Login for Mac configuration guide

Updated April 18, 2022

Login for Mac adds multi-factor authentication to the login experience for the Mac desktop and remote server. This endpoint configuration is available in SecureAuth IdP 9.3 and the SecureAuth® Identity Platform release 19.07 or later.

This guide applies to Login for Mac versions 21.04 or later.

For a summary of release information, see Login for Mac release notes.

Disclaimers

Duplicate usernames

The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Mac will not authenticate end users if their usernames are duplicated across multiple data stores.

Pre-login assessment service

Customers who want to use the pre-login assessment service must create the questionnaire themselves. SecureAuth does not host this document; rather, SecureAuth enables customers to integrate their own questionnaire with the Identity Platform release 19.07 or later, and Login for Mac release 20.09.01 or later.

samAccountName login support

Login for Mac supports the samAccountName login name format if using Microsoft Active Directory; in this use case, userPrincipalName (UPN) is not supported.

UPN is supported at login if running Login for Mac with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.

Process

The following is an outline of the process for setting up Login for Mac in the Identity Platform.

Task A: Review prerequisites

Before you configure Login for Mac in the Identity Platform, review the prerequisites as an administrator and for your end users.

See the Prerequisites for Login for Mac.

Task B: Configure Identity Platform and Login for Endpoints

Set up the Login for Endpoints configuration in the Identity Platform. This sets up the communication between the Identity Platform and the endpoint for user authentication and access.

See Configure Identity Platform and Login for Endpoints.

Task C: (Optional) Integrate pre-login assessment service

You can optionally add a pre-login questionnaire to determine user risk before allowing login access. For example, ask COVID-19 health questions to determine user risk and allow or block users from onsite access to a work computer.

See Integrate pre-login assessment service.

Task D: (Optional) Set up private keys and PAM

If you use private keys with Pluggable Authentication Module (PAM), then when end users access the remote server over Secure Shell (SSH), the public key alone satisfies sshd and PAM is never invoked, so the user gains access without entering a password or a second factor.

To resolve this issue, complete the following:

Modify the /etc/ssh/sshd_config file by adding the following line:

AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
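The line above closes the bypass because sshd grants access only when every method in one of the space-separated alternatives succeeds, and both alternatives here include keyboard-interactive:pam, so a public key can no longer stand in for the PAM prompt. The following shell script is an added example and is not part of this guide or of SecureAuth's software: check_auth_methods() verifies that every alternative in the effective AuthenticationMethods directive of a given sshd_config contains keyboard-interactive:pam, and check_use_pam() verifies UsePAM yes, which keyboard-interactive:pam requires. The two sample configuration files it writes are constructed for the demonstration, and the function names and temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the SecureAuth guide): sanity-check an sshd_config
# for the MFA-enforcing AuthenticationMethods line recommended in Task D.

# Return 0 if every alternative in the first uncommented AuthenticationMethods
# directive contains keyboard-interactive:pam, 1 otherwise. sshd honours the
# first occurrence of a keyword, so the first line is the effective one.
check_auth_methods() {
    cfg="$1"
    line=$(grep -Ei '^[[:space:]]*AuthenticationMethods[[:space:]]' "$cfg" | head -n 1)
    [ -n "$line" ] || return 1
    # Strip the keyword; each remaining word is one alternative, itself a
    # comma-separated list of methods that must all succeed.
    alts=$(printf '%s\n' "$line" | awk '{ $1 = ""; print }')
    for alt in $alts; do
        case ",$alt," in
            *,keyboard-interactive:pam,*) ;;   # this alternative prompts via PAM
            *) return 1 ;;                     # e.g. bare "publickey": no MFA prompt
        esac
    done
    return 0
}

# Return 0 if the effective UsePAM value is "yes" (first occurrence wins);
# keyboard-interactive:pam is only available when PAM is enabled.
check_use_pam() {
    val=$(grep -Ei '^[[:space:]]*UsePAM[[:space:]]' "$1" | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "yes" ]
}

# Write two constructed sample files into the directory $1: the guide's line,
# and a weak variant in which a public key alone bypasses the PAM prompt.
write_samples() {
    cat > "$1/sshd_config.good" <<'EOF'
# constructed sample: the line from the guide
Port 22
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
UsePAM yes
EOF
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: "publickey" stands alone, so PAM is never consulted
AuthenticationMethods publickey keyboard-interactive:pam
UsePAM yes
EOF
}

# Usage: check the file given as $1, or run against the constructed samples.
if [ -n "$1" ]; then
    targets="$1"
else
    tmpdir=$(mktemp -d)
    write_samples "$tmpdir"
    targets="$tmpdir/sshd_config.good $tmpdir/sshd_config.weak"
fi
for f in $targets; do
    if check_auth_methods "$f" && check_use_pam "$f"; then
        echo "OK   $f: every AuthenticationMethods alternative requires the PAM second factor"
    else
        echo "WEAK $f: SSH can succeed without the PAM second factor"
    fi
done
```

Run it against the live file with the path as the first argument (for example sh check_sshd_mfa.sh /etc/ssh/sshd_config, where the script name is an assumption). The check reads only the first uncommented occurrence of each keyword because that is the one sshd applies, and it does not reload sshd; the edited configuration takes effect only after sshd is restarted.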

If you want to allow end users to log in with their username and password only for a set number of days, set the Grace Period and see the First login with password only section in the End user login experience for Mac topic for usage.

Task E: (Optional) Enable and use multi-factor authentication for Remote Access (SSH)

For this option, set the following.

  1. On the Mac, go to Settings, select Sharing, and then enable Remote Login.

  2. After making this setting, SSH into the machine via ssh username@hostname. For example, ssh jsmith@170.17.0.150.

  3. Enter your password, and you will be prompted for multi-factor authentication.

Task F: Install and upgrade Login for Mac

Download and install or upgrade Login for Mac to the target workstation.

See Install and upgrade Login for Mac. This topic also includes uninstallation information.