Login for Mac configuration guide
Updated August 2, 2022
Login for Mac adds multi-factor authentication to the login experience for the Mac desktop and remote server. This endpoint configuration is available in SecureAuth IdP 9.3 and the SecureAuth® Identity Platform release 19.07 or later.
This guide applies to Login for Mac versions 21.04 or later.
For a summary of release information, see Login for Mac release notes.
For compatibility information, see SecureAuth compatibility guide.
Disclaimers
- Duplicate usernames
The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Mac will not authenticate end users if their usernames are duplicated across multiple data stores.
- Pre-login assessment service
Customers who want to use the pre-login assessment service must create the questionnaire themselves. SecureAuth does not host this document; rather, SecureAuth enables customers to integrate their own questionnaire with the Identity Platform release 19.07 or later, and Login for Mac release 20.09.01 or later.
- samAccountName login support
Login for Mac supports the samAccountName login name format if using Microsoft Active Directory; in this use case, userPrincipalName (UPN) is not supported.
UPN is supported at login if running Login for Mac with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.
Process
The following is an outline of the process to set up Login for Mac in the Identity Platform.
Task A: Review prerequisites
Before you configure Login for Mac in the Identity Platform, review the prerequisites as an administrator and for your end users.
See the Prerequisites for Login for Mac.
Task B: Configure Identity Platform and Login for Endpoints
Set up the Login for Endpoints configuration in the Identity Platform. This sets up the communication between the Identity Platform and the endpoint for user authentication and access.
Task C: (Optional) Integrate pre-login assessment service
You can optionally add a pre-login questionnaire to determine user risk before allowing login access. For example, ask COVID-19 health questions to determine user risk and allow or block users from onsite access to a work computer.
Task D: (Optional) Set up private keys and PAM
If you use private keys with Pluggable Authentication Module (PAM), end users who access the remote server by using Secure Shell (SSH) are never prompted by PAM, so they can gain access without using a password and second factor.
To resolve this issue, complete the following:
Modify the /etc/ssh/sshd_config file by adding the following line:
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
If you want to allow end users to log in with their username and password only for a set number of days, set the Grace Period and see the First login with password only section in the End user login experience for Mac topic for usage.
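The AuthenticationMethods line above only closes the key-only bypass if it is the first active directive sshd reads and every alternative in it ends in keyboard-interactive:pam. The following script is an added example, not SecureAuth tooling, that audits a config file on that basis; the two sample configs it writes are constructed, and it ignores Match-block overrides.

```shell
#!/bin/sh
# Added example (not SecureAuth's code): audit sshd_config for the Task D fix.
# sshd takes the FIRST AuthenticationMethods directive it sees; each
# space-separated alternative is a comma-joined chain the client must complete.
# A chain without keyboard-interactive:pam lets a private key skip the PAM
# second factor, which is the bypass the page describes.

# check_auth_methods FILE -> 0 if every alternative includes keyboard-interactive:pam
check_auth_methods() {
  cfg=$1
  # first active directive outside any Match block (Match overrides are ignored here)
  line=$(awk 'tolower($1)=="match"{inmatch=1}
              !inmatch && tolower($1)=="authenticationmethods"{print; exit}' "$cfg")
  if [ -z "$line" ]; then
    echo "FAIL: no AuthenticationMethods directive; key-only login is accepted"
    return 1
  fi
  set -- $line; shift            # drop the keyword, one alternative per argument
  for alt in "$@"; do
    case ",$alt," in
      *,keyboard-interactive:pam,*) ;;
      *) echo "FAIL: alternative '$alt' never reaches PAM"; return 1 ;;
    esac
  done
  echo "OK: all alternatives require keyboard-interactive:pam"
  return 0
}

# write_sample NAME FILE: constructed sample configs, not taken from any real host
write_sample() {
  case $1 in
    fixed) printf '%s\n' 'UsePAM yes' \
             'AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam' ;;
    broken) printf '%s\n' 'UsePAM yes' \
              '#AuthenticationMethods publickey,keyboard-interactive:pam' \
              'AuthenticationMethods publickey password' ;;
  esac > "$2"
}

FIXED=$(mktemp); BROKEN=$(mktemp)
write_sample fixed "$FIXED"; write_sample broken "$BROKEN"
check_auth_methods "$FIXED" || true
check_auth_methods "$BROKEN" || echo "-> apply the AuthenticationMethods line from Task D"
```

Run it against /etc/ssh/sshd_config on the server after the edit; a FAIL means a commented-out or earlier directive is still letting public-key logins through without PAM.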
Task E: (Optional) Enable and use multi-factor authentication for Remote Access (SSH)
For this option, set the following.
On the Mac, go to Settings, select Sharing, and then enable Remote Login.
After making this setting, SSH into the machine with ssh username@hostname. For example: ssh jsmith@170.17.0.150
Enter your password, and you will be prompted for multi-factor authentication.
Task F: Install and upgrade Login for Mac
Download and install or upgrade Login for Mac to the target workstation.
See Install and upgrade Login for Mac. This topic also includes uninstallation information.