Solved

Okta Device Access - Passwordless

  • June 13, 2025
  • 4 replies
  • 105 views

KatMin

We currently use Okta SSO with Jamf Pro. FileVault is turned on for all our devices, which requires the initial local login. Then the next login is network credentials with SSO. Meaning, our users have to log in twice. This works well; however, we recently purchased Okta Device Access with the understanding that we could eliminate all logins for a passwordless user experience. I've been researching the ODA setup using Okta as a SCEP auth. I've read this would require all devices to be re-enrolled? Has anyone gotten this to work with Jamf Pro to be passwordless? I'd love to hear your experiences. Thanks!

4 replies

AJPinto
  • Legendary Contributor
  • June 13, 2025

Are you looking at Jamf Pro to be passwordless or macOS to be passwordless? I'm assuming you are intending macOS.

 

macOS 15 does support Smart Card Authentication, but a password still exists for the account. I don’t see why a device would need to be re-enrolled so long as it was originally enrolled with Automated Device Enrollment. macOS 26 has some newness with authentication, but that is still in early beta.

 


KatMin
  • Author
  • New Contributor
  • June 13, 2025

Yes, looking for passwordless on the Mac itself via Okta Device Access. Need to know if it's possible and, if so, the best way to configure it. I'm getting conflicting information. Some say passwordless on macOS is impossible, but Okta says it's possible. Need some direction, as I need to get a POC spun up soon. Thanks


AJPinto
  • Legendary Contributor
  • Answer
  • June 13, 2025

Yes, looking for passwordless on the Mac itself via Okta Device Access. Need to know if it's possible and, if so, the best way to configure it. I'm getting conflicting information. Some say passwordless on macOS is impossible, but Okta says it's possible. Need some direction, as I need to get a POC spun up soon. Thanks


macOS 15 doesn’t support true passwordless accounts. You can mimic passwordless behavior at the login window, but the account still has a password underneath; this is required for things like SecureToken and FileVault.

Your best bet is to reach out to Okta for step-by-step documentation. You’ll likely need to deploy something like Okta Verify and a set of configuration profiles to enable the integration. There will probably be a user-driven registration flow, which may feel like an enrollment but is handled entirely on the Okta side.


rqomsiya
  • Honored Contributor
  • June 14, 2025

These are some great talks about Platform SSO and how each IdP integrates its solution into macOS. But @AJPinto is correct. All Platform SSO solutions for macOS 13-15 require a PW to unlock FileVault. Similar to how an iPhone requires a passcode after restart.

https://www.youtube.com/watch?v=uAjyZyHHJXc&t=1512s

https://www.youtube.com/watch?v=mkro_6BzOiY&t=332s