
Set up Two-Factor Authentication (2FA/MFA) for macOS



Password-based breaches are now routine, so a username and password alone are no longer an adequate way to secure a macOS machine. An additional layer of two-factor authentication (2FA) is needed to keep unauthorized users out even when a password has been phished, guessed or leaked.

miniOrange's macOS MFA adds that second layer. Once macOS 2FA/MFA is enabled, users authenticate in two successive stages to access their Mac: the first stage uses their usual Mac credentials, and for the second stage admins can choose from the 15+ MFA authentication methods that miniOrange offers.

The miniOrange 2FA Credential Provider for macOS supports the following Multi-Factor Authentication (2FA/MFA) methods:

Authentication Type        Method Supported
miniOrange Authenticator   Soft Token
                           Push Notification
Mobile Token               Google Authenticator
                           Microsoft Authenticator
                           Authy Authenticator
SMS                        OTP Over SMS
                           SMS with Link
Email                      OTP Over Email
                           Email with Link
Call Verification          OTP Over Call
Hardware Token             YubiKey Hardware Token
                           Display Hardware Token


Get Free Installation Help - Book a Slot

miniOrange offers free help through a consultation call with our System Engineers to install or set up Multi-Factor Authentication (2FA) for macOS logon in your environment, with a 30-day trial.

To book a slot, send an email to idpsupport@xecurify.com and we'll help you set it up in no time.


Prerequisites for macOS MFA

  • A miniOrange Cloud account or On-Premise setup.
  • Users enrolled in miniOrange before configuration:
    • The user's username in miniOrange must be identical to their macOS username.
    • The match is required so that the service can look up the user's policy, prompt for the correct 2FA method, and grant access to the machine.
    • There are multiple methods to add users in miniOrange.

Step-by-step guide to set up Multi-Factor Authentication (2FA/MFA) for macOS logon

1. Set up your miniOrange dashboard for macOS 2FA

In this step, we are going to set up your Two-Factor Authentication (2FA) preferences, such as:

  • Which users are asked for 2FA during macOS logon.
  • Which 2FA methods they can use.

1.1 Adding app and policy for 2FA

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click on the Add Application button.

  • Select Desktop from the All Apps dropdown.

  • Search for macOS in the list. If you don't find macOS, search for API Desktop and set up your application via API Desktop instead.

  • In the Basic tab, enter the following details:

    Basic Tab field   Description
    Display Name      Enter the Display Name (i.e., the name for this application).
    Description       (Optional) Add a description if required.
    App Secret        You can find the App Secret by clicking the reveal icon next to the field.

  • Click on Save to continue. You will be automatically redirected to the Policies section, where you add a Two-Factor Authentication policy.

  • Click on the Assign group button. A new Configure Group Assignment modal will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group name and click on Create Group.
    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as the login method, you can enable 2-Factor Authentication (MFA) if needed.
  • Click on Save. Policies will be created for all the selected groups.
  • Once submitted, the newly added policy will appear in the list.

1.2 Configure an OAuth App for macOS MFA (required only if you will use OAuth as the second factor, see Step 2):

  • Log in to the miniOrange Admin Console.
  • Click on Apps. It shows a list of all configured applications and options to modify them. Click on Add Application.
  • Under Choose Application, select OAuth/OpenID from the All Apps dropdown.
  • Search for your application in the list. If it is not found, search for oauth and set up your app via OAuth2/OpenID Connect.

  • In the Basic tab, enter the following details:

    Field             Description
    Display Name      Enter the Display Name (i.e., the name for this application).
    Redirect URL      Enter the Redirect URL: com.miniorange.mfa://oauth/callback
    Client ID         Auto-generated. Click the copy icon to use it in your application.
    Client Secret     Hidden by default. Click the eye icon to reveal it and the clipboard icon to copy it.
    Description       (Optional) Add a description if required.
    Upload App Logo   (Optional) The app is shown in the end-user dashboard with the logo you configure here.
  • Click on Save.

  • You will be redirected to the Policies section.
  • Click on the Assign group button. A new Configure Group Assignment modal will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group name and click on Create Group.
    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select Password-less as the login method (IMPORTANT).
  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it's successfully added.

