Login for Mac v21.04 configuration guide

Updated April 30, 2021

Login for Mac, available in SecureAuth IdP v9.3+ and the SecureAuth® Identity Platform v19.07+, adds SecureAuth’s multi-factor authentication to the Mac desktop and remote server login experience.

Release highlights

Read on to learn more about the new features in Login for Mac version 21.04.xx.

Read the Release notes to learn more.

New integrated Login for Endpoint configuration page in Identity Platform

Open the new Login for Endpoint page from the Identity Platform user interface to customize your Login for Endpoints user experience. The easy-to-use pages help you set up your operating system, the multi-factor methods, and even personalize your users' experience during authentication. (Existing customers will recognize the options that were manually set in the config.json file in previous releases.)

This feature is supported in Identity Platform version 21.04 or later only.

See Identity Platform and Login for Endpoints configuration for all the details.

New second-factor authentication methods added

You can now choose the following new 2FA methods: PIN and link-to-accept available for both SMS/text and email.

New methods are supported in Identity Platform version 21.04 or later only. See the following sections for details:

Disclaimers

  • The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Mac will not authenticate end users if their usernames are duplicated across multiple data stores.

  • Customers who want to use the pre-login questionnaire must create the questionnaire themselves. SecureAuth does not host this document; rather, SecureAuth enables customers to integrate their own questionnaire with the Identity Platform version 19.07+ and Login for Mac version 20.09.01+.

  • Login for Mac supports the samAccountName login name format if using Microsoft Active Directory; in this use case, userPrincipalName (UPN) is not supported.

    UPN is supported at login if running Login for Mac with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.

Prerequisites

Administrator: Setup requirements

If you want to set up biometric authentication for your end users to authenticate by using face (iOS) or fingerprint recognition, the following are required:

  • When upgrading to the Identity Platform v19.07 or later, end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.

  • You can customize the Login for Windows experience by setting or changing configuration options in Identity Platform and Login for Endpoints configuration.

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with Login for Mac, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. Login for Mac supports cookie-based persistence only.

Setup requirements

  1. Ensure SecureAuth IdP v9.2 or later or SecureAuth Identity Platform 19.07 or later is running and is using a SHA2 or later third-party publicly trusted certificate bound to Microsoft Internet Information Services (IIS). For example, in the IIS Management Console's Default Web Site section, check the Site Bindings section to ensure the https/443 type and port settings have a valid and trusted SHA2 certificate selected in the SSL certificate field. The following example shows the SSL connection being terminated on the SecureAuth server.

    58065985.png

    Alternatively, you can also terminate the SSL connection on the load balancer, and then your publicly-trusted certificate will reside on the load balancer.

    Note

    Do not remove the SecureAuth certificates from the certificates console or the SecureAuth appliance will no longer function.

  2. Create a new Login for Endpoints application.

  3. Ensure target end user machines are running the minimum supported OS versions in the SecureAuth compatibility guide.

User account and Mac workstation requirements

  • The end user Active Directory profile must be accurately configured on the Mac so that the endpoint can retrieve the AD end user profile during the login process.

  • In an enterprise WiFi environment, before setting up Login for Mac on end user workstations, the system level policy must be configured to allow the Mac to connect to the enterprise WiFi. This setup lets Login for Mac obtain the OATH seed which is used to authenticate the end user.

  • If an end user is already using a YubiKey device for YubiKey multi-factor authentication on a SecureAuth Identity Platform realm, the OATH seed and associated YubiKey device must be removed from the end user's account to prevent a conflict when the end user attempts to use a YubiKey device for HOTP authentication. (See the steps under "End user multi-factor authentication" in the YubiKey HOTP Device Provisioning and Multi-Factor Authentication Guide to remove the YubiKey device from the user account profile.)

Note

If an end user is disabled in Active Directory, the local account will not know the history of the AD account, and the user will not be able to log on to the Mac.

End user account and Mac workstation requirements

Important

Before installing Login for Mac

Your local username and password on the Mac must be the same as your Active Directory username and password. If you are using a different local username than your Active Directory username, contact your IT department to synchronize the IDs.

If the IDs are synchronized, be sure you can log on to the Mac before installing Login for Mac.

First-time usage requirements

End users can log in without second-factor authentication for the number of days set by the administrator. This allows end users to log in with a password only so they can set up their two-factor authentication methods before they must authenticate to access their device. After end users set up 2FA, the following is the authentication workflow.

Login for Mac requires end users to use one OATH-based method (for example, TOTP or YubiKey) if at least one such method is available to them. If no OATH-based method is available, end users can use any other available method, but offline login will not be available.

To meet this requirement, end users must use one of the following accounts provisioned with a SecureAuth Identity Platform realm that enables their device to generate timed passcodes for multi-factor authentication:

Thereafter, end users can use Login for Mac to log in when working online and offline.

Additionally, consider the following requirements for end users:

  • If using face recognition, available for iOS mobile phones only, end users must complete the following:

    • Enable their iOS mobile phone Face Recognition setting

    • Download and set up the SecureAuth Authenticate App

    • Sites upgrading from SecureAuth v9.3 to the Identity Platform v19.07+: End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

  • If using fingerprint recognition, end users must complete the following:

    • Enable their iOS or Android mobile phone Fingerprint setting

    • Download and set up the SecureAuth Authenticate App

    • End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.

Identity Platform and Login for Endpoints configuration

Use the following sections to set up your endpoint product with the cloud and hybrid model of SecureAuth Identity Platform version 21.04 or later. You will configure the Identity Platform to use Login for Endpoints.

If your team wants to use biometric identification (face (iOS only) or fingerprint recognition), you must complete the following setup. Only the Identity Platform v19.07 or later supports biometric identification; additionally, you must use the 2019 theme (see Setting the default theme for new realms).

Note

The following instructions are appropriate for the three endpoint products: Login for Windows, Login for Mac, and Login for Linux. Differences will be called out according to operating system.

Prerequisites

The following steps must be completed before you can set up MFA methods; some steps are specific to cloud and they are called out accordingly.

  1. Cloud: Download and install the SecureAuth Connector on your endpoint data store server to begin the Identity Platform deployment.

    See Data Stores for a discussion and prerequisites. See Install the SecureAuth Connector for prerequisites and steps.

  2. Add a data store.

    In your endpoint Data Store Properties, enter adminDescription in an unused ID field—Aux ID 3 for endpoints—and set the data format to plain text. Later in these steps, you will map this field to the OTP Validation Property, which is used for end user authentication.

Set up a policy

Policies in the Identity Platform let you define the rules under which users are authenticated to, or blocked from, certain applications. See How policies are used in the Identity Platform to learn about policies.

If you have an existing policy or default policy that will meet your security needs, you can use that policy; otherwise, you can set up a new policy specifically for endpoints.

  1. Set up a policy for your endpoint.

    On the left side of the Identity Platform page, click Policies. Click Add new Policy and give the policy a name.

    policy_id_plat_2104.png
  2. Optional: Set up rules to prompt or skip MFA when end users authenticate by comparing rules like their country, group access, and more.

    Select the Authentication Rules tab. See Adaptive authentication rules settings in a policy to learn more about setting rules.

    auth_rules_in_policy.png
  3. In the Multi-Factor Methods tab, select the methods that you want to enable for the new endpoint policy you just created. The MFA methods will be available to your end users as their login workflow experience.

    Set Login Workflow to any workflow that contains "MFA Method" in it; Username & Password | MFA Method works well for most organizations.

    Select the MFA methods. See Define the login workflow and multi-factor methods settings for the policy to learn more about these methods. The following image shows the available MFA methods for the Username & Password | MFA Method workflow.

    l4e_mfa_methods.png
  4. Click Save Policy to save your work.

  5. Optional: Set up dynamic IP blocking rules to define how and when to block IP addresses that fail to log in with username entries. This setting applies to all policies where the rule is enabled.

    Select the Blocking Rules tab. See Dynamic IP Blocking settings to learn more about rules.

    Be sure to save any changes you make.

Set up Login for Endpoints

Use the Endpoint Details page to set up communication between the Identity Platform and your endpoint. You will configure the endpoint authentication and access information. You will then use the Aux ID you set previously to enable communication between the Identity Platform authentication API and the endpoint.

  1. On the left side of the Identity Platform page, click Login for Endpoint, and click the Endpoint Details tab.

    l4e_open.png
  2. On the Endpoint Details screen, set up the endpoint. Click Add Endpoint on the upper right of the page.

    endpoint_details_2104.png
    1. Provide a name for the endpoint.

    2. Optional: Provide a description for the endpoint.

    3. Select the name of the policy you created previously.

    4. Select the data store for this endpoint.

    5. Select the user groups that can access this application. Hint: Admins typically select Allow every group in your selected data stores to access this application. Additionally, you can add specific user groups only; for example, to let a test group use it for a short time period before adding more or all groups.

    6. Set the OTP validation property to the Auxiliary (Aux) ID you set in Data store integrations.

      You must specify an Aux ID to communicate with the Identity Platform to validate one-time passcodes (OTPs) from email, phone calls, SMS, Helpdesk, and Notification Passcode.

    7. Click Save, located on the bottom, right side of the page. Do not close the page.

    8. At the bottom of the page, an API Configuration section appears.

      Copy the Application ID and Application key and save them in a secure location where you can find them when needed.

      You cannot retrieve these API credentials again. If you lose them, you can get new secret keys from this page.

      api_config.png

      You can ignore the Endpoint URL link (in the horizontal red box) for now.

    9. Close the screen.

  3. Click the Installer Configuration tab and click Add Configuration to open the Installer Configuration Details page. You can customize the end user login experience in the installer configuration.

  4. Set up the installer configuration for your operating system in the General Settings tab. Fill in the fields with names that match your OS.

    genl_settings_instal_config.png
    1. Add a name for the installer configuration. The name will be displayed in a list that could be long, depending on how many endpoints you set up, so be sure to make the name easy to identify.

    2. Select the endpoint you created on the Endpoint Details page. This connects the endpoint to communicate with the Identity Platform through the API.

    3. Set Allow self-signed certificate only in test or lab environments where the server has a self-signed certificate. When set, all certificate validation is turned off: the HTTP client accepts valid certificates, self-signed certificates, expired certificates, certificates with an invalid root, certificates without a matching common name, and so on, to establish communication.

      Do not set this option for production environments. In production, the option introduces a critical security risk, namely a "man in the middle" attack that grants users access to a system without validating their credentials and lets unauthorized users steal OATH seeds. If the option is set in production, a warning message informs you that the option is enabled.

      After installing an endpoint with this option set, it remains effective until the endpoint is uninstalled and then re-installed using a configuration file with this option cleared.

    4. Set Install Login for Endpoint without connection to Identity Platform, for example, to allow a third-party company to configure machines for your end users. If the third-party company does not have connectivity to the Identity Platform, this option enables them to complete the configuration.

      When set, be sure to set Grace Period and specify the number of days for password-only login. (Grace Period is located in the Multi-Factor Methods tab.)

      Alternatively, to achieve the same results for self-service password reset (SSPR) without a connection to the Identity Platform:

      • Clear Grace Period.

      • Set Enable adaptive authentications.

      • Clear Logging in with physical access.

      • Clear Logging in via remote desktop protocol.

    5. Set the operating system to match your OS.

    6. Set the type of endpoint you are setting up.

  5. Customize the login experience for your end users in the Multi-Factor Methods tab.

    Click Next Step on the bottom right of the page.

    Existing customers might recognize the following options, which were set in the config.json file in previous releases.

    installer_config_mfa.png
    • Self-service password reset-only mode

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen.

      win_sspr.png

      Setting this option deactivates all other options on the page. If you want the Password Reset link plus all the Login for Windows features (MFA, adaptive engine, etc.), complete the following:

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        This option is located on the Personalization tab, in the Password Reset section.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

    • Ask for second-factor authentication when run as Administrator

      Available on Windows OS only

      When cleared, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will not be required to authenticate again.

      When set, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will be required to authenticate again.

    • Enable passwordless authentication

      Available on Windows OS only

      When set, end users can use a fingerprint reader to authenticate by using any enrolled fingerprint.

      This setting does not enable the second factor biometric identification available to end users through the SecureAuth Authenticate app. On Login for Windows and Login for Mac, see "Use fingerprint recognition on mobile" for instructions; on Login for Linux, see "Approve login notification for fingerprint recognition."

    • Enable offline authentications

      Set this option if you want end users to be able to authenticate when offline.

      SecureAuth uses OATH seeds to validate OATH-based methods (for example, TOTP, HOTP) when end users log in. Most use cases require SecureAuth to store OATH seeds; if seeds are not stored, end users will not be able to log in while offline. In a scenario where, for example, a server is always online, you might not want to cache the OATH seed, to prevent the seed from leaking or being stolen.

    • Enable adaptive authentications

      This setting acts similarly to the Adaptive Authentication settings in SecureAuth Identity Platform, which let you restrict logins for admins and users in several ways; for example, by username, group, IP address, and so on.

    • Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings

      Set this option to display a message that suggests end users authenticate for the first login by using an OATH-based method, such as TOTP, HOTP, etc. This ensures that they can log in when offline.

      Login for Endpoints requires end users to use one OATH-based method if at least one such method is available to them. If no OATH-based method is available, end users can use any other available method, but offline login will not be available.

    • Grace period

      Set this option to establish the number of days that end users can log into a machine with password-only.

      After end users set up their second-factor methods, they can dismiss the password-only login screen.

      For a detailed description with a use case, see "First login with password only."

    • Bypass interval

      When cleared, end users must authenticate with a second factor each time they log in.

      Set a custom duration in seconds; end users must authenticate with appropriate 2FA for their first login, but won't need to authenticate again until the defined time period ends.

      For example, the time period is set for 32400 seconds (9 hours) and an end user logs out after working for 8.5 hours. That evening, the end user decides to log in and finish a few tasks. More than 9 hours have passed so the end user will need to authenticate with a second factor.

    • Logging in with physical access

      Login for Windows and Login for Mac: Set this option to require MFA when logging in by using the login screen with a workflow, such as Username | Password | 2FA; that is, not logging in remotely.

      Login for Linux: Set this option to allow a user to log into the same machine as a different user by using su or sudo.

    • Windows: Logging in via remote desktop protocol | Linux/Mac: Logging in via Remote Connection (SSH)

      Windows: Set this option to require multi-factor authentication when users log in via remote desktop protocol.

      Linux/Mac: Set this option to require multi-factor authentication when users log in through a remote console in a Secure Socket Shell (SSH) session.

    • Bypass Multi-factor Authentication when

      Set this option to allow users who need to log in as local admins to log in without being prompted for additional MFA.

      Users must belong to a local or domain group that you specify in the fill-in field. Add local users only to the local group. Group names are case sensitive and need to match AD exactly.

      Login for Windows and Login for Mac: Both endpoints support the following syntax:

      • group name: For groups of the domain on which the machine is joined; for example, "BypassGroup"

        Note that group names must match Active Directory exactly.

      • domain\\groupname: For groups that are part of a specific domain; for example, "customerDomain\\BypassGroup"

      • .\\groupname: For local machine groups; for example, ".\\Administrators"

      Login for Linux: This endpoint supports the following syntax:

      • group name: For groups of the domain on which the machine is joined; for example, BypassGroup

        Note that group names must match Active Directory exactly.

      • group-name@group-domain: For remote groups, use this UPN format syntax; for example, BypassGroup@customerDomain.local

      • .\\groupname: For local machine groups; for example, .\\Administrators

  6. Personalize more of the user experience in the Personalization tab.

    Click Next Step on the bottom right of the page.

    personalization_tab.png
    • Customize error message

      Set this option to personalize the error message for end users who are locked out of their accounts. In the fill-in field, add your custom message, such as:

      For assistance, please contact Acme helpdesk at 949-555-1212, help@acmeco.com, or https://helpdesk.acmeco.com.

    • Request Timeout

      Set the timeout in seconds, 30 seconds by default, that the Login for Endpoint will wait for HTTP requests to respond. This option is useful to reduce network wait times because the endpoint ends a network connection after it reaches the specified timeout value when communicating through HTTP requests.

      For example, if the endpoint is trying to contact the Identity Platform, but cannot for any reason, the endpoint will end the network connection after the timeout value is reached; if not set, the endpoint will keep trying to reach the Identity Platform.

    • Auto add pre-logon access providers

      Available on Windows OS only

      Set this option to allow a pre-logon access provider so that end users can connect to VPN clients before logging into Login for Windows.

    • Hide retry options

      Available on Windows OS only

      Set this option to hide the button to retry the connection on the login screen when Login for Windows is offline.

    • Enable update password link on the login interface

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen. Be sure the following options are set up correctly:

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

    • Allow default operating system provider

      Available on Windows OS only

      Set this option to add the default credential provider on the login screen. This allows end users to log in by using a password and second factor with the SecureAuth credential provider, or by using only a password with the default credential provider.

      This option helps new teams starting out with Login for Windows to have a default credential provider option for end users to authenticate as a fallback.

    • Allow other credential providers

      Available on Windows OS only

      Set this option to specify if non-SecureAuth credential providers and other credential providers, such as card scanners, can be used. Be aware of the following items, especially the first bullet:

      • This option is only recommended in test environments, to let testers bypass Login for Windows so they can readily access their machines.

      • Users will be able to log in without using the Login for Windows credential provider, and potentially bypass multi-factor authentication.

      • Users will see their normal login prompt and will have to manually select a different login option to use Login for Windows.

  7. Save your changes.

    Saving creates a configuration file, which contains all the customizations that you set.

    config_file_list.png
  8. Download the configuration file, which you will need during installation. The configuration file must reside in the same folder as the installer file that you will download in Installation.

    Click the download icon (in the image above, the left icon in the red box). The downloaded file is called config.json.

    If you open the config.json file, it will look like the following image, depending on the OS you are using and the customizations you set:

    {
        "platform": "linux",
        "version": "v2",
        "conf_version": 6,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://endpoints.secureauth.com/SecureAuth7",
                "id": "6bc7baa94e8e4b168edc8f6da8932175",
                "secret": "c817e6d6e5f7475d8ff801922dbfac409c8d84a39aa9f6973bd5f4a3913bd2e7"
            }
        ],
        "access_level": 0
    }

    Note

    Change any of your customizations in the Installer Configuration Details pages, then complete step 8 again. Any change you make requires an updated config.json file downloaded to your installation folder.

    Do not edit the config.json file directly unless instructed by SecureAuth Support.

  9. Your Login for Endpoint is set up with the Identity Platform. You are now ready to install the endpoint.
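The following audit script is an added example, not SecureAuth code: it reads a downloaded config.json of the shape shown above and flags the settings this guide warns about (allow_self_signed, a non-HTTPS API host, install_without_idp, store_seeds, request_timeout), and it classifies each group_bypass entry using the syntax from the "Bypass Multi-factor Authentication when" option. The severity labels, the "platform": "mac" value and the placeholder host and credentials in the constructed sample are assumptions of this example.

```python
# Added example, not SecureAuth code. Key names are those of the sample
# config.json above; the group_bypass syntax follows the guide's bypass option.
import json
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

_LOCAL_RE = re.compile(r"^\.\\(.+)$")           # .\groupname   (local machine group)
_DOMAIN_RE = re.compile(r"^([^\\@]+)\\(.+)$")    # domain\groupname
_UPN_RE = re.compile(r"^([^\\@]+)@([^\\@]+)$")   # group@domain  (Login for Linux only)


def classify_bypass_entry(entry: str) -> str:
    """Return the scope a group_bypass entry names: local, domain, upn or joined."""
    if _LOCAL_RE.match(entry):      # test first: ".\x" would also match _DOMAIN_RE
        return "local"
    if _DOMAIN_RE.match(entry):
        return "domain"
    if _UPN_RE.match(entry):
        return "upn"
    return "joined"                 # bare name: group of the domain the machine joined


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants nothing to group/other (e.g. 0o600).
    config.json carries the Application key in clear text, so the copy left in
    the installer folder should not be readable by other local users."""
    return (mode & 0o077) == 0


def audit_config(cfg: Dict) -> List[Finding]:
    """Walk the parsed config and report the settings the guide warns about."""
    findings: List[Finding] = []
    platform = str(cfg.get("platform", "")).lower()

    if cfg.get("allow_self_signed"):
        findings.append(("HIGH", "allow_self_signed is true: all certificate validation "
                                 "is off; never ship this to production"))
    for api in cfg.get("apis", []):
        host = str(api.get("host", ""))
        if not host.lower().startswith("https://"):
            findings.append(("HIGH", f"API host {host!r} is not https"))
        if api.get("secret"):
            findings.append(("INFO", "file contains the Application key in clear text; "
                                     "restrict who can read it"))
    if cfg.get("install_without_idp"):
        findings.append(("MEDIUM", "install_without_idp is true: password-only login is "
                                   "expected for the Grace Period after installation"))
    if cfg.get("store_seeds"):
        findings.append(("INFO", "store_seeds is true: OATH seeds are cached on the endpoint "
                                 "(needed offline; consider false for always-online servers)"))
    timeout = cfg.get("request_timeout")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append(("LOW", f"request_timeout={timeout!r}: endpoint keeps retrying "
                                "the Identity Platform instead of timing out"))

    for entry in cfg.get("group_bypass", []):
        entry = str(entry)
        if not entry.strip() or entry != entry.strip():
            findings.append(("MEDIUM", f"group_bypass entry {entry!r} is empty or has stray "
                                       "whitespace; names must match AD exactly (case-sensitive)"))
            continue
        scope = classify_bypass_entry(entry)
        if scope == "local":
            findings.append(("MEDIUM", f"{entry!r}: members of a local group skip MFA"))
        elif scope == "upn" and platform != "linux":
            findings.append(("MEDIUM", f"{entry!r}: group@domain syntax is documented "
                                       "for Login for Linux only"))
        else:
            findings.append(("INFO", f"{entry!r}: {scope} group skips MFA"))
    return findings


def audit_json(text: str) -> List[Finding]:
    return audit_config(json.loads(text))


# Constructed sample in the shape shown above, with risky settings switched on.
# "platform": "mac" is an assumed value; the page only shows "linux".
SAMPLE_CONFIG = r"""
{"platform": "mac", "version": "v2", "conf_version": 6,
 "allow_self_signed": true, "adaptive_enabled": true,
 "group_bypass": ["BypassGroup", "customerDomain\\BypassGroup",
                  ".\\Administrators", "BypassGroup@customerDomain.local"],
 "store_seeds": true, "custom_error_message": "", "install_without_idp": true,
 "suggest_first_login": false, "request_timeout": 0,
 "apis": [{"host": "http://endpoints.example.invalid/SecureAuth7",
           "id": "PLACEHOLDER_APPLICATION_ID", "secret": "PLACEHOLDER_APPLICATION_KEY"}],
 "access_level": 0}
"""

if __name__ == "__main__":
    for severity, message in audit_json(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a real download with `audit_json(open("config.json").read())`; the file is read only, in keeping with the note above about not editing config.json by hand.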

Pre-installation steps

Use the following settings to customize the Login for Mac experience.

Optional: Integrate the pre-login assessment service

Set up the pre-login assessment service to create a questionnaire that you can integrate with the Identity Platform and Login for Mac. End users will then see the questionnaire and provide answers prior to logging into Login for Mac.

Set up this option by completing the following instructions in the Login for Mac v20.09.02 configuration guide:

Private keys and PAM

If you use private keys with Pluggable Authentication Modules (PAM), then when end users access the remote server by using Secure Socket Shell (SSH), the PAM module is never invoked and the user can gain access without entering a password and second factor. To resolve this issue, complete the following:

Modify the /etc/ssh/sshd_config file by adding the following line:

AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam

If you want to allow end users to log in with their username and password only for a set number of days, see Grace Period for set up and First login with password only for usage.
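The following check is an added example, not part of this guide or of SecureAuth's product: it parses an sshd_config and confirms that every AuthenticationMethods alternative includes the PAM keyboard-interactive step, so that a private key alone can no longer complete a login. Only the global section is evaluated (Match blocks are skipped, a simplification of this example), and the sample configurations are constructed.

```python
# Added example (not SecureAuth's): verify that sshd's AuthenticationMethods
# cannot be satisfied without the PAM keyboard-interactive step. Only the
# global section of sshd_config is evaluated; Match blocks are skipped here.
import re
from typing import List, Optional

PAM_METHODS = {"keyboard-interactive:pam", "keyboard-interactive"}

_LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Keyword value" or "Keyword=value"


def first_global_value(config_text: str, keyword: str) -> Optional[str]:
    """Value of the first `keyword` line outside any Match block.

    sshd uses the first obtained value for a keyword, so a later duplicate
    does not override an earlier one. Keywords are case-insensitive."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = value.lower() != "all"   # "Match all" returns to global scope
            continue
        if not in_match and key == keyword.lower():
            return value
    return None


def parse_authentication_methods(value: str) -> List[List[str]]:
    """'publickey,keyboard-interactive:pam keyboard-interactive:pam' ->
    [['publickey', 'keyboard-interactive:pam'], ['keyboard-interactive:pam']]
    Alternatives are space-separated; the comma-separated methods within one
    alternative must all succeed, in order."""
    return [alt.split(",") for alt in value.split()]


def weak_alternatives(config_text: str) -> List[str]:
    """Alternatives that complete a login without any PAM step.
    No AuthenticationMethods line means the default 'any', where a public key
    alone is sufficient, which is exactly the bypass described above."""
    value = first_global_value(config_text, "AuthenticationMethods")
    if value is None or value.lower() == "any":
        return ["any"]
    return [",".join(alt) for alt in parse_authentication_methods(value)
            if not any(m in PAM_METHODS for m in alt)]


def check_sshd(config_text: str) -> List[str]:
    """All problems found; an empty list means every login path goes through PAM."""
    problems = [f"alternative '{alt}' completes without PAM"
                for alt in weak_alternatives(config_text)]
    if (first_global_value(config_text, "UsePAM") or "").lower() == "no":
        problems.append("UsePAM no: keyboard-interactive:pam can never succeed")
    for kw in ("KbdInteractiveAuthentication", "ChallengeResponseAuthentication"):
        if (first_global_value(config_text, kw) or "").lower() == "no":
            problems.append(f"{kw} no: keyboard-interactive is disabled")
    return problems


# Constructed samples.
SECURE = """
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
"""
KEY_ONLY = """
UsePAM yes
# a key alone satisfies the first alternative, so PAM is never consulted
AuthenticationMethods publickey keyboard-interactive:pam
"""
DEFAULT = "UsePAM yes\n"   # no AuthenticationMethods line -> 'any'

if __name__ == "__main__":
    for name, text in (("secure", SECURE), ("key_only", KEY_ONLY), ("default", DEFAULT)):
        print(name, check_sshd(text) or "OK")
```

On the server itself, `sshd -T` prints the effective configuration and is a better input than the raw file when include directives are in use.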

Optional: Enable and use multi-factor authentication for Remote Access (SSH)

  1. On the Mac, go to Settings, select Sharing, and then enable Remote Login.

  2. After making this setting, SSH into the machine via ssh username@hostname; for example: ssh jsmith@170.17.0.150

  3. Enter your password, and you will be prompted for multi-factor authentication.

Installation and upgrade steps

The following steps describe installation and upgrade processes.

Warning

If you have installed a version of Login for Mac (for example, 20.09.02) and you upgrade your operating system to macOS 11+ (Big Sur), you must run the Login for Mac installer again. This is to reinstall the authentication plugins that the operating system removes during the upgrade process.

Upgrade Login for Mac

Login for Mac supports upgrading from version 1.0.3 to 21.04.xx without uninstalling before installing the latest version.

Download the Login for Mac ZIP file to the specified folder

  1. Download the Login for Mac .zip file to the target machine.

  2. Unzip this file which contains the SecureAuthLogin-21.04.00.pkg and SecureAuthLogin-21.04.00-Uninstaller.pkg files.

  3. Copy these files to the same folder as the config.json file on the target machine.

Run the Login for Mac installer package

  1. Double-click SecureAuthLogin-21.04.00.pkg to start the installation wizard for the application.

  2. Log out of the target machine.

    NOTE: After this installation, SecureAuth Login for Mac appears on the next login session.

Login for Mac error logs

Error logs are displayed in the following locations.

  • Information related to installation is written in the install.log file in:

    /var/tmp

  • Information related to logging in is written in the login.log file in:

    /Library/Application Support/com.secureauth.saap

The login.log file displays system information, such as the type and version of the operating system, the version of Login for Mac your organization is running, and more as shown in the following image:

60562968.png

After you view the login.log file, then connect later through RDP, you might notice what look like inconsistencies because the log file will have new start lines and threads. This is expected behavior because connecting through RDP causes new instances of the credential provider to be created, which causes the new start lines and threads.

Uninstallation

On the target machine, run the Login for Mac uninstaller package:

  • Double-click SecureAuthLogin-21.04.00-Uninstaller.pkg to start the uninstall wizard for the application, and then follow the instructions on screen.

Log files are not uninstalled; use them to assist with troubleshooting any issues with the uninstallation. After you have worked through any issues, you can delete the log files.

End user login experience

Important

  • The enterprise WiFi connection must be disabled on the Mac to log on to the domain. A public WiFi connection or a wired connection can be used for Internet access.

  • If you are included in a bypass group, you will need to wait for the network group to be fully connected before logging on.

First login with password only

End users can log in without second-factor authentication for the number of days set by the administrator in the Grace Period option. This lets end users log in with a password only (without using second-factor authentication), typically immediately after Login for Mac is installed. End users can then access their device to set up their two-factor authentication methods, such as PIN creation and answers to Security Questions, before they must authenticate to access their device.

Use case: Password-only login is useful for one or more new employees who have been issued a laptop on their first day of employment. For example, if Login for Mac is already installed on the laptops and the admin has not set the Grace Period option, new employees might not be able to log into their computer if they cannot connect to the SecureAuth Identity Platform realm to register their mobile phone or self-service page to enter a phone number.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users who want to log in with a password only click No next to number 1 to display the password field and log in. After end users set up their second-factor methods, they are ready to authenticate so they click Yes next to number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

69107855.png

If your site uses private keys with Pluggable Authentication Module (PAM), end users will see the following message when they log in with password only. End users who want to log in with a password only enter their password next to number 1 and enter No for number 2 and log in. After end users set up their second-factor methods, they are ready to authenticate so they enter Yes for number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

69107835.png

Login without connection to Identity Platform

End users can log in when their machine does not have a connection to the Identity Platform if the Install Login for Endpoint without connection to Identity Platform and Grace Period options are set. This allows end users to log in with a password only (without using second-factor authentication).

Use case: Password-only login is useful if a third-party company configures machines for end users and the third-party company does not have connectivity to the Identity Platform. For example, if Login for Mac is installed on machines by a third-party without a connection to the Identity Platform, and the admin has not set the Install Login for Endpoint without connection to Identity Platform and Grace Period options, when new employees get their machine, they will not be able to log in.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following images.

End users whose machines are not connected to the Identity Platform should contact the admin first so they can copy the message next to number 1 and send it to their admin. End users can then click Continue next to number 2 on the UI to display the password field or enter a password on the PAM UI and log in. After the machine connects to the Identity Platform, the 2FA login screen opens for end users so they can set up their second-factor methods and log in.

69107856.png

If your site uses private keys with Pluggable Authentication Module (PAM), end users will see the following message when they log in with password only. The workflow is the same as in the previous "Workflow" paragraphs.

69107837.png

First-time login experience

If the administrator has set up a mandatory questionnaire for your organization to fill out prior to logging into Login for Mac, you will log in with a username and then you will be redirected to the questionnaire. After you fill out the questionnaire and submit it, close the browser to display the second-factor authentication screen.

  1. Enter your domain username and password on the Mac login screen.

    60575286.png

    The first time end users log in, Login for Mac shows only OATH-based methods (for example, TOTP or HOTP YubiKey) if at least one such method is available to them. If no OATH-based method is available, end users can use any other available method, such as one that uses the SecureAuth Authenticate App on a mobile device, or another device provisioned with the SecureAuth IdP realm to supply timed passcodes, such as an HOTP YubiKey.

    If end users need to log in when their machine is offline, they must choose an OATH-based method during the first login. After end users select a timed authentication option and enter their password, TOTP and HOTP passcode options will be available for them to use when logging on the machine offline.

    The window pictured above appears only the first time you use Login for Mac.

    60575284.png

    End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on the machine offline, any OATH-based method that was used online will be available for use.

    If you do not have an authentication method that provides an OATH-based method, then select any other option available to you.

    Optionally, check the Remember my selection box if you want to use this same authentication method the next time you log on the Mac.

  2. Enter the passcode that appears on the device, and then click Submit.

    After successfully logging on the Mac using a timed passcode, timed passcodes from that device can be used for login access when offline, i.e., when the Mac is not connected to the Internet.

  3. Log out of the Mac.

  4. Log back on the Mac, and select an authentication option from the list of multi-factor authentication methods for which you have previously enrolled.

    If your list of available authentication options is lengthy, you may need to scroll down the list if the option you want does not appear on the main page.

  5. Optionally, check the Remember my selection box if you want to use this same authentication method the next time you log on the Mac.

  6. Click Submit to access the Mac on the network.

    No matter which option you choose, you can return to this selection window by clicking the I want to choose a different two-factor authentication method link located at the bottom of each second-factor authentication screen.

    l4m_all_factors.png

    Authentication method workflows are described in the following sections.
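The reason the OATH-based methods above keep working offline is that the device and the verifier share a seed, so a passcode can be checked locally without reaching the Identity Platform, whereas push, SMS, email and voice methods need the server to deliver or approve the challenge. The following added example (not SecureAuth code) implements the RFC 4226 HOTP and RFC 6238 TOTP checks with the replay and clock-drift handling an offline verifier needs; the seed is the RFC test-vector secret, not a real enrollment.

```python
# Added example: local (offline) verification of OATH HOTP/TOTP passcodes.
# Seed is the RFC 4226/6238 test secret, constructed for illustration only.
import hmac
import hashlib
import struct

SEED = b"12345678901234567890"  # RFC test-vector secret (constructed)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the step."""
    return hotp(seed, at // step, digits)


def verify_totp_offline(seed: bytes, code: str, at: int,
                        step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbours to tolerate a
    clock that drifted while the Mac had no network time source."""
    return any(hmac.compare_digest(totp(seed, at + d * step, step), code)
               for d in range(-skew, skew + 1))


def verify_hotp_offline(seed: bytes, code: str, last_counter: int,
                        lookahead: int = 10):
    """Search the look-ahead window after the last accepted counter.
    Returns the new counter to persist, or None. Codes at or before
    last_counter are never accepted, which blocks replay of a used code."""
    for c in range(last_counter + 1, last_counter + 1 + lookahead):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None


if __name__ == "__main__":
    # Known RFC vectors: HOTP(0) = 755224, TOTP at t=59 = 287082.
    print(hotp(SEED, 0), totp(SEED, 59))
    print(verify_totp_offline(SEED, "287082", 59))      # True
    print(verify_hotp_offline(SEED, "755224", 0))       # None (replayed)
    print(verify_hotp_offline(SEED, "969429", 0))       # 3 (counter advanced)
```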

SecureAuth Authenticate Mobile App options

The methods in this section are delivered via push notification and require the use of the SecureAuth Authenticate App.

In the following screens, you can show or hide the passcode so that, as you type, you see characters instead of dots.

  • Under the passcode field, clear the Hide passcode checkbox to see the passcode.

    l4m_hide_pw.png
  • Set the Hide passcode checkbox to hide the passcode.

Enter timed passcode from app

This method and "Enter passcode from YubiKey" are displayed at first login, if available. If neither is available, all available methods are displayed.

When selecting this option, the Enter Passcode window appears.

  1. Enter the OATH OTP from your SecureAuth OTP App.

  2. Click Submit to log on the Mac.

    l4m_totp_2104.png

Receive passcode from notification

When selecting this option, the Enter Passcode window appears.

  1. Enter the passcode that was sent to the SecureAuth Authenticate App on your mobile device.

  2. Click Submit to log on the Mac.

    l4m_otp_notifs_2104.png

Approve login notification for fingerprint recognition

When selecting this option, the Waiting for Your Approval window appears.

  • Accept the login notification sent to the SecureAuth Authenticate App on your mobile device to log on the Mac.

    60575277.png

Approve login notification for face recognition

This option is available for iOS only. When selecting this option, the Waiting for Your Approval window appears.

  • Accept the login notification sent to the SecureAuth Authenticate App on your mobile device to log on the Mac.

    60575275.png

Approve login notification for Symbol-to-Accept

When selecting this option, the Waiting for Your Approval window appears.

  1. Receive the set of 4 symbols sent to the Authenticate mobile app on your mobile device.

  2. One symbol will display on your Mac desktop or laptop.

  3. On the Authenticate mobile app, tap the symbol that matches the one displayed on your desktop or laptop. You are then logged on the Mac.

    60575273.png

SMS / Text Message

Receive passcode

When selecting this option, the Enter Passcode window appears.

  1. Enter the passcode sent via SMS to your mobile phone.

  2. Click Submit to log on the Mac.

    l4m_sms_2104.png

Receive link

When selecting this option, the Waiting for Your Approval window appears.

  1. Tap the login link request sent via SMS to your mobile phone.

  2. The following page will close after the login request is verified.

    l4m_l2a_sms.png

Email

Receive passcode

When selecting this option, the Enter Passcode window appears.

  1. Enter the passcode sent to your email address.

  2. Click Submit to log on the Mac.

    60575269.png

Receive link

When selecting this option, the Waiting for Your Approval window appears.

  1. Tap the login link request sent to your email address.

  2. The following page will close after the login request is verified.

    l4m_l2a_email.png

Voice Call

Receive passcode

When selecting this option, the Enter Passcode window appears.

  1. Enter the passcode received from the phone call.

  2. Click Submit to log on the Mac.

    l4m_phone_call_2104.png

Additional methods

Contact the help desk

When selecting this option, the Enter Passcode window appears. (The phone number in the image below is an example only.)

  1. If more than one phone number displays for the help desk, select the phone number to use for contacting the help desk.

  2. Input the passcode supplied by the help desk.

  3. Click Submit to log on the Mac.

    l4m_helpdesk_2104.png

Enter passcode from token

This method and "Enter timed passcode from app" are displayed at first login, if available. If neither is available, all available methods are displayed.

When selecting this option, the Enter Passcode window appears.

  1. With the YubiKey HOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

  2. Click Submit to log on the Mac.

    l4m_hotp_2104.png

Enter passcode from YubiKey (Yubico OTP protocol)

When selecting this option, the Enter Passcode window appears.

  1. With the YubiKey OTP device (Yubico OTP protocol) inserted in the machine, tap or press the device to populate the passcode in the field.

  2. Click Submit to log on the Mac.

    l4m_yubico_otp_2104.png

Enter passcode from YubiKey

When selecting this option, the Enter Passcode window appears.

  1. With the YubiKey OATH-TOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

  2. Click Submit to log on the Mac.

    l4m_yubico_totp_2104.png

Enter PIN

When selecting this option, the Enter Passcode window appears.

  1. Enter your predefined personal identification number (PIN).

  2. Click Submit to log on the Mac.

    l4m_pin_2104.png

Enter answers to Security Questions

When selecting this option, the Answer Security Questions window appears.

  1. Answer both questions with your predefined answers. You must answer both questions.

  2. Click Submit to log on the Mac.

    l4m_security_questions_2104.png

Troubleshooting

Use the topics in this section to help you problem-solve.

Admin needs to view log information

End users receive the following message that Login for Mac encountered an error and are guided to continue with their login. Admins are guided to check the system log or the login.log file for details.

69107975.png

The following steps describe how to gain more information from the logs.

View further information about the error.

  • For Login for Mac, view the login.log file, located in /Library/Application Support/com.secureauth.saap, or enter the following command to show the Login for Mac entries in the system log:

    log show --last [number] --predicate 'subsystem = "com.secureauth.saap"'

  • If running a PAM product, enter the following command:

    log show --last [number] --predicate 'subsystem = "com.secureauth.pam"'

where

--last [number][m|h|d] limits the captured events to a time period counted back from the present in minutes, hours, or days. If [m|h|d] is not specified, the number is interpreted as seconds.

Example 1: To limit the output in the log file to the last 5 minutes, use the following value: --last 5m

Example 2: To limit the output in the log file to the last 45 seconds, use the following value: --last 45