Multi Factor Authentication - Mac Login

New Contributor III

Hello all,

Would just like to open up a conversation, to see what people are doing around Multi Factor/2 Factor Authentication.

I've been tasked with securing all our Mac logins with 2FA. I've had mixed degree's of success, using both SecureAuth and Yubikeys.

We FileVault our Mac's, so use with any 2FA is difficult without disabling the automatic FV login, which in my opinion becomes a poor user experience.

We also want to be able to use the 2FA for unlocking the lock screen/waking up from sleep which doesn't work with SecureAuth and their SMS/Push Notification 2FA.

I have had success with Yubikeys having to be plugged in, so that a user can login, wake from sleep and unlock the Mac. These do seem difficult to deploy on a large scale. This is looking like our only alternative.

Was hoping to find a way to use both Touch ID on ours Mac's and the users password, this tho doesn't seem possible at the moment.

Our other option is conditional access on applications on the Mac's, ideally we would prefer to secure all Mac logins with 2FA.

Is anyone else doing anything around MFA and Mac's logins? I've seen Duo, which looks good, assuming tho that this would only work at login too and not with unlocking and waking the Mac from sleep.


Contributor II

I am curious to hear what others are doing in regards to this as well.

Valued Contributor II

This sounds like a great case for saml and jamf connect ;)

New Contributor III

I have started introducing NoMad Login (now Jamf connect woop!).. After a successful deploy of NoMad, would be great if I could integrated this with MFA and SSO!

Is anyone currently managing their Mac's in this way?

Valued Contributor II

For the Yubikey, how are you rolling out that set up? Is your Mac fleet on 10.13 or higher? Are your accounts local or AD bound?

New Contributor III

We have deployed Duo in our environment (10.11 - 10.13) and you are correct, it does not currently work without unlock, just login (and ssh if you configure it). We've been told unlock is being worked on, but have no ETA when it will be in our hands. I have configured Yubikey on a test machine and gotten to work with AD accounts, but we ended up going a different direction. Smartcards with AD accounts are on my wishlist but I'm not holding my breath.

We have Filevault deployed to the vast majority of machines, but are not allowed use any sort of auto login capability.

New Contributor III

@mvu All machines are 10.13 or higher yes, I'm looking to rolling these out using the PAM method. So that a Yubikey has to be plugged into the Mac for it to login, following the procedure in this link:

Try to make this deployable through self-service, so that we can just plug in the Yubikeys then run a policy to link it to the Mac. Not had any joy yet, was trying to package up the ykpamcfg -2 as a command and package up the edited /etc/pam.d/screensaver