How to set up MFA for macOS

When employees are required to manage multiple passwords, they often resort to reusing the same password across various applications or creating simple, easy-to-remember passwords that lack sufficient strength. This behavior significantly increases their vulnerability to attackers employing brute force or dictionary attacks to compromise accounts. ADSelfService Plus—a comprehensive identity security solution offering multi-factor authentication (MFA), single sign-on (SSO), and advanced password management capabilities—addresses this issue by enabling MFA for macOS logins.

MFA for macOS using ADSelfService Plus

Systems running macOS can be configured to authenticate users using multiple factors before granting them access. A user's Active Directory (AD) credentials serve as the first factor, while additional factors can include:
  • Biometric authentication
  • YubiKey authentication
  • Google Authenticator
  • Microsoft Authenticator
  • Microsoft Entra ID MFA
  • Push notification authentication
  • Duo Security
  • TOTP authentication

Find the complete list of supported authenticators here.


Even if attackers manage to obtain a user's password, they are unlikely to be able to complete the additional factor, which is tied to the user's registered email address, phone or device.

Configuring MFA for macOS

To enable MFA for macOS logins, administrators must deploy the login agent on each user's machine. Once deployed, users can authenticate securely and even reset their passwords directly from the Mac login screen.

Prerequisites

  • Endpoint MFA: Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase it.

  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin > Product Settings > Connection > Connection Settings. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply an SSL certificate and enable HTTPS.

  • Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
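As an added pre-flight check (not part of ADSelfService Plus or this guide), the Python script below verifies the two connection prerequisites above from a machine that will receive the login agent: that the configured Access URL uses HTTPS and that the server's certificate is trusted and names that host. The hostname and port in it are constructed placeholders.

```python
import socket
import ssl
import time
from urllib.parse import urlparse


def check_access_url(url: str) -> list[str]:
    """Return the prerequisite violations found in a configured Access URL (empty list = OK)."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme.lower() != "https":
        problems.append(f"protocol is '{parsed.scheme or 'missing'}'; the Access URL must use HTTPS")
    if not parsed.hostname:
        problems.append("no hostname; the agent cannot locate the ADSelfService Plus server")
    elif parsed.hostname in ("localhost", "127.0.0.1", "::1"):
        problems.append("hostname is loopback; Macs would try to reach themselves, not the server")
    return problems


def probe_tls(hostname: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TLS connection with full chain and hostname verification and summarise the certificate.

    Raises ssl.SSLCertVerificationError when the certificate is untrusted or does not name the
    host, which is the failure an untrusted or mis-issued certificate causes for any verifying client.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check by default
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return {
        "tls_version": version,
        "issuer": issuer.get("organizationName"),
        "days_until_expiry": int((expires - time.time()) // 86400),
    }


if __name__ == "__main__":
    # Constructed placeholder; replace with the Access URL configured under Admin > Product Settings.
    access_url = "https://selfservice.example.com:9251"
    for problem in check_access_url(access_url):
        print("PREREQUISITE FAILED:", problem)
    parsed = urlparse(access_url)
    if parsed.scheme == "https" and parsed.hostname:
        print(probe_tls(parsed.hostname, parsed.port or 443))
```

Run it from a Mac in the target OU: an empty violation list and a successful probe mean the agent will have a verified HTTPS path back to the server.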

Step 1: Install the ADSelfService Plus macOS login agent through the admin console

  1. To install the login agent from the ADSelfService Plus admin console, go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del).

  2. Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required domain from the drop-down.

  3. You can also choose the specific organizational units for which the login agent has to be installed. To do this, click Add OUs and select the required OUs.

  4. Choose the computers to which the login agent needs to be pushed, and click Install.

Step 2: Enable authenticators

  1. Go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.

  2. Select the authenticator that you want to enable.

  3. Each authenticator comes with its own group of settings. Enter the appropriate information in each field.

  4. For authenticators like Google, Microsoft, push notification, fingerprint, QR-based and TOTP, just click Enable.

Step 3: Enable MFA for macOS logins

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.

  2. Select a policy from the Choose the Policy drop-down. This determines which authentication methods are enabled for which sets of users.

  3. In the MFA for Machine Login section, check the Enable __ authentication factor(s) for machine logins box, select the number of authentication methods, and specify which ones you would like to use from the drop-down.

  4. Click Save Settings.

Your users' accounts will now have better security, thanks to ADSelfService Plus' Endpoint MFA.
