Updated November 12, 2019

Login for Mac, available in SecureAuth IdP version 9.2 and later, adds SecureAuth’s multi-factor authentication to the Mac desktop and remote server login experience.

See the Release notes to learn about new features and enhancements, and resolved issues.

This product supports the following authentication methods:

  • Timed Passcode
  • Voice Call
  • Passcode sent via SMS / Text Message
  • Passcode sent via Email
  • One-time Passcode via Push Notification
  • Login Notification via Push Notification
  • YubiKey HOTP Device Passcode
  • YubiKey OATH-TOTP Device Passcode
  • YubiKey OTP Passcode 
  • Passcode from Help Desk
  • Knowledge-based Questions and Answers
  • Symbol-to-Accept
  • Fingerprint Recognition 
  • Face Recognition 

NOTE: Methods delivered via Push Notification require the use of the SecureAuth Authenticate App.

In addition to the supported multi-factor authentication methods, Login for Mac supports the following setups and features:

  • Offline mode login
  • Users in bypass group can skip multi-factor authentication
  • Bypass group lookup on a domain other than user's domain
  • Password expiration notification
  • Multiple login capability
  • Endpoint identified during login multi-factor authentication request
  • YubiKey HOTP and OATH-TOTP Device Passcodes and OTP Passcode (Yubico OTP protocol)
  • Security Questions (knowledge-based questions and answers)
  • Symbol-to-Accept
  • Fingerprint Recognition 
  • Face Recognition 
  • TOTP two-factor authentication
  • Installation API validation, to ensure successful login to Login for Mac
  • Adaptive Authentication

DISCLAIMERS:

  • Login for Mac supports the samAccountName login name format if using Microsoft Active Directory; in this use case, userPrincipalName (UPN) is not supported.

UPN is supported at login if running Login for Mac with a non-AD profile store containing OATHSeed/OATHToken/PNToken. In this use case, samAccountName is not supported, so the multi-factor authentication lookup will fail and the user will be unable to use other multi-factor authentication methods.



Prerequisites

Administrator: Setup requirements

1. Ensure SecureAuth IdP v9.2 or later is running and is using a SHA2 or later certificate bound to Microsoft Internet Information Services (IIS). For example, in the IIS Management Console's Default Web Site section, check the Site Bindings section to ensure the https/443 type and port settings have a valid and trusted SHA2 certificate selected, as shown in the following image:

2. Create a new realm or access an existing realm on which more than one authentication factor is required.

NOTE: Do not configure this realm for Single Sign-on.

3. Configure these SecureAuth IdP Web Admin tabs: Overview, Data, Workflow, Multi-Factor Methods, Post Authentication, and Logs.

4. Ensure target end user machines are running any of the following, minimum supported OS versions:

  • macOS 10.13: High Sierra (Lobo)
  • macOS 10.14: Mojave (Liberty)
  • macOS 10.15: Catalina

NOTE: See SecureAuth Compatibility Guide for OS and SecureAuth IdP version support information.

User account and Mac workstation requirements

  • The end user Active Directory profile must be accurately configured on the Mac so that the endpoint can retrieve the AD end user profile during the login process.
  • In an enterprise WiFi environment, before setting up Login for Mac on end user workstations, the system level policy must be configured to allow the Mac to connect to the enterprise WiFi. This setup lets Login for Mac obtain the OATH seed which is used to authenticate the end user.
  • If an end user is already using a YubiKey device for YubiKey multi-factor authentication on a SecureAuth IdP realm, the OATH seed and associated YubiKey device must be removed from the end user's account to prevent a conflict when the end user attempts to use a YubiKey device for HOTP authentication. (See the steps under "End user multi-factor authentication" in the YubiKey HOTP Device Provisioning and Multi-Factor Authentication Guide to remove the YubiKey device from the user account profile.)

NOTE: If an end user is disabled on Active Directory, the local account will not know the history of the AD account, and the user will not be able to log on the Mac.

End users can be locked out of their Mac workstations because of network setup issues, misconfigured Login for Mac install, or end user Mac configuration issues.

Prevent and troubleshoot end-user lockouts

  • Network setup issues

Matching Active Directory profiles required

Active Directory must include an account profile for each end user, and that profile must match the AD profile set up on the Mac in order for the Mac endpoint to retrieve the AD profile.

  • Login for Endpoints installer misconfigured

Edits made in config.json file

If you edit the configured config.json file, make sure the file is saved as UTF-8 and that no characters in another encoding are entered and saved in it. This can happen when text is copied from another source (such as a word processor) and pasted into the file, and it can lock an end user out of the Mac because the endpoint is misconfigured.

  • End user Mac configuration Issues

Misconfigured Active Directory profile on Mac

If the end user's new Mac has a misconfigured Active Directory account profile, the endpoint will not be able to retrieve the end user's AD profile to complete the login process.

Lockout with secure, automatic enterprise WiFi endpoint connection

If the endpoint is set to automatically connect to a secure, enterprise WiFi, and has not yet been configured to connect to a SecureAuth IdP realm, then the end user will be locked out of logging on the Mac.

In this scenario, the Mac may need to be reset by the administrative user who can bypass the login endpoint in order to reset the machine.

Lockout without OATH seed for YubiKey HOTP device or network connectivity

If a YubiKey HOTP device is used for logging on the Mac, but the machine does not have an OATH seed stored on it or network connectivity, then the endpoint must wait for an available network connection.

If the end user is attempting to log on for the first time, and the Mac does not have WiFi configured or is not using a wired connection, then the end user will be locked out of logging on the Mac.

End user account and Mac workstation requirements

IMPORTANT: Before installing Login for Mac

Your local username and password on the Mac must be the same as your Active Directory username and password. If you are using a different local username than your Active Directory username, contact your IT department to synchronize the IDs.

If the IDs are synchronized, be sure you can log on the Mac before installing Login for Mac.

First-time usage requirements

Login for Mac requires end users to use one OATH-based method (i.e., TOTP, YubiKey), if at least one such method is available to end users. If no OATH-based method is available to end users, they can use any other available method, but offline login will not be available.

To meet this requirement, end users must use one of the following accounts provisioned with a SecureAuth IdP realm that enables their device to generate timed passcodes for multi-factor authentication: 

Thereafter, end users can use Login for Mac to log in when working online and offline.

Additionally, consider the following requirements for end users:

  • If using face recognition, available for iOS mobile phones only, end users must complete the following:
  • If using Fingerprint recognition, end users must complete the following:



SecureAuth IdP Web Admin configuration 

Use the following sections to set up Login for Mac with SecureAuth IdP version 9.2 or 9.3. 

If your team will set up and use Login for Mac with the cloud or hybrid model of SecureAuth Identity Platform version 19.07 or later, see SecureAuth Identity Platform configuration

Data tab

1. Create a realm and configure a data store on the Data tab.

2. In the Membership Connections Settings section, under Group Permissions, select True from the Advanced AD User Check dropdown. 

3. Select Bind from the Validate User Type dropdown.

4. In the Profile Fields section, enter adminDescription in an unused Aux ID field, Aux ID 3 in this example, and make the field Writable.

5. If using a single OATH seed for end user multi-factor authentication (see sample Post Authentication page image), then map Fields to OATH Seed and OATH Tokens Properties, as shown in the Profile Fields image below.

SecureAuth recommends setting OATH Tokens. If OATH Tokens is not set, users might receive a failure message when attempting to authenticate by using TOTP after their device wakes from sleep mode while online. The failure occurs because the second-factor request is sent at different times depending on whether the device is connected to or disconnected from the internet, which causes the timed passcodes to fall out of sync.

6. Click Save.

Optional: Adaptive Authentication tab

NOTE: Adaptive Authentication can be used to control the user login experience and to mitigate security risks.

The order of priority to handle user authentication login requests using Adaptive Authentication is as follows:

A. Threat Service

B. IP whitelist / blacklist

C. Geo-location (redirect option not available)

D. Geo-velocity (redirect option not available)

E. User / Group (redirect option not available)

NOTE: See Group Bypass configuration notes in the Login for Mac Installer configuration section for information about using Adaptive Authentication with the group bypass feature.

Multi-Factor Methods tab

7. In the Multi-Factor Configuration section, configure the multi-factor authentication methods you want enabled.

8. Click Save.

Optional: Security Questions setup

Set up Security Questions so users can authenticate by answering knowledge-based questions (KBQ). Security Questions gives users the option to log into devices without requiring a phone or token.

Follow steps in the Knowledge-based Authentication (KBA / KBQ) as 2-Factor Authentication Method Configuration Guide to set up knowledge-based questions for end users.

System Info tab

9. Open the web.config file, located at D:\SecureAuth\SecureAuth1 on the appliance, and decrypt the web.config file.

10. Add the following line under <appSettings>:

    <add key="OTPFieldMapping" value="AuxID#" />

NOTE: In this example, AuxID3 is used because this Property was selected and configured on the Data tab in step 4.

11. Save the changes before exiting from the file.

API tab

12. In the API Key section, click Generate Credentials.

The API ID and API Key are required and used in the config.json file for all scenarios of using this product.

13. In the API Permissions section, select Enable Authentication API.

NOTE: It is not recommended to enable Identity Management options since the password reset function uses an IdP realm or third party password reset URL—not the Identity Management API.

14. Click Save once the configuration is complete.

15. Select Enable Login for Endpoints API, and then click Configure Login for Endpoints Installer.



SecureAuth Identity Platform configuration 

Use the following sections to set up Login for Mac with the cloud and hybrid model of SecureAuth Identity Platform version 19.07 or later.

If your team will set up and use Login for Mac with SecureAuth IdP version 9.2 or 9.3, see SecureAuth IdP Web Admin configuration.

You will configure the Identity Platform and the Classic IdP Experience to use Login for Mac. If your team wants to use biometric identification (face (iOS only) or fingerprint recognition), you must complete the following setup. Only the Identity Platform v19.07 and later supports biometric identification. You will set up the authentication API in the Classic IdP Experience; this is necessary until feature parity is achieved with the Identity Platform.

Prerequisites

The following steps must be completed before you can set up MFA methods; some steps are specific to cloud and they are called out accordingly. Most active sites will have performed the first two steps already and can begin at "Set up a policy."

1. Cloud: Download and install the SecureAuth Connector on your Windows data store server to begin the Identity Platform deployment.

See Data Stores for a discussion and prerequisites. See Install the SecureAuth Connector for prerequisites and steps.

2. Add a data store.

See Add an Active Directory data store or Add a SQL Server data store for steps.

In Map Data Store Properties, enter adminDescription in an unused Aux ID field (Aux ID 3 for endpoints) and set the data format to plain text. Later in these steps, you will map this field to the OTP Validation Property, which is used for end user authentication.

Set up a policy

Policies in the Identity Platform allow you to define rules to authenticate and block your users to certain applications. See How policies are used in the Identity Platform to learn about policies.

If you have an existing policy or default policy that will meet your security needs, you can use that policy; otherwise, you can set up a new policy specifically for endpoints.

1. Set up a policy for Login for Mac. 

On the left side of the Identity Platform page, click Policies. Click Add New Policy and give the policy a name. Add a minimum of two authentication rules.

2. Select the MFA methods that you want to enable for the new Login for Mac policy that you created in the previous step. The MFA methods will be available to your end users as their end user login workflow experience.

Open the policy you created in the previous step and select the Multi-Factor Methods tab. Define the login workflow and multi-factor methods settings for the policy and save the choices. The following image shows the available MFA methods available in Login for Mac. 

3. Optional: Set up rules to prompt or skip MFA when end users authenticate by comparing rules like their country, group access, and more.

On the policy page, select the Authentication Rules tab. See Adaptive authentication rules settings in a policy to learn more about setting rules.

If you make changes, be sure to save the changes.

4. Optional: Set up rules to evaluate behaviors that will cause an end user to be blocked from authenticating, such as IP range, group access, and more.

On the policy page, select the Blocking Rules tab. See Blocking rules settings in a policy to learn more about rules.

If you make changes, be sure to save the changes.

5. Save the policy.

Add an application

Use the Application Manager tool to select an application template from over 500 applications in the library, then use the common components to customize each new application integration. See Application Manager overview to learn more.

1. Add a Security Assertion Markup Language (SAML) application. Later, you will edit the SAML application in the Classic IdP Experience to work with Login for Mac.

On the left side of the Identity Platform page, click Application Manager and then click Add an Application. On the list of applications, select SAML Application.

2. On the Application Details screen, set up the application to be used by endpoints products, such as Login for Mac or Login .

a. Provide a name for the application.

b. Provide a description for the application.

c. Select the name of the policy you created previously.

d. Select the data store for this application.

e. Select the user groups that can access this application. Hint: Admins typically select Allow every group in your selected data stores to access this application. Additionally, you can add specific user groups only; for example, to let a test group use it for a short time period before adding more or all groups.

f. Click Continue.

3. On the Connections Settings screen, under IdP Signing Certificate, click Select Certificate. Select an IdP signing certificate. (You do not need to set up anything else on the page. You are setting up a realm to add endpoints options in the Classic IdP Experience.)

The IdP-initiated signing certificate integrates the SAML application with IdP so that the login process starts at the Identity Platform. 

After end users successfully authenticate, they are asserted back to the Login for Mac application.

4. Add the application.

On the Connections Settings screen, at the bottom, click Add Application. You will receive a success message when the application is added.

5. Check the Information for Service Providers screen to ensure the information is correct, and then click Continue to Summary.

6. Check the summary information. If you need to edit, click the pencil icon to the right of the field to be edited. Be sure to click Update Settings in each screen that you change.

API

Set up the authentication API in the Classic IdP Experience.

1. Open the Classic IdP Experience.

On the Identity Platform page, click the Admin pull-down menu and select Go to Classic Experience.

2. Search for the endpoints application you created previously.

3. Select the application you created previously.

4. Generate API credentials.

In the Admin Overview page, click the API tab on the top menu bar.

The Application ID and Application Key are required and used in the config.json file for all scenarios using Login for Mac. The Identity Platform contains an endpoints API; the config.json file calls the Identity Platform endpoints API.

On the top section, API Key, click Generate Credentials.

5. Set up the authentication API for Login for Mac. In the API Permissions section, complete the following:

a. Select Enable Authentication API.

b. Add Aux ID 3 to the OTP Validation Property to map it to the setting you completed in Map Data Store Properties.

c. Select Enable Login for Endpoints API, and then click Configure Login for Endpoints Installer.

6. Click Save, located on the left side of the page, at the bottom.



Login for Mac Installer Configuration 

1. On the Login for Endpoints Installer Configuration page, select Mac OS as the Endpoint Operating System.

2. Enter the IdP Hostname.

3. Under Multi-Factor Authentication Settings, specify whether or not the user must use multi-factor authentication to access the Mac from a desktop and / or via remote access from another Mac device.

If any user group is allowed to bypass multi-factor authentication, enable the bypass option and list the user group(s).

NOTE: A user group on another domain can be bypassed via the Mac authentication plugin and Pluggable Authentication Modules installed on the end user's workstation. In this scenario, the Open Directory API can be used by specifying the user group and domain.

4. If any user group is allowed to bypass multi-factor authentication, enable the bypass option and list the user groups.

a. Select Users are a member of the following groups. Add the user groups in the fill-in field.

b. Alternatively, you can add groups manually by adding the "group_bypass" key to the config.json file, described in Optional: Add groups that can bypass MFA

Group Bypass configuration notes:

  • If using Adaptive Authentication AND the group bypass feature, Adaptive Authentication takes precedence for handling the user's login request and group bypass is checked next.
  • Login for Mac supports the group bypass feature when users are online and offline. An internal group cache performs validations when AD is unreachable.
  • Users who need to log in without being prompted for additional MFA must belong to a local or domain group that is set up in the bypass option. Add local users only to the local group.
  • Only groups in the same domain as the computer can be bypassed.
  • The group specified must be a top-level group; nested groups are not supported.

If using a proxy bypass, you must configure the proxy server and proxy bypass list, which is a list of hosts to use to bypass the proxy.

Proxy Server and Proxy Bypass List configuration notes:

The following order is used:

A. "proxy_server" and "proxy_bypass" configuration from the config.json file. These settings are derived from entries made in the Web Admin Login for Endpoints Installer Configuration section. A "proxy_server" can be configured on the Mac OS, but if present as a root parameter in the config.json file, it takes precedence over the OS setting. The format to configure the proxy is: "http://[user[:password]@]host[:port]"

Parameters surrounded by [ ] are optional. Neither "user" nor "password" is supported by the HTTP client on Login for Mac version 1.0.3 and earlier, or on 19.10 or later when the legacy HTTP client is selected by setting "legacy_http_communication": true in the config.json file.

B. The "proxy_bypass" is a semicolon-separated list of server names or IP addresses to be excluded from proxy usage, for example: ".acme.sec;.lore.sec;.acme-ppi.com;10.*.*.*;192.168.*.*"

Each item in the list must be one of the following:

* Fully-qualified domain name (FQDN)

* Full IP address

* Partial IP address in one of the following forms: Class A example = 10.*, Class B example = *.16.*, or Class C example = *.168.*

* Sub-domain name of a parent domain, in the form *.parent.domain.name. For example, *.google.com bypasses the proxy for direct communication with mail.google.com but does not bypass it for google.com itself.

C. Mac proxy configuration. See the Enter proxy server settings on Mac article on the Apple website.
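The entry forms listed under A and B are easy to get wrong by hand, so here is an added Python example (not SecureAuth code, and not how Login for Mac itself parses these values) that parses a constructed "proxy_server" value and a constructed "proxy_bypass" list and decides, per host, whether the proxy is bypassed. It implements the four entry kinds above and goes beyond the text in two places that are assumptions: a leading-dot entry such as ".acme.sec" is treated as matching the domain and all of its subdomains, and a "*" inside an IP entry is allowed to stand for one or more octets.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample values in the shape the installer writes to config.json
# (placeholders, not a real deployment).
SAMPLE_PROXY_SERVER = "http://svc-proxy:s3cret@proxy.acme.sec:3128"
SAMPLE_PROXY_BYPASS = (
    ".acme.sec;.lore.sec;.acme-ppi.com;10.*.*.*;192.168.*.*;"
    "*.google.com;mail.example.com;203.0.113.7"
)

# An entry made only of digits, dots and * is treated as a full or partial IP address.
_IP_ENTRY = re.compile(r"^[0-9*]+(\.[0-9*]+)*$")


def parse_proxy_server(url):
    """Split a proxy_server value of the form http://[user[:password]@]host[:port]."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("proxy_server must look like http://[user[:password]@]host[:port]")
    return {
        "host": parts.hostname,
        "port": parts.port or 80,
        # user/password are ignored by the legacy HTTP client (1.0.3 and earlier, or
        # legacy_http_communication true), so callers should review this flag.
        "has_credentials": parts.username is not None,
    }


def parse_bypass_list(value):
    """Split the semicolon-separated proxy_bypass value into normalised entries."""
    return [entry.strip().lower() for entry in value.split(";") if entry.strip()]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _entry_matches(entry, host):
    host_is_ip = _is_ip(host)
    if _IP_ENTRY.match(entry):
        if not host_is_ip:
            return False
        if "*" not in entry:
            return entry == host                      # full IP address, exact match
        # Partial address: each * stands for one or more octets (10.*, *.16.*, 192.168.*.*).
        pattern = "^" + re.escape(entry).replace(r"\*", r"[0-9.]+") + "$"
        return re.match(pattern, host) is not None
    if host_is_ip:
        return False                                  # name entries never match raw IPs
    if entry.startswith("*."):
        return host.endswith(entry[1:])               # subdomains only, not the parent
    if entry.startswith("."):
        # Assumption: a leading dot covers the domain itself and all of its subdomains.
        return host == entry[1:] or host.endswith(entry)
    return host == entry                              # FQDN, exact match


def bypasses_proxy(host, bypass_list):
    """True when some proxy_bypass entry matches host, so the proxy is not used."""
    host = host.strip().lower()
    return any(_entry_matches(entry, host) for entry in bypass_list)


if __name__ == "__main__":
    entries = parse_bypass_list(SAMPLE_PROXY_BYPASS)
    print(parse_proxy_server(SAMPLE_PROXY_SERVER))
    for name in ("idp.acme.sec", "10.8.0.1", "100.8.0.1", "mail.google.com", "google.com"):
        print(f"{name:18} bypass={bypasses_proxy(name, entries)}")
```

The "has_credentials" flag exists so that a configuration review can spot a proxy URL carrying a user name and password, which the legacy HTTP client described above silently ignores; a proxy that then rejects the unauthenticated connection leaves the endpoint unable to reach the IdP.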

5. Click Download Installer Config to download the JSON file (config.json) that will be used with the PKG file, as described in the Installation section of this guide.

NOTE: Before installation, the config.json file must be edited if the end user is not always required to use multi-factor authentication for logging on a local console or remote console. See Set end user access level for access level settings and configuration. 

Also in this optional section, find information about enabling multi-factor authentication when using SSH for remote login access to a Mac.


Pre-installation steps 

Use the following settings to customize the Login for Mac experience. 

Private keys and PAM

If you use private keys with Pluggable Authentication Modules (PAM), when end users attempt to access the remote server by using Secure Shell (SSH), the PAM stack is not invoked and the user can gain access without using a password and second factor. To resolve this issue, complete the following:

Modify the /etc/ssh/sshd_config file by adding the following line:

AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam

Verify "allow_self_signed" setting

Setting "allow_self_signed" to true should be used only in test or lab environments where the server has a self-signed certificate.

  • When set to false, only valid certificates are accepted.
  • When set to true, all certificate validations will be turned off. The HTTP client then will accept valid certificates, self-signed certificates, expired certificates, certificates with an invalid root, certificates without matching common names, etc. to establish communication.

Do not set this key to true in a production environment. In production, the key introduces critical security risks, namely the potential "Man in the middle" attack which grants users access to a system without validating their credentials, and lets unauthorized users steal OATH seeds. If the key is set to true in production, the following warning message is displayed: Warning! 'allow_self_signed' is enabled.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document, and verify the setting for "allow_self_signed". You may need to change this setting based on how users will log on your environment.

Note that after installing an endpoint with "allow_self_signed" set to true, this setting remains effective until Login for Mac is uninstalled and then re-installed using a configuration file with "allow_self_signed" set to false.

Verify "version" setting

If you have set up an IdP realm to use HOTP or TOTP, set "version" to v2 in the config.json file. This keeps end users from receiving an error message that they must "change password at next login" or that their expired password fails without allowing them to change the expired password. You must also complete the settings in the Data tab.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document and edit it. Find the "version" key and set it to v2, as follows:

"version": "v2",

Login for Mac configuration options

Download the following PDF document, which contains a table of all configuration options for Login for Mac.  Be sure to check the configuration version listed under "conf_version," to ensure that the optional settings you want to use are supported. Login for Mac supports three configuration versions; the conf_version value (either 1, 2, or 3) defines the config.json file.

The options supported are listed in the following table. 

Optional: Set end user access level

Login for Mac by default requires the end user to use multi-factor authentication to access the local console and a remote console in an SSH session.

Before installing Login for Mac on the end user's (target) machine, the config.json file must be edited if you want to change the end user's login access level setting.

Change the user's access level

1. Find the config.json file that you downloaded in step 5 of the Web Admin Configuration section of this document, and copy that file to the Temp folder on the target machine.

2. Start a text editor such as Sublime Text and edit the access_level in the file, changing the value to a pertinent value:

  • 0 = Multi-factor authentication always required
  • 1 = Multi-factor authentication required for local access only
  • 2 = Multi-factor authentication required for remote access only
  • 3 = Multi-factor authentication never required. This setting is used by Adaptive Authentication to block a login event.

3. Save the configuration.

Optional: Enable failover to one or more backup SecureAuth IdP instances

Compatible with: conf_version 2 and later

You can set Login for Mac to fail over automatically to one or more alternate IdP instances if the main IdP instance fails. You can specify up to five backup instances and set the order in which they are used.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document and edit it.

1. Specify the IdP instance to fail over to by replacing the "api_id", "api_secret", and "host" keys with a new "apis" array.

2. In the config.json file, replace the "api_id" and "api_secret" keys and set the host to specify a single backup IdP instance or multiple backup IdP instances.

To specify a single backup IdP instance, edit the file as follows:

    "apis":[ 
       { "id":"", "secret":"", "host":"https://localhost/secureauth#" }
    ],

Where secureauth# is your single backup IdP instance.

To specify multiple backup IdP instances, edit the file as follows: 

    "apis":[ 
       { "id": "", "secret":"", "host":"https://localhost/secureauth2" },
       { "id": "", "secret":"", "host":"https://localhost/secureauth3" }
    ], 

The backup IdP instance is chosen in the order listed in the array. An IdP instance must be online or it is ignored and the next instance is used. In the above example, "secureauth2" will be chosen first, then "secureauth3". 

Optional: Add groups that can bypass MFA

Compatible with: conf_version 1 and later

Users who need to log in as local admins without being prompted for additional MFA must belong to a local or domain group that is set up in the config.json file, in the "group_bypass" key. Add local users only to the local group. Group names are case sensitive and must match Active Directory exactly.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document and edit it. Add the "group_bypass" key and set it as follows:

"group_bypass" can include the following:

  • group name : For groups of the domain on which the machine is joined; for example, "BypassGroup"
    Note that group names must match Active Directory exactly.
  • domain\\groupname: For groups that are part of a specific domain; for example, "customerDomain\\BypassGroup"
    The only domain allowed on the group bypass property is the domain where the machine hosting Login for Mac is installed.
  • .\\groupname: For local machine groups; for example, ".\\Administrators"

You can also set up bypass groups in the SecureAuth IdP API page, in the Multi-Factor Authentication Settings section, described in step 4b.

Optional: Enable and use multi-factor authentication for Remote Access (SSH)

1. On the Mac, go to Settings, select Sharing, and then enable Remote Login.

2. After making this setting, SSH into the machine via ssh username@hostname – example: ssh jsmith@170.17.0.150

3. Enter your password, and you will be prompted for multi-factor authentication.

Optional: Disable Adaptive login

Compatible with: conf_version 2 and later

The adaptive_enabled key is set to true by default so that administrators can install and modify Login for Mac. Set this key to false to ensure that an admin or other user is never restricted. This key acts similarly to the Adaptive Authentication settings in SecureAuth IdP, where you can restrict admins and users from logging in in several ways, for example, by username, group, IP address, and so on.

  • If the option is not set or removed, the default behavior is the same as if it were set to true.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document and edit it. Add the "adaptive_enabled" key and set it to false or reset it to true, as follows:

"adaptive_enabled": false
"adaptive_enabled": true

Optional: Disable OATH seed cache

Compatible with: conf_version 2 and later

SecureAuth uses OATH seeds to validate OTPs when end users log in. Most use cases require SecureAuth to store OATH seeds; if seeds are not stored, end users will not be able to log in while offline. In a scenario where, for example, a server is always online, you might not want to cache the OATH seed, to prevent the seed from leaking or being stolen.

Use the store_seeds key in the config.json file to disable the OATH seed cache, and Login for Mac will not store OATH seeds. The first-time login experience is disabled in this scenario because it is used to store OATH seeds, which are not required for this option.

  • The option is true by default.
  • If the option is removed, the default behavior is the same as if it were set to true.

Find the config.json file you downloaded in step 5 of the Web Admin Configuration section of this document and edit it. Add the "store_seeds" key and leave it true or set it to false, as follows:

"store_seeds": true 
"store_seeds": false

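The optional settings described above (allow_self_signed, version, access_level, the apis failover array, group_bypass, adaptive_enabled and store_seeds), together with the UTF-8 caution from the Prerequisites section, can all be checked before the config.json file is copied to an endpoint, which is cheaper than recovering a locked-out Mac. The following Python is an added example, not SecureAuth code: it validates a constructed config.json against the rules this guide states and produces a production-safe copy. The array form of group_bypass, the machine_domain argument, the finding severities and every value in the sample are assumptions made for this example.

```python
import json

# Constructed sample config.json in the shape of the installer download. The keys are
# the ones this guide names; the values are placeholders, not a real deployment. The
# array form of group_bypass is an assumption for this example.
SAMPLE_CONFIG = r'''
{
  "conf_version": 2,
  "version": "v1",
  "host": "https://idp.example.com/secureauth1",
  "api_id": "PLACEHOLDER_API_ID",
  "api_secret": "PLACEHOLDER_API_SECRET",
  "allow_self_signed": true,
  "access_level": 0,
  "store_seeds": false,
  "group_bypass": ["BypassGroup", "otherDomain\\BypassGroup", ".\\Administrators"],
  "apis": [
    { "id": "", "secret": "", "host": "https://localhost/secureauth2" },
    { "id": "", "secret": "", "host": "https://localhost/secureauth3" }
  ]
}
'''

ACCESS_LEVELS = {
    0: "multi-factor authentication always required",
    1: "multi-factor authentication required for local access only",
    2: "multi-factor authentication required for remote access only",
    3: "multi-factor authentication never required",
}


def classify_bypass_group(entry, machine_domain):
    """Return (kind, problem) for one group_bypass entry; problem is None when it is valid."""
    if entry.startswith(".\\"):
        return "local", None                          # .\groupname
    if "\\" in entry:
        domain, _, group = entry.partition("\\")      # domain\groupname
        if not domain or not group:
            return "domain", "malformed domain\\groupname entry"
        if domain.lower() != machine_domain.lower():
            return "domain", f"domain {domain!r} is not the machine's domain {machine_domain!r}"
        return "domain", None
    return "plain", None                              # group on the machine's own domain


def validate_config(raw, machine_domain):
    """Check a config.json text against the rules in this guide; returns (severity, message) pairs."""
    findings = []
    if not raw.isascii():
        bad = sorted({c for c in raw if not c.isascii()})
        findings.append(("error", f"non-ASCII characters present (pasted text?): {bad}"))
    cfg = json.loads(raw)
    conf_version = cfg.get("conf_version")
    if conf_version not in (1, 2, 3):
        findings.append(("error", f"conf_version must be 1, 2 or 3, got {conf_version!r}"))
    if cfg.get("allow_self_signed") is True:
        findings.append(("critical", "allow_self_signed is true: certificate validation is disabled"))
    if cfg.get("version") != "v2":
        findings.append(("warning", "version is not v2; required when the realm uses HOTP or TOTP"))
    level = cfg.get("access_level", 0)
    if level not in ACCESS_LEVELS:
        findings.append(("error", f"access_level must be 0-3, got {level!r}"))
    elif level == 3:
        findings.append(("warning", f"access_level 3: {ACCESS_LEVELS[3]}"))
    apis = cfg.get("apis")
    if apis is not None:
        if conf_version == 1:
            findings.append(("error", "apis failover array requires conf_version 2 or later"))
        if len(apis) > 5:
            findings.append(("error", f"apis lists {len(apis)} backups; at most five are supported"))
        for i, entry in enumerate(apis):
            if not {"id", "secret", "host"} <= set(entry):
                findings.append(("error", f"apis[{i}] is missing id, secret or host"))
            elif not entry["host"].startswith("https://"):
                findings.append(("error", f"apis[{i}].host must use https"))
        if any(k in cfg for k in ("api_id", "api_secret", "host")):
            findings.append(("warning", "apis is set but root api_id/api_secret/host remain; the array replaces them"))
    for entry in cfg.get("group_bypass", []):
        _, problem = classify_bypass_group(entry, machine_domain)
        if problem:
            findings.append(("error", f"group_bypass {entry!r}: {problem}"))
    # Both keys default to true when absent; false is legitimate but worth surfacing.
    if cfg.get("adaptive_enabled", True) is False:
        findings.append(("info", "adaptive_enabled is false: adaptive restrictions are not applied"))
    if cfg.get("store_seeds", True) is False:
        findings.append(("info", "store_seeds is false: OATH seeds are not cached, so offline login is unavailable"))
    return findings


def hardened_copy(raw):
    """Return the parsed config with the production values this guide calls for."""
    cfg = json.loads(raw)
    cfg["allow_self_signed"] = False
    cfg["version"] = "v2"
    if "apis" in cfg:                                 # the array replaces the root keys
        for key in ("api_id", "api_secret", "host"):
            cfg.pop(key, None)
    return cfg


if __name__ == "__main__":
    for severity, message in validate_config(SAMPLE_CONFIG, "acmeDomain"):
        print(f"[{severity}] {message}")
    print(json.dumps(hardened_copy(SAMPLE_CONFIG), indent=2))
```

Run it against the file downloaded in step 5 before it is copied to the target machine; a "critical" finding (allow_self_signed true) or an "error" finding should stop the rollout, since the guide notes that an endpoint installed with allow_self_signed true keeps that setting until Login for Mac is uninstalled and re-installed.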


Installation and upgrade steps

Do not install Login for Mac version 1.0 on any MacOS Sierra machine (10.12.x) in a domain-joined system on which FileVault encryption is used on the boot volume. Doing so might render the operating system unbootable and require recovery. 

Upgrade Login for Mac

Login for Mac supports upgrading from version 1.0.3 to 19.10 without uninstalling before installing the latest version.

Copy the JSON file to a specified folder

1. Find the config.json file that you downloaded in step 5 of the Web Admin Configuration section of this document.

NOTE: You may have already performed this step if you changed the user's access level in the Set end user access level section above.

2. Copy that file to a specified folder on the target machine.

Download the Login for Mac ZIP file to the specified folder

1. Download the Login for Mac .zip file to the target machine.

2. Unzip this file, which contains the SecureAuthLogin-1.x.pkg and SecureAuthLogin-1.x-Uninstaller.pkg files.

3. Copy these files to the same folder as the config.json file on the target machine.

Run the Login for Mac installer package

1. Double-click SecureAuthLogin-1.x.pkg to start the installation wizard for the application.

2. Log out of the target machine.

NOTE: After this installation, SecureAuth Login for Mac appears on the next login session.

Uninstallation

On the target machine, run the Login for Mac uninstaller package:

  • Double-click SecureAuthLogin-1.x-Uninstaller.pkg to start the uninstall wizard for the application, and then follow the instructions on screen.



End user login experience

IMPORTANT

  • The enterprise WiFi connection must be disabled on the Mac to log on to the domain. A public WiFi connection or a wired connection can be used for Internet access.
  • If you are included in a bypass group, you will need to wait for the network group to be fully connected before logging on.

First-time login experience

1. Enter your domain username and password on the Mac login screen.

The first time end users log in, Login for Mac shows only OATH-based methods (for example, TOTP, HOTP YubiKey), if at least one such method is available to them. If no OATH-based method is available to end users, they can use any other available method. This could be a method that uses the SecureAuth Authenticate App on your mobile device, or another device provisioned with the SecureAuth IdP realm to supply timed passcodes, such as an HOTP YubiKey.

If end users need to log in when their machine is offline, they must choose an OATH-based method during the first login. After end users select a timed authentication option and enter their password, TOTP and HOTP passcode options will be available for them to use when logging on the machine offline.

The window pictured above appears only the first time you use Login for Mac.

End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on the machine offline, any OATH-based method that was used online will be available for use.

If you do not have an authentication method that provides an OATH-based method, then select any other option available to you.

Optionally, check the Remember my selection box if you want to use this same authentication method the next time you log on the Mac.

2. Enter the passcode that appears on the device, and then click Submit.

After successfully logging on the Mac using a timed passcode, timed passcodes from that device can be used for login access when offline, i.e., when the Mac is not connected to the Internet.

3. Log out of the Mac.

4. Log back on the Mac, and select an authentication option from the list of multi-factor authentication methods for which you have previously enrolled.

If your list of available authentication options is lengthy, you may need to scroll down the list if the option you want does not appear on the main page.

5. Optionally, check the Remember my selection box if you want to use this same authentication method the next time you log on the Mac.

6. Click Submit to access the Mac on the network.

No matter which option you choose, you can return to this selection window by clicking the link: I want to choose a different two-factor authentication method.

Authentication method workflows are described in the following sections.

SecureAuth Authenticate Mobile App options

The methods in this section are delivered via push notification and require the use of the SecureAuth Authenticate App.

Enter timed passcode from app

This method and "Enter passcode from YubiKey" are displayed at first login, if available. If not available, all available methods are displayed.

When selecting this option, the Enter Passcode window appears.

1. Enter the OATH OTP from your SecureAuth OTP App.

2. Click Submit to log on the Mac.

Receive passcode from notification

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode that was sent to the SecureAuth Authenticate App on your mobile device.

2. Click Submit to log on the Mac.

Approve login notification for fingerprint recognition

When selecting this option, the Waiting for Your Approval window appears.

1. Accept the login notification sent to the SecureAuth Authenticate App on your mobile device to log on the Mac.

Approve login notification for face recognition

This option is available for iOS only. When selecting this option, the Waiting for Your Approval window appears.

1. Accept the login notification sent to the SecureAuth Authenticate App on your mobile device to log on the Mac.

Approve login notification for Symbol-to-Accept

When selecting this option, the Waiting for Your Approval window appears.

1. Receive the set of 4 symbols sent to the Authenticate mobile app on your mobile device.

2. One symbol will display on your Mac desktop or laptop.

3. On the Authenticate mobile app, tap the symbol that matches the one displayed on your desktop or laptop. You are then logged on the Mac.

SMS / Text Message

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode sent via SMS to your mobile phone.

2. Click Submit to log on the Mac.

Email

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode sent to your email address.

2. Click Submit to log on the Mac.

Voice Call

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode received from the phone call.

2. Click Submit to log on the Mac.

Additional methods

Contact the help desk

When selecting this option, the Enter Passcode window appears. (The phone number in the image below is an example only.)

1. If more than one phone number displays for the help desk, select the phone number to use for contacting the help desk.

2. Input the passcode supplied by the help desk.

3. Click Submit to log on the Mac.

Enter passcode from token

This method and "Enter timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

When selecting this option, the Enter Passcode window appears.

1. With the YubiKey HOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

2. Click Submit to log on the Mac.

Enter passcode from YubiKey (Yubico OTP protocol)

When selecting this option, the Enter Passcode window appears.

1. With the YubiKey OTP device (Yubico OTP protocol) inserted in the machine, tap or press the device to populate the passcode in the field.

2. Click Submit to log on the Mac.

Enter passcode from YubiKey

When selecting this option, the Enter Passcode window appears.

1. With the YubiKey OATH-TOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

2. Click Submit to log on the Mac.

Enter answers to Security Questions

When selecting this option, the Answer Security Questions window appears.

1. Answer both questions with your predefined answers; both answers are required.

2. Click Submit to log on the Mac.



Release notes

New features and enhancements

Version: 19.10
Release Date: November 12, 2019
Compatibility: SecureAuth IdP v9.2.x and later, and the SecureAuth® Identity Platform v19.07 and later

Biometric fingerprint and face (iOS only) recognition through SecureAuth Authenticate mobile app and Symbol-to-Accept are compatible with SecureAuth Identity Platform v19.07 or later.

CP-487: Login for Mac supports the group bypass feature.
CP-489: Admins can set up Security Questions so users can authenticate by answering knowledge-based questions (KBQ).
CP-533: Login for Mac supports failover for up to five backup IdP instances.
CP-615: Login for Mac supports YubiKey HOTP version 5.0.
CP-643: A new "store_seeds" key in the config.json file is set to true by default; Login for Mac will store OATH seeds, which allows end users to log in when offline.
CP-658: End users can authenticate into Login for Mac with an enrolled fingerprint or face as a second factor by using the SecureAuth Authenticate mobile app.
CP-706: If upgrading Login for Mac to version 19.10, admins do not need to uninstall the current version before installing version 19.10.
CP-717: Login for Mac supports YubiKey in Yubico protocol One-time Passcode mode for end users.
CP-734: Login for Mac supports end users authenticating by using Symbol-to-Accept as a second factor. End users must use the Authenticate mobile app to receive symbols.

Resolved issues

CP-688: Updated http_client_certificates.cpp file uses OS certificates to validate Secure Sockets Layer (SSL) certificates.
CP-697: Login for Mac installation completes with the correct conf_version value.
CP-713: Log file is generated for Login for Mac.
CP-744: Login for Mac supports proxy authentication with a proxy username and password on the proxy_url.
CP-778: If you use private keys with PAM, when end users attempt to access the remote server by using Secure Shell (SSH), the PAM product is prompted correctly.
CP-788: When end users connect to Login for Mac, they can authenticate with any second-factor authentication method using Pluggable Authentication Module.

Version 1.0.3 - Release Date: September 17, 2018

New features

CP-230: Adaptive Authentication can now be used with Login for Mac.
CP-459: A warning message now appears to end users if the 'allow_self_signed' flag is enabled in config.json.
CP-460: Login for Mac supports the Privileged Access Management (PAM) product.

Enhancements

CP-358: The Two-Factor Authentication Method screen now informs a user that more options are available, if not all options currently appear on the screen.
CP-452: The Login for Mac first login experience now matches the first-time login experience for Login for Mac users.

Known issues

CP-288: Login for Mac performance degradation when loading the login screen in the offline mode on High Sierra.
CP-303: Login for Mac becomes unsynchronized with SecureAuth IdP and shows an empty screen after the Mac comes out of sleep mode.
CP-346: Bypass groups are only enforced when a system is online and can check group membership.
CP-386: SMS / Voice telephone numbers are not completely masked for registered multi-factor authentication methods.

Version 1.0.2 - Release Date: June 13, 2018

Resolved issues and enhancements

CP-309: Login for Mac .pkg files have been renamed for consistency with Login for Mac .msi file names.
CP-317: Login for Mac now validates the configuration file correctly.
CP-327: The initial multi-factor authentication method window now shows a selected option.
CP-359: The installation failure log (Command+L) now identifies a missing configuration file.
CP-379: Log details have been added to help troubleshoot common installation errors.
CP-398: The installer error message for a missing configuration file has been revised for clarification.
CP-390: Users are no longer locked out on Sierra 10.12.x machines with a FileVault encrypted drive.
CP-392: Device names receiving push requests now appear on Login for Mac waiting screens.

Known issues

CP-346: Bypass groups are only enforced when a system is online and can check group membership.
CP-386: SMS / Voice telephone numbers are not completely masked for registered multi-factor authentication methods.

Version 1.0.1 - Release Date: May 14, 2018

Known issues

  • Login failure for users with a space in sAMAccountName

The issue for users who are unable to log in if a space exists in their sAMAccountName property cannot be resolved because macOS does not support using spaces in login names.

  • Critical issue with FileVault on Sierra

Do not install Login for Mac 1.0 on MacOS 'Sierra' (10.12.x) in a domain-joined system that uses FileVault encryption on the boot volume; this may render the system unbootable and require recovery.

  • SMS and Voice numbers are not correctly masked

Users prompted for multi-factor authentication can view the full telephone number for a registered multi-factor authentication method.

  • Additional Authentication methods may be hidden

Since many MacOS configurations do not display a scrollbar, users who are prompted to select an authentication method may not know there are additional methods available to them if they do not see them on the screen currently displayed.

  • Multi-Factor Authentication only prompts users at login

Login for Mac does not currently support prompting users for additional factors when unlocking the screen of an already logged-in user.

  • Offline login may not complete

Users attempting to login offline for a second time using a TOTP code (after logging on and logging off) may have their machine after entering the code.

  • Login for Mac will install on unsupported MacOS versions

Login for Mac is only supported and tested on MacOS versions 10.12.x (Sierra) and 10.13.x (High Sierra), but currently the installer allows installation to proceed on versions 10.10.x and 10.11.x.


Version 1.0 - Release Date: February 1, 2018

The new Login for Mac product gives end users a secure login experience on a Mac workstation using a SecureAuth multi-factor authentication method. This product, with FIPS 140-2 compliant cryptographic libraries, is newly designed and engineered and replaces the Credential Provider application. After the initial setup and first-time usage, the end user subsequently logs on without a password by just using a two-factor authentication method.



Related documentation

YubiKey HOTP Device Provisioning and Multi-Factor Authentication Guide

SecureAuth Credential Provider Configuration Guide

Login for Mac configuration guide v1.0.3

Login for Windows v19.09 configuration guide