Posted on 10-28-2020 07:19 AM
I am looking for a way to enable 2 Factor authentication on currently deployed Macs in my environment.
We are a Google OIDC shop and I have been playing with Jamf Connect.
A few issues I am trying to get around are bypassing the new account creation process (as people already have accounts full of customizations they are loathe to loose) and the quagmire of password synchronization.
Any thoughts, recommendations, etc... to activate 2 Factor on existing users with our without using Jamf Connect?
Side Note - I have tried Connect against a test Azure AD and Connect does what I need it to do, but I am being tasked to replicate the process against Google OIDC.
Posted on 11-01-2020 09:26 PM
I did a lot of exploration and research on this topic. Yubikeys were high on my list, but their Mac login software broke with some changes Apple made (and it hasn't been updated since). I tested out a solution called Saaspass. I do not recommend that. We were locked out of our machines and had to wipe them. Duo is probably the most mature and best supported option. I was unable to go with it for compliance reasons. On Macs, Duo would only run when you login to the computer. So if the computer goes to sleep, the MFA won't be triggered, the user would just have to enter their password (maybe that's okay for you). We also didn't like that there was no offline access. If you didn't have internet access, you couldn't get into the machine.
Posted on 11-02-2020 11:21 PM
Why don‘t you use the internal SmartCard Settings? We‘re running the macOS SmartCard-Option with Yubikeys as SmartCards (the Yubico-Software is only used to set the SmartCard-Secret (PIN)). Works quiet well for us.