• Home
• App Integrations
• MFA Integrations
• Two-Factor Authentication (2FA/MFA) for MacOS

With the pace of password-based security breaches, simply using usernames and passwords to secure a MacOS is no longer an option. That’s why it has become necessary to add an additional layer of two-factor authentication security to filter out unauthorized users.

miniOrange's MacOS MFA prevents these sorts of Password-Based breaches and adds an additional layer of security. As the MacOS 2FA / MFA feature is enabled, users have to authenticate themselves in two successive stages to access their Mac machines. The first level of authentication happens using their usual Mac credentials. For the second level of authentication, admins can choose from the wide range of 15+ MFA authentication methods that miniOrange offers.

miniOrange 2FA Credential Provider for MacOS access supports following Multi-Factor Authentication (2FA/MFA) Methods:-

Authentication Type	Method	Supported
miniOrange Authenticator	Soft Token
	miniOrange Push Notification
Mobile Token	Google Authenticator
	Microsoft Authenticator
	Authy Authenticator
SMS	OTP Over SMS
	SMS with Link
Email	OTP Over Email
	Email with Link
Call Verification	OTP Over Call
Hardware Token	YubiKey Hardware Token
	Display Hardware Token

Prerequisites for MacOS MFA

• miniOrange Cloud Account or Onpremise Setup.
• Enroll Users in miniOrange before Configuration:
1. The username of the user in miniOrange should be the same as in MacOS Username.
2. This is required so that the service can prompt the appropriate 2FA for the customer based on the defined policy and provide secure access to machine.
3. There are multiple methods to add users in miniOrange.
   1. Admin can add end users
   2. Setup user provisioning from your existing identity source or Active directory.

Step by step guide to setup Multi-Factor Authentication (2FA/MFA) for MacOS Logon

1. Setup your miniOrange dashboard for MacOS 2FA

In this step, we are going to setup your Two-Factor Authentication (2FA) preferences, such as:

• Which users should be asked for 2FA during MacOS logon.
• What 2FA methods can they use.

1.1 Adding app and policy for 2FA

• Login into miniOrange Admin Console.
• Go to Apps and click on Add Application button.



• In Choose Application Type click on Desktop application type.



• Add macOS app on miniOrange.



• Add App Name.



• Select Login Method as Password and Enable 2-Factor Authentication (2FA).



• Click on Save.

1.2 Choose which 2FA options the users can use

• Go to 2-Factor Authentication >> Choose 2FA Options for End User



• Disable the methods you don’t want your users to configure or use for MFA

2. Setup miniOrange Two-Factor Authentication (2FA/MFA) Provider for MacOS

• Download the module from here.
• Extract the macOSMFA.zip folder and unzip it. Afterward, navigate to the macOSMFA directory via terminal.
• Give the execute permissions to the script via running this command in the terminal:
chmod +x installer_config.sh




• Run below command to generate configured installer:
./installer_config.sh




• You will be asked for some configuration details. To fill in these details, login to your miniOrange admin account on Cloud or On Premise.
• Click on the Settings icon on top right corner.



• Copy the Customer Key and API key.



• Now, Go to Apps and copy the name of the macOS application created in Step 1.




Allow user to login if user is not present in miniOrange	true	If user is not present in miniOrange he/she can login without MFA
	false	If user is not present in miniOrange, he/she can’t login
Allow user to login if Policy is not configured for User	true	If user is not present in Policy group he/she can login without MFA
	false	If user is not present in Policy group he/she can’t login
Allow user to login without password	true	If true, users can log in using only MFA. No password will be required.
	false	if set to false, users must enter both password and MFA.
Remember User's login and skip MFA in subsequent logins	true	If true, users can skip MFA on the same device within the set time window.
	false	If set to false, users will be required to enter MFA on every login.
Remember MFA Timeout (in minutes)	5 or 10 or any	Duration for which MFA is skipped after a successful verification, if "Remember login" is enabled.

• Paste the values of Customer key, API Key, App name and the values from table above in the terminal and press enter.



• A new installer should be generated with the name macOSMFAConfigured.pkg. Use this pkg to install MFA on macOS machines.

3. Configure MFA on Staff Machines

• Transfer the macOSMFAConfigured.pkg to the machines where you intend to set up MFA.
• Open terminal and run command:
  xattr -dr com.apple.quarantine /path/to/macOSMFAConfigured.pkg
• Run the installer.

4. Test the Multi-factor Solution

• Logout from the machine. You should see the screen below.



• When you click on your username, it will ask for the password. Fill your password and press Enter.



• After entering the password it will prompt you for 2nd factor authentication.



• After 2FA verification is successful, you will be logged in.

5. Uninstall the Multi-factor Solution

• To remove MFA from your system run macOSMFAUninstaller.pkg from the downloaded folder and logout from the machine.

External References

• Enable secure access using Remote desktop services (RDS) Two-factor authentication (2FA/MFA)
  
• Setup Linux MFA for desktop and SSH access
  
• Enable MFA for MAC
• MFA for VPN and network devices
  
• MFA for Jamf Connect