Skip to main content
Question

Multi Factor Authentication - Mac Login

L
Forum|alt.badge.img+6

Hello all,

Would just like to open up a conversation, to see what people are doing around Multi Factor/2 Factor Authentication.

I've been tasked with securing all our Mac logins with 2FA. I've had mixed degree's of success, using both SecureAuth and Yubikeys.

We FileVault our Mac's, so use with any 2FA is difficult without disabling the automatic FV login, which in my opinion becomes a poor user experience.

We also want to be able to use the 2FA for unlocking the lock screen/waking up from sleep which doesn't work with SecureAuth and their SMS/Push Notification 2FA.

I have had success with Yubikeys having to be plugged in, so that a user can login, wake from sleep and unlock the Mac. These do seem difficult to deploy on a large scale. This is looking like our only alternative.

Was hoping to find a way to use both Touch ID on ours Mac's and the users password, this tho doesn't seem possible at the moment.

Our other option is conditional access on applications on the Mac's, ideally we would prefer to secure all Mac logins with 2FA.

Is anyone else doing anything around MFA and Mac's logins? I've seen Duo, which looks good, assuming tho that this would only work at login too and not with unlocking and waking the Mac from sleep.

    7 replies

    M
    Forum|alt.badge.img+7
    • mack525
    • Contributor
    • 91 replies
    • October 30, 2018

    I am curious to hear what others are doing in regards to this as well.

    L
    1 person likes this
    • L
      leeskade
    R
    Forum|alt.badge.img+18
    • rderewianko
    • Honored Contributor
    • 486 replies
    • October 30, 2018

    This sounds like a great case for saml and jamf connect ;)

    C
    1 person likes this
    • C
      cstout
    L
    Forum|alt.badge.img+6
    • leeskade
    • Author
    • Contributor
    • 14 replies
    • October 30, 2018

    I have started introducing NoMad Login (now Jamf connect woop!).. After a successful deploy of NoMad, would be great if I could integrated this with MFA and SSO!

    Is anyone currently managing their Mac's in this way?

    mvu
    Forum|alt.badge.img+20
    • mvu
    • Jamf Heroes
    • 909 replies
    • October 31, 2018

    For the Yubikey, how are you rolling out that set up? Is your Mac fleet on 10.13 or higher? Are your accounts local or AD bound?

    H
    Forum|alt.badge.img+7
    • hulsebus
    • Contributor
    • 25 replies
    • October 31, 2018

    We have deployed Duo in our environment (10.11 - 10.13) and you are correct, it does not currently work without unlock, just login (and ssh if you configure it). We've been told unlock is being worked on, but have no ETA when it will be in our hands. I have configured Yubikey on a test machine and gotten to work with AD accounts, but we ended up going a different direction. Smartcards with AD accounts are on my wishlist but I'm not holding my breath.

    We have Filevault deployed to the vast majority of machines, but are not allowed use any sort of auto login capability.

    L
    Forum|alt.badge.img+6
    • leeskade
    • Author
    • Contributor
    • 14 replies
    • November 5, 2018

    @mvu All machines are 10.13 or higher yes, I'm looking to rolling these out using the PAM method. So that a Yubikey has to be plugged into the Mac for it to login, following the procedure in this link:

    https://support.yubico.com/support/solutions/articles/15000015045-macos-logon-tool-configuration-guide

    Try to make this deployable through self-service, so that we can just plug in the Yubikeys then run a policy to link it to the Mac. Not had any joy yet, was trying to package up the ykpamcfg -2 as a command and package up the edited /etc/pam.d/screensaver

    D
    Forum|alt.badge.img
    • DrHWSIII
    • New Contributor
    • 1 reply
    • January 31, 2025

    This request was a while ago. Did you come up with a solution to MFA on locking from sleep?  I am using Jamf Connect to provide MFA using a TraitWare OIDC application. Have it workin for. logins. from cold start with and without. Filevault on.  FileVault off requires user to authenticate with the TraitWare app by scanning a QR and entering their local password with FileVault on the process requires a local password being enter then scanning a Qr  with the TraitWare  app and then entering their password again. Working to eliminate the second password requirement.  Login in after using the Apple log out mode requires only the scan and password entry.  Waking from sleep requires only  a password entry.   I would like to require only the TW scan verification but at the least be able to configure to require the TraitWare MFA process and then password,  Any suggestions?

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings