Allow Ethernet adapters

erichughes
Contributor II

We recently implemented Okta Verify for our desktop MFA logins. It works well most of the time, but it does require an active network connection most of the time to function correctly. Our office Wi-Fi is RADIUS authenticated, so it won't connect at the Mac login window. We do have Ethernet at desks, but the USB-C network adapters don't always connect at the login window either. Once a user is logged in, the adapter gets authorized and will connect. So if there is no network connection, Okta Verify wants you to use an offline device access code to log into the machine, and if a user hasn't restarted or logged out in more than five days that factor is disabled, thus requiring an admin to log in, get the network adapter activated, and then log out and let the user log in again and get a push verification factor, and then they are in. Here is the question... How do I allow network adapters to activate at the login window, always? I understand that not allowing it without a user login is the secure thing, but sometimes it needs to happen. We have thought about adding another hardware-verified Wi-Fi that will auto-connect at the login window, but that seems a bit cumbersome. Thoughts, ideas, solutions appreciated.

3 REPLIES

AJPinto
Honored Contributor II

It's a function called USB Restricted Mode, and it can be managed with MDM.

Manage Mac computers

Accessory security (known as Restricted Mode) for macOS is designed to protect customers from close-access attacks with wired accessories. For Mac laptop computers with Apple silicon using macOS 13 or later, the default configuration is to ask the user to allow new accessories. The user has four options in System Settings for allowing accessories to connect:

  • Ask every time

  • Ask for new accessories

  • Automatically when unlocked

  • Always

If a user attaches an unknown accessory (Thunderbolt, USB or — in macOS 13.3 or later — SD Extended Capacity “SDXC” cards) to a locked Mac, they’re prompted to unlock the Mac. Approved accessories can be connected to a locked Mac for up to 3 days from when the Mac was last locked. Any accessory attached after 3 days prompts the user to “Unlock to use accessories”.

Bypassing user authorisation might be required for some environments. MDM solutions can control this behaviour by using the existing allowUSBRestrictedMode restriction to always allow accessories.

Note: These connections don’t apply to power adapters, non-Thunderbolt displays, approved hubs, paired smart cards, or to a Mac that’s in Setup Assistant or that was started from recoveryOS.



Manage accessory access to Apple devices - Apple Support (IN)


This configuration will disable USB Restricted Mode in the event you need to disable it due to using "non-approved accessories".


Preference Domain: com.apple.applicationaccess

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- false turns Restricted Mode off: accessories connect without a user approval prompt -->
    <key>allowUSBRestrictedMode</key>
    <false/>
  </dict>
</plist>
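As an added check that is not from the thread, from Apple or from Jamf: the script below reports whether the allowUSBRestrictedMode restriction has actually landed on a Mac and whether any Ethernet adapter currently has link and an address. It assumes the device-level restriction is written to /Library/Managed Preferences/com.apple.applicationaccess.plist (the usual location for managed restrictions) and that USB or Thunderbolt Ethernet adapters appear in networksetup -listallhardwareports with "LAN" or "Ethernet" in the port name; both sample inputs embedded in it are constructed. Run it as root from a Jamf policy after the profile deploys: it separates "the profile never applied" from "the profile applied but the adapter still is not up", which is the case the follow-up reply below describes.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the USB Restricted Mode
# restriction is in effect and report Ethernet adapter state.
# On a non-macOS host only the parsing functions run.

# Constructed sample of the managed preference the profile above produces.
# Assumption: the key is written once to the com.apple.applicationaccess domain.
SAMPLE_MANAGED_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>allowUSBRestrictedMode</key>
	<false/>
</dict>
</plist>'

# Constructed sample of `networksetup -listallhardwareports` output.
SAMPLE_HARDWARE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:00:00:00:01

Hardware Port: USB 10/100/1000 LAN
Device: en5
Ethernet Address: 00:00:00:00:00:02'

# usb_restricted_mode_state: reads plist XML on stdin and prints one of
#   always-allow   allowUSBRestrictedMode is false (accessories need no approval)
#   user-setting   key is true (the user's Accessories setting still applies)
#   unmanaged      key absent (MDM enforces nothing)
usb_restricted_mode_state() {
  awk '
    /<key>allowUSBRestrictedMode<\/key>/ { want = 1 }
    want && /<false\/>/ { print "always-allow"; found = 1; exit }
    want && /<true\/>/  { print "user-setting"; found = 1; exit }
    want && !/<key>allowUSBRestrictedMode<\/key>/ { want = 0 }
    END { if (!found) print "unmanaged" }
  '
}

# ethernet_devices: reads networksetup -listallhardwareports output on stdin
# and prints the BSD device (enN) of each port whose name contains LAN or Ethernet.
ethernet_devices() {
  awk '
    /^Hardware Port:/ { eth = ($0 ~ /LAN|Ethernet/) }
    /^Device:/ && eth { print $2 }
  '
}

# Live checks; only meaningful on macOS, run as root.
report_live_state() {
  plist='/Library/Managed Preferences/com.apple.applicationaccess.plist'
  if [ -r "$plist" ]; then
    printf 'USB Restricted Mode: %s\n' \
      "$(plutil -convert xml1 -o - "$plist" | usb_restricted_mode_state)"
  else
    printf 'USB Restricted Mode: unmanaged (no managed preference file)\n'
  fi
  networksetup -listallhardwareports | ethernet_devices | while read -r dev; do
    link=$(ifconfig "$dev" 2>/dev/null | awk '/status:/ { print $2 }')
    addr=$(ipconfig getifaddr "$dev" 2>/dev/null || printf 'none')
    printf 'Ethernet %s: link=%s address=%s\n' "$dev" "${link:-unknown}" "$addr"
  done
}

if [ "$(uname)" = Darwin ]; then
  report_live_state
fi
```

If the first line reports "unmanaged" while the profile shows as installed in Jamf, the payload is scoped or keyed wrong; if it reports "always-allow" and an Ethernet device still shows link=inactive or address=none at the login window, the accessory restriction is not what is blocking the adapter and the 802.1X side (user versus machine authentication) is the next thing to look at.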


We have this same problem and do have a configuration profile deployed as you have shown in your example. However, this doesn't seem to work for us, as we aren't able to get an Ethernet connection via USB-C dongles at the login screen until someone logs in (like a local admin).

sdagley
Esteemed Contributor II

@erichughes Do you have FileVault enabled? If not, and you can use machine authorization for 802.1X instead of user authorization, you could deploy a Configuration Profile at the Computer level with a Network payload set to Any Ethernet as the Network Interface so the Mac has an active network connection at the login window.