2. Set up the miniOrange Two-Factor Authentication (2FA/MFA) Provider for macOS

  • Download the macOSMFA.zip module (download link provided by miniOrange).
  • Extract macOSMFA.zip and open a terminal in the resulting macOSMFA directory.
  • Give the script execute permission:
    chmod +x installer_config.sh
  • Run the script to generate a configured installer:
    ./installer_config.sh
  • The script asks for configuration details. To obtain them, log in to your miniOrange admin account (Cloud or On-Premise).
  • Click on the Settings icon in the top right corner.
  • Copy the Customer Key and API Key.
  • Go to Apps and copy the name of the macOS application created in Step 1.1.

    Condition                                                   Value               Description
    Allow user to login if user is not present in miniOrange    true                A user who does not exist in miniOrange can log in without MFA.
                                                                false               A user who does not exist in miniOrange cannot log in.
    Allow user to login if Policy is not configured for User    true                A user who is not in any policy group can log in without MFA.
                                                                false               A user who is not in any policy group cannot log in.
    Allow user to login without password                        true                Users log in using only MFA; no password is required.
                                                                false               Users must enter both password and MFA.
    Remember User's login and skip MFA in subsequent logins     true                Users can skip MFA on the same device within the set time window.
                                                                false               Users must complete MFA on every login.
    Remember MFA Timeout (in minutes)                           5, 10 or any value  Duration for which MFA is skipped after a successful verification, if "Remember login" is enabled.
    Enter OAuth Authentication as second factor                 true                OAuth authentication is enabled as the second factor.
                                                                false               If left blank or set to false, OAuth is not used as the second factor.
    Enter OAuth Authorization URL                               URL                 The authorization endpoint URL of the OAuth Identity Provider (see "For OAuth configuration values" below).
    Enter OAuth Client ID                                       Client ID           The Client ID issued by the OAuth provider to identify the application.
    Enter OAuth Client Secret                                   Client Secret       The secret associated with the Client ID, used to authenticate the application.

    Note:

    While testing, set Allow user to login if user is not present in miniOrange and Allow user to login if Policy is not configured for User to true so that you do not get locked out of the Mac. Both settings are fail-open: any account that is unknown to miniOrange or outside a policy group logs in with the password alone. Once every user is enrolled and assigned a policy, regenerate the installer with both set to false; otherwise MFA can be bypassed by logging in with an account that is not enrolled. The generated installer also embeds the Customer Key, API Key and (if used) the OAuth Client Secret, so store and distribute macOSMFAConfigured.pkg as you would any credential.



  • Paste the Customer Key, API Key, App name and the values from the table above into the terminal, pressing Enter after each.
  • A new installer named macOSMFAConfigured.pkg is generated. Use this pkg to install MFA on macOS machines.

For OAuth configuration values:

  • Click the Action (three dots) menu of the OAuth application created in Step 1.2 and click on OAuth Endpoints.
  • Copy the first URL listed (the authorization endpoint) and paste it into the Enter OAuth Authorization URL prompt.
  • Similarly, go to the Basic tab and copy the Client ID and Client Secret into the corresponding prompts.


3. Configure MFA on staff machines

  • Transfer macOSMFAConfigured.pkg to the machines where you intend to set up MFA.
  • Because the package was downloaded or transferred, macOS marks it with the quarantine attribute and Gatekeeper may refuse to open it. Removing the attribute skips that check, so first confirm the file is the package you generated (for example, compare a checksum taken on the build machine with shasum -a 256), then open Terminal and run:
    xattr -dr com.apple.quarantine /path/to/macOSMFAConfigured.pkg
  • Run the installer.

4. Test the Multi-factor solution

  • Log out of the machine. The macOS login screen appears.
  • Click on your username, enter your password and press Enter.
  • After the password is accepted, you are prompted for the second factor.
  • After 2FA verification succeeds, you are logged in.

5. Uninstall the Multi-factor solution

  • To remove MFA from the system, run macOSMFAUninstaller.pkg from the downloaded folder and log out of the machine.

Frequently Asked Questions (FAQs)


Why is my OTP being rejected even though I entered the correct code from my Google/Microsoft Authenticator?

This is usually caused by a time mismatch between the miniOrange server and your mobile device (or, for Offline Authentication on Windows/Linux/Mac, between your machine's clock and your mobile device's clock).

Codes generated by authenticator apps are time-based one-time passwords (TOTP): each code is derived from the shared secret and the current time rounded down to a 30-second step, and the verifier accepts only the current step plus a small tolerance of a step or so either side (roughly 30–60 seconds in total). If the clock on the phone running the authenticator, or on the machine in the offline case, is off by even 2 minutes, the code falls outside that window and is treated as expired or invalid. Make sure both devices set their time automatically from a network time source.

