one.

On the Sign on tab, make note of the Client ID.
You need it when creating the managed app configuration in your Workspace ONE (MDM) environment.

Assign the app to individual users or groups on the Assignments tab.
Users must be assigned the app to use Desktop Password Sync.

Deploy the Okta Verify App

In this section I will not cover how to prepare an app for deployment: you need to download the Workspace ONE Admin Assistant Tool and prepare the Okta Verify app for deployment through Workspace ONE UEM.
I have already performed these steps upfront.

Log in to your VMware Workspace ONE Console.

Navigate to Resources, then select Apps.

Click Internal, then from the Add dropdown menu select Application File.

Click Upload and select Choose File. Navigate to the folder, choose the DMG file, and click Upload.

After the upload has completed, click Continue.
Upload the metadata file by clicking Upload and choosing the PLIST file from the same folder. Click Save and, after the upload has completed, click Continue.

Now click Save & Assign and:

  • Enter a name for the assignment, for example macOS_OV9.
  • Click in the Assignment Group section and select an assignment group.
    The selected group appears underneath the text box.
  • Select a time and date to begin the deployment if you do not want to begin immediately.
  • Select Auto to deliver the app automatically or On Demand (to deliver the app when requested by the user from the catalog).

When all assignments have been created, click Save and click Publish.

Create a Single Sign-On (SSO) extension profile

Now navigate to the Resources / Profiles & Baseline section.

Click Add Profile here.

Select Apple macOS.

Select Device Profile.

Name the profile with a name of your choice.

Now we will create the SSO Extension Profile in Workspace ONE.
(Here you see an example)

In the next step we need to add the Associated Domains to this profile.
Enter the following:
– App Bundle ID: B7F62B65BN.com.okta.mobile.auth-service-extension
– Domains: (change to your domain): authsrv:YOURORG.oktapreview.com

In the next step, we need to add the managed app configuration to the profile.
A managed app configuration allows you to enable the functionality that is built into macOS Okta Verify and Desktop Password Sync.

Navigate to the Custom Settings Payload in your Profile and add the following
Custom Settings to the Profile.

Preference Domain com.okta.mobile

Note that $USERNAME is an optional value for OktaVerify.UserPrincipalName, which automatically populates the username in the Sign-In Widget.
If a value isn’t specified, users need to input their username when logging in.

Preference Domain com.okta.mobile.auth-service-extension

Make sure you set the URL to your Okta domain and replace CLIENTID with the client ID found under the Desktop Password Sync app > Sign on tab in your Okta tenant!
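The two Custom Settings payloads and the Associated Domains entry above are easy to get wrong by hand: a placeholder left in place, a trailing slash on the org URL, or an authsrv domain that does not match the org URL. The following Python script is an added example, not Okta's or VMware's own code. It builds both payloads as the plist `<dict>` fragments you paste into a Custom Settings payload and cross-checks them against the Associated Domains entry. It assumes the key names OktaVerify.OrgUrl and OktaVerify.PasswordSyncClientID, which the page does not spell out; verify them against Okta's Desktop Password Sync documentation before deploying. The org URL and client ID it prints are constructed sample values.

```python
"""Build and cross-check the Workspace ONE values for Okta Desktop Password Sync.

Added example, not Okta's or VMware's own code. Key names marked ASSUMED are not
on the page and must be verified against Okta's documentation before deployment.
"""
import plistlib
import uuid
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Values given on the page.
SSO_EXTENSION_BUNDLE_ID = "B7F62B65BN.com.okta.mobile.auth-service-extension"
PREF_DOMAIN_OKTA_VERIFY = "com.okta.mobile"
PREF_DOMAIN_SSO_EXTENSION = "com.okta.mobile.auth-service-extension"
UPN_KEY = "OktaVerify.UserPrincipalName"
# ASSUMED key names for the org URL and the Desktop Password Sync client ID.
ORG_URL_KEY = "OktaVerify.OrgUrl"
CLIENT_ID_KEY = "OktaVerify.PasswordSyncClientID"
# Placeholders used on the page; they must not survive into a deployed profile.
PLACEHOLDERS = ("YOURORG", "CLIENTID")


def org_host(org_url: str) -> str:
    """Return the bare host of an Okta org URL; reject placeholders and non-https values."""
    if any(p in org_url.upper() for p in PLACEHOLDERS):
        raise ValueError(f"placeholder left in org URL: {org_url!r}")
    parsed = urlparse(org_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"org URL must be https://<host>: {org_url!r}")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError(f"org URL must not carry a path or query: {org_url!r}")
    return parsed.hostname


def associated_domain(org_url: str) -> Tuple[str, str]:
    """Associated Domains entry for the SSO extension profile: (app bundle ID, authsrv:<host>)."""
    return SSO_EXTENSION_BUNDLE_ID, f"authsrv:{org_host(org_url)}"


def check_client_id(client_id: str) -> str:
    """Reject an empty, placeholder or malformed client ID before it reaches a profile."""
    cid = client_id.strip()
    if not cid or cid.upper() in PLACEHOLDERS or not cid.isalnum():
        raise ValueError(f"invalid Desktop Password Sync client ID: {client_id!r}")
    return cid


def managed_preferences(org_url: str, client_id: str,
                        username: Optional[str] = "$USERNAME") -> Dict[str, Dict[str, str]]:
    """Settings for both preference domains, keyed by domain.

    username=None leaves OktaVerify.UserPrincipalName out, so users type their
    username at sign-in (the optional behaviour described on the page).
    """
    base = f"https://{org_host(org_url)}"  # normalises case and a trailing slash
    okta_verify = {ORG_URL_KEY: base}
    if username:
        okta_verify[UPN_KEY] = username
    sso_extension = {ORG_URL_KEY: base, CLIENT_ID_KEY: check_client_id(client_id)}
    return {PREF_DOMAIN_OKTA_VERIFY: okta_verify, PREF_DOMAIN_SSO_EXTENSION: sso_extension}


def custom_settings_xml(domain: str, settings: Dict[str, str],
                        payload_uuid: Optional[str] = None) -> str:
    """Render one Custom Settings payload as the <dict> fragment pasted into Workspace ONE.

    PayloadType set to the preference domain is how a configuration profile
    delivers managed preferences for that domain.
    """
    payload_uuid = payload_uuid or str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": domain,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{domain}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": f"Custom Settings: {domain}",
        **settings,
    }
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=True).decode()
    return xml[xml.index("<dict>"):xml.rindex("</dict>") + len("</dict>")]


def parse_custom_settings(fragment: str) -> Dict[str, object]:
    """Round-trip a <dict> fragment back into a dict, as a check on what was pasted."""
    return plistlib.loads(f'<plist version="1.0">{fragment}</plist>'.encode())


def audit(org_url: str, client_id: str, assoc: Tuple[str, str]) -> List[str]:
    """Cross-check an Associated Domains entry against the managed preferences; [] means consistent."""
    problems: List[str] = []
    prefs = managed_preferences(org_url, client_id)
    expected = associated_domain(prefs[PREF_DOMAIN_SSO_EXTENSION][ORG_URL_KEY])
    if assoc[0] != expected[0]:
        problems.append(f"bundle ID {assoc[0]!r} is not the SSO extension {expected[0]!r}")
    if assoc[1] != expected[1]:
        problems.append(f"associated domain {assoc[1]!r} does not match the org URL ({expected[1]!r})")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace them with your own org URL and client ID.
    ORG, CID = "https://example.oktapreview.com", "0oaexampleclientid00"
    print("Associated Domains:", *associated_domain(ORG))
    for pref_domain, values in managed_preferences(ORG, CID).items():
        print(f"\n# Preference Domain {pref_domain}\n{custom_settings_xml(pref_domain, values)}")
    # A deliberately mismatched domain, to show what the audit reports.
    print("\nAudit:", audit(ORG, CID, (SSO_EXTENSION_BUNDLE_ID, "authsrv:example.okta.com")))
```

Run it once with your own values, paste each printed `<dict>` into the matching Custom Settings payload, and keep the audit call in your change checklist: a mismatch between the authsrv domain and OktaVerify.OrgUrl is the kind of error that only shows up when the first user tries to register.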

You can find all information about the device management profile and generic MDM setup here.

When your Profile is ready, you need to assign it to the WS1 Smart Group, save and publish it to your devices.
In my example I am pushing the profile to all my macOS Devices.

Enroll your macOS device in VMware Workspace ONE

Now that we have the Okta Verify app and all the MDM profiles ready,
we will enroll our macOS device into Workspace ONE.
In my example I am performing a manual device enrollment using Okta 🙂
I’ve configured Okta as an Identity Provider in VMware Workspace ONE Access!

To start, navigate to https://getwsone.com, then download and install
the Intelligent Hub on your macOS device.

Type in your Server Address and press Next.

In the next screen type in your Group ID and press Next again.

As I have configured Okta as the Identity Provider in the VMware environment I need to authenticate against Okta here.

In my example I will authenticate with Okta Verify Push.

After successful authentication we continue with enrollment by pressing the Next
button in the Intelligent Hub app.

The enrollment profile will be downloaded
(you can find it in System Settings → Security & Privacy → Profiles).

Double click on the MDM Profile and click Install.

Click Install again on the confirmation pop up.

You will be prompted for the username and password of the local user you created on the VM.

You should see the following Congratulations screen, which means your macOS device was successfully enrolled.
In the right section you see all MDM profiles that were successfully distributed to the device.

The Okta Verify app should also be installed successfully.

Register the user on the Mac with ODA (the user journey)

The following Registration Required dialog box appears upon login or soon after.

Now hover

The following dialog will appear, “One less password to remember”; click the Set up button.

A browser window will open for you to authenticate to Okta.
Authenticate as the user for this macOS device as you would for any Okta login.
Note that the registration dialog stays open.

After the authentication you will see “Your identity is verified” and “You can close this browser tab”.
The registration dialog changes to say “Almost there!”; click the Continue button.

The next step requires you to enter the macOS password. Enter the password and click OK.

Another dialog, Authentication Required, will appear; click the Sign In button.

In the final step, you now have to enter your Okta password and click the Sign In button.

Now you can log out and log back in using your Okta password!

The whole registration process will register the user against Okta Verify.

Demo

In this Demo Video you can see the complete enrollment and registration process, enjoy! 🙂

Okta Device Access – Desktop Password Sync – VMware Workspace ONE