Require MFA for Mac endpoints

This topic describes how to implement a multi-factor authentication policy ("MFA") for enrolled Mac endpoints, challenging users of enrolled Mac endpoints with additional authentication factors (for example, a one-time passcode ("OTP"), SMS, or security question).

CyberArk MFA for Mac is not compatible with using FIPS 140-2-compliant cryptographic algorithms for authentication protocols.

To configure MFA for Mac endpoints

Step 1: Create a role.

  1. In the Admin Portal, click Core Services > Roles.
  2. Click Add Role.
  3. Type the Role name and an optional description, then click Save.

  4. Click Members > Add to add users to the Role.

    You can add directory service users and external identity store users. If you are preparing a Role with administrative rights before adding or inviting users, you can add the appropriate members later.

  5. Click Administrative Rights > Add.
  6. Select the check box associated with each right you want to assign to the Role, then click Add.

    For a description of the administrative rights, see Admin Portal administrative rights.

  7. Click Assigned Applications, then click Add.
  8. Select the check box associated with each application you want to assign, then click Add.

    Assigning applications to a Role enables you to automatically deploy a default set of applications to the members of the Role efficiently.

  9. Click Save.

Step 2: Create a new user.

This is the Mac user for whom you are configuring MFA. Skip this step if the user account already exists, either in the CyberArk Cloud Directory or in a connected AD domain.

  1. Log in to the CyberArk Identity Admin Portal using your administrator account.

  2. Go to Core Services > Users > Add User.

  3. Enter a login name and select a suffix.

    A user name can be composed of any of the UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period).

    The suffix is the part of your account name that follows “@”. For example, if your account name is bob.smith@acme.com, then the suffix is acme.com. By default, the suffix associated with your default account is populated. See Manage login suffixes for more information on suffixes and for information on creating a default login suffix for CyberArk Cloud Directory users.

    All login suffixes are displayed in the list, including the login suffix for any Active Directory/LDAP domains you are using.

    Important: If you select the login suffix for an Active Directory/LDAP domain, the account is not added to Active Directory/LDAP. The account’s Source column will indicate CyberArk Identity as the source, rather than Active Directory/LDAP.

  4. Enter the email address and display name for the user.

  5. Enter a password.

    This is a one-time password for the user to log in to CyberArk Identity User Portal when you select “Require password change at next login (recommended)” in the Status settings. This password is replaced with the password created by the user.

    The default minimum password requirements are:

    • 8 characters

    • 1 numeric character

    • 1 upper case letter

    • 1 lower case letter

    See Set password complexity requirements to change the default requirements.

  6. Select the appropriate Status settings.

    You can customize the email message sent when you invite users—see Customize email message contents.

    A CyberArk Identity service user acts as a client in the Client Credentials Flow within the OAuth 2.0 authorization framework (https://datatracker.ietf.org/doc/html/rfc6749). The service user's credentials (client credentials) are used to obtain an access token from CyberArk Identity. The access token is used to gain access to CyberArk Identity-protected APIs for tasks such as:

    • enrolling or unenrolling a device

    • uninstalling an agent

    • sending requests to SCIM server APIs

      CyberArk Identity automatically creates service users during device enrollment using the format Machine_Id@TenantAlias. You can also create service users manually to provide client credentials for an OAuth 2.0 client application to access CyberArk Identity resources. Service users are not users who sign in to the CyberArk Identity User, Admin, or User Behavior Analytics portals.

  7. (Optional) Enter the appropriate information for the Profile fields.

  8. (Optional) Enter a date and time in the Start and End date fields to allow CyberArk Identity Directory users access to the CyberArk Identity resources during a specified time period.

    If Send email invite for user portal setup or Send SMS invite for device enrollment is selected, an invitation email or text message is automatically sent to the user on the start date. Users configured with a start and end date are automatically suspended in the directory service and deprovisioned from applications once the specified end date is reached. You cannot modify the Start date field once the user is active; you can modify the End date field at any time.

    When configuring the Start and End date fields, keep in mind that the dates and times are based on your local time zone. If you are creating users in a different time zone, be sure to calculate the proper start and end dates for the user's time zone.

    Users with the System Administrator role or users that are in a role with User Management administrative rights can modify these settings.

  9. (Optional) Enter the appropriate information for the Organization field. For information on adding users to Organizations, see Create Organizations with Delegated Administrators.

  10. Click Create User.

    A notification will be sent to the newly created user using your selected method.

  11. Add the user to the role created in Create a role.

    If you want to enforce MFA for additional users on the Mac at a later time, add them to the role as well.

Step 3: Create an authentication profile, selecting password as the first factor and at least two additional factors from the Challenge 2 column.

  1. Click Settings > Authentication.
  2. Click Add Profile on the Authentication Profiles page.
  3. Enter a unique name for each profile.
  4. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR Code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Secure access with adaptive MFA for more detail.

    The two authentication sets are described below.

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, CyberArk Identity waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, CyberArk Identity does not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that CyberArk Identity does not send the SMS/email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR Code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

    The available authentication mechanisms, grouped by factor type (each mechanism's description follows its name):

    Something you have

    Mobile Authenticator

    When you select this option, users authenticate using a one-time passcode displayed by the CyberArk Identity mobile app installed on their mobile devices.

    If devices are connected via the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the CyberArk Identity mobile app login prompt.

    If devices are connected via the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Admin Portal or CyberArk Identity user portal login prompt.

    The availability of this mechanism to users can be controlled using the Show Mobile Authenticator by default policy. This policy is in Core Services > Policies > select existing policy or create a new one > Endpoint Policies > Common Mobile Settings > Security Settings. See Mobile device configuration policies overview for more information on the policy.

    This option requires users to have CyberArk Identity mobile app installed on their devices and those devices must be enrolled in CyberArk Identity.

    Phone call

    When you select this option, CyberArk Identity calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in. If your tenant is configured on CyberArk Identity 17.10 or newer, see Enable phone PIN because additional configuration is required.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    OATH OTP Client

    This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third party authenticator (like Google Authenticator) to scan a CyberArk Identity generated QR code and get a one-time-passcode (OTP). This authentication mechanism requires additional configurations. See Enable OATH OTP.

    Text message (SMS) confirmation code

    When you select this option, CyberArk Identity sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    You can configure the confirmation code length (6 or 8 digits) in Admin Portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    The link and confirmation code are valid for 20 minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    Additionally, you can configure CyberArk Identity to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Admin Portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

    To ensure delivery of SMS messages, CyberArk Identity uses a backup SMS provider and cycles through the providers on SMS retry attempts.

    Duo

    Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with CyberArk Identity as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already done so.

    You have to configure Duo in your CyberArk Identity tenant before you can select it as an authentication mechanism. Refer to Duo authentication for more information.

    Email confirmation code

    When you select this option, CyberArk Identity sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Admin Portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    The link and confirmation code are valid for 20 minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    QR Code

    Select this option to present users with a Quick Response (QR) Code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

    Successfully scanning a QR Code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism.

    FIDO2 Authenticator(s) (single factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to CyberArk Identity using either external or on-device authenticators.

    Single-factor FIDO2 authenticators are something you have. Examples are external authenticators such as security keys that plug into the device's USB port (for example, a YubiKey).

    Refer to NIST 800-63b for more information about single-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Something you are

    FIDO2 Authenticator(s) (multi-factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to CyberArk Identity using either external or on-device authenticators.

    Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

    Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Something you know


    Password

    When you select this option, users are prompted for either their Active Directory or CyberArk Identity user password when logging in to the Admin portal.

    Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enable multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.

    Other

    3rd Party RADIUS Authentication

    When you select this option, we communicate with your RADIUS server to allow for user authentication into CyberArk Identity or an enrolled endpoint. See Configure CyberArk Identity for RADIUS.


  5. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanisms within this duration, they are not challenged again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins, or RADIUS VPN connections; only the User Portal and the Admin Portal.
  6. Click OK.
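As an added illustration (not CyberArk's code and not from this topic), the following Python model captures the profile rules described in step 4: a single mechanism bypasses both challenges, the result of challenge 1 is withheld until challenge 2 is answered, and an SMS, email, or phone call is not sent after a failed challenge 1. The sample profile, the mechanism names used as keys, and the verifier's expected values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Out-of-band second factors: by default they are not sent when challenge 1 failed.
OUT_OF_BAND = {"Text message (SMS) confirmation code", "Email confirmation code", "Phone call"}


@dataclass
class AuthProfile:
    """Mirrors the Add Profile dialog: one challenge-1 mechanism, a menu of
    challenge-2 mechanisms, and optional single mechanisms that bypass both."""
    challenge1: str
    challenge2: frozenset
    single: frozenset = frozenset()

    def __post_init__(self):
        # The portal refuses a mechanism that appears in both menus.
        overlap = ({self.challenge1} | self.challenge2) & self.single
        if overlap:
            raise ValueError(f"mechanism selected in both menus: {sorted(overlap)}")


@dataclass
class Attempt:
    """What a user submitted: mechanism -> value, the challenge-2 mechanism the
    user picked, and (if used instead) a single mechanism."""
    responses: dict
    second: Optional[str] = None
    single_used: Optional[str] = None


@dataclass
class Outcome:
    passed: bool
    events: list = field(default_factory=list)


def evaluate(profile: AuthProfile, attempt: Attempt,
             verify: Callable[[str, str], bool]) -> Outcome:
    out = Outcome(passed=False)
    # 1. A single mechanism (QR Code on an enrolled device, a FIDO2 key) is
    #    sufficient on its own and bypasses the multiple-mechanism challenges.
    if attempt.single_used is not None:
        if attempt.single_used not in profile.single:
            raise ValueError("not in the Single Authentication Mechanism menu")
        ok = verify(attempt.single_used, attempt.responses.get(attempt.single_used, ""))
        out.events.append(f"single {attempt.single_used}: {'pass' if ok else 'fail'}")
        out.passed = ok
        return out
    # 2. Challenge 1 is checked, but its result is withheld until challenge 2 is
    #    answered, so the response does not reveal which factor was wrong.
    first_ok = verify(profile.challenge1, attempt.responses.get(profile.challenge1, ""))
    out.events.append("challenge 1: answered (result withheld)")
    if attempt.second not in profile.challenge2:
        raise ValueError("not in the Challenge 2 menu")
    # 3. Default configuration: no SMS, email or call goes out after a failed
    #    challenge 1, so a wrong password cannot be used to page the user.
    if attempt.second in OUT_OF_BAND and not first_ok:
        out.events.append(f"{attempt.second}: not sent")
        second_ok = False  # nothing was delivered, so no submitted code can match
    else:
        second_ok = verify(attempt.second, attempt.responses.get(attempt.second, ""))
    out.events.append("challenge 2: answered")
    out.passed = first_ok and second_ok
    out.events.append(f"response: {'pass' if out.passed else 'fail'}")
    return out


def make_verifier(expected: dict) -> Callable[[str, str], bool]:
    """Constructed stand-in for the real checks: a value is valid only if it
    equals the expected value for that mechanism (and is never empty)."""
    return lambda mech, value: value != "" and expected.get(mech) == value


# Constructed sample: the profile from the Single Authentication Mechanism example above.
SMS = "Text message (SMS) confirmation code"
PROFILE = AuthProfile("Password", frozenset({"Security Question(s)", SMS}), frozenset({"QR Code"}))
VERIFY = make_verifier({"Password": "correct-horse", "Security Question(s)": "blue",
                        SMS: "12345678", "QR Code": "scan-ok"})

if __name__ == "__main__":
    wrong = evaluate(PROFILE, Attempt({"Password": "oops", SMS: "12345678"}, second=SMS), VERIFY)
    print(wrong.passed, wrong.events)
```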

Step 4: Enable the authentication factors that you plan to use.

Phone call and SMS authentication factors must be enabled by support.

SMS, Phone

  1. Verify that your users have a mobile phone number associated with their account.

    1. Log in to the Admin Portal.
    2. Click Core Services > Users.
    3. If you have installed the CyberArk Identity Connector to integrate Active Directory with CyberArk Identity, then you will see your Active Directory user accounts in this list.

    4. Click the relevant user name.
    5. The Account page shows the email address and mobile number associated with this account.

  2. Enable users to create a phone PIN.

    1. Log in to the Admin Portal.
    2. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
    3. Click User Security Policies > User Account Settings.
    4. Select Yes in the “Enable users to configure a Phone PIN for MFA” drop-down list.

    5. (Optional) Specify the minimum PIN length users must create.
    6. (Optional) Specify the authentication profile users must use to configure and edit their PINs.

    7. Click Save.

OATH OTP

  1. Log in to the Admin Portal.

  2. Go to Core Services > Policies.

  3. Select a policy set or create a new one.

  4. Go to User Security Policies > OATH OTP.

  5. Select Yes in the Allow OATH OTP Integration drop-down list.

  6. Select Yes in the Enable auto-setup of OATH OTP in Identity app drop-down list to allow users to automatically configure OATH OTP during device enrollment with the CyberArk Identity mobile app.

    This provides a more convenient enrollment experience for users who use the CyberArk Identity mobile app. If you expect users to use a third-party authenticator such as Google Authenticator, select the default value (--) or No.
  7. Click Save.

  8. Enable users to configure an OATH OTP client.
    1. Click User Account Settings.

      The User Account Setting window opens.

    2. Select Yes in the Enable user to configure an OATH OTP client drop-down list.

    3. Enter a user-friendly name (for example the name of the OTP client used by your organization) in the OATH OTP Display Name text field. This name is what users will see.

    4. Select an authentication profile to require users to provide additional authentication before they can access the QR code.

    For desktop-based CyberArk Authenticator, do not configure any additional Authentication profiles. This field should be set to --.
  9. Click Save.
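An added example, not CyberArk's code: what an OATH OTP client and the server-side check do underneath the QR code enabled in this step, written as RFC 6238 TOTP in Python. The otpauth issuer being the OATH OTP Display Name, the 6-digit code length, and the one-step skew window are assumptions; the key is the published RFC 6238 test secret, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30    # RFC 6238 time step, seconds
DIGITS = 6   # assumption: 6-digit codes, the default of common authenticator apps
WINDOW = 1   # accept one time step of clock skew on either side


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI carried in the QR code a third-party authenticator scans.
    Assumption: `issuer` is the OATH OTP Display Name set in the policy."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, DIGITS decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the authenticator shows)."""
    return hotp(base64.b32decode(secret_b32), at // STEP)


class OtpVerifier:
    """Server side of the check. Tolerates WINDOW steps of skew and refuses to
    accept a time step that already authenticated (replay protection)."""

    def __init__(self, secret_b32: str):
        self.key = base64.b32decode(secret_b32)
        self.last_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # already used, or older than a code that was used
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_step = step
                return True
        return False


# Constructed sample key: the RFC 6238 SHA-1 test secret, base32-encoded.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(provisioning_uri(SECRET_B32, "myuser@mydomain.com", "Example OTP Client"))
    v = OtpVerifier(SECRET_B32)
    print(totp(SECRET_B32, 59), v.verify(totp(SECRET_B32, 59), 59))
```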

Step 5: Update policy settings for Mac MFA and apply the policy set to the role created in Create a role.

  1. Click Core Services > Policies, then select an existing policy or click Add Policy Set.

  2. In the Policy Settings tab, change the Policy Assignment to Specified Roles and then add the role created in Create a role.

  3. From the policy, select Authentication Policies > Endpoint Authentication, then set Enable authentication policy controls to Yes.

  4. On the Endpoint Authentication tab, change Default profile (used if no conditions matched) to the authentication profile created in Create an authentication profile, selecting password as the first factor and at least two additional factors from the Challenge 2 column.

  5. From the policy, select Endpoint Policies > Common Settings > Agent Settings > Lock Screen, then make a selection for Disable MFA for OS X lock screen.

    By default, MFA is enabled on the Mac lock screen when the policy is applied. Touch ID is disabled when MFA is enabled on the lock screen. You can select Yes to disable MFA on the lock screen and allow users to unlock the screen using Touch ID.

    You can create a separate role for users that have a Touch ID-equipped device and apply this setting through a separate policy set. That way you can enforce MFA on the lock screen for Mac users without Touch ID while allowing users with newer devices to take advantage of Touch ID.
  6. From the policy, select Endpoint Policies > Common Settings > Agent Settings > Lock Screen, then make a selection for MFA grace period for OS X and Windows screen unlock.

    The grace period is the amount of time that an active user session can be accessed without MFA challenges. Examples of accessing an active user session include unlocking the screen or switching between logged on users. If the user session is terminated, the grace period timer restarts.

    To specify a grace period, select one of the minute or hour values from the drop-down menu. To specify no grace period, select Immediately. In this case, a locked device immediately requires MFA challenges for unlocking. The default value is Immediately.

    Any change in the grace period setting takes effect only after the period defined in the "Update device information frequency (default 12 hours)" setting in Endpoint Policies > Device Management Settings, or if policies are manually pushed, or on device restart.

  7. Click Save.

Step 6: Create a local user on the Mac with the same name as the user created in Create a new user.

If the user that you want to enroll already has a local account on the Mac, you should rename the local account to match the username of the account you plan to enroll the device on behalf of. For example, if a user logs in to a local account FirstName and you want to enroll the device on behalf of an AD user FirstName.LastName@mydomain.com, you should rename the local account FirstName to FirstName.LastName so the user can continue using the same desktop after enrollment. Refer to https://support.apple.com/en-us/HT201548 for more information about renaming a user's home directory.

If no matching local account is found, the enrollment process creates a new local account with the same username as the directory source. For example, if the user logs in as FirstName and you enroll the device for an AD user FirstName.LastName@mydomain.com, the enrollment process creates a new local user FirstName.LastName; this new local account does not keep the same desktop and browser settings.

You can skip this step if a matching local user already exists on the Mac. For example, a mobile user that was converted to a local user when the device left an AD domain.

  1. Log in to the Mac with an administrator's account.
  2. Open System Preferences, then select Users and Groups.
  3. Click the lock to make changes and enter your admin password.
  4. Click the + icon and complete the required fields, then click Create User.

Step 7: Enroll the Mac endpoint on behalf of the user who you want to require to authenticate with MFA.

In this example, we'll use the user created in Create a new user.

  1. From the downloads page in the Admin Portal, select Agents from the drop-down menu and download the Mac Cloud Agent.

    The Mac Cloud Agent download begins (CyberArk-Mac-Agent.dmg).

  2. Open the CyberArk-Mac-Agent.dmg file, then double-click the CyberArk-Mac-Agent.pkg file.

    The installer for Mac Cloud Agent opens.

  3. Click through the on-screen instructions, agreeing to the software license agreement and entering administrator credentials when necessary.

  4. Select Launch CyberArk Agent, then click Continue.

    The Sign In window appears.

  5. Enter the user credentials for an admin user in a role with the Device Enroll On Behalf Of administrative right assigned.

    Refer to Admin Portal administrative rights for more information.

  6. Click Enroll this mac for a different user.

    The Enroll this mac for a different user window appears.

  7. Complete the User to Enroll and Account Name fields, then click Enroll.

    Enter the admin credentials of the local admin user on the Mac when prompted.

    Field Description

    User to Enroll

    Enter the username and domain suffix that the user will use to log in to the User Portal.

    For example, myuser@mydomain.com.

    Account Name

    Select the username for the account associated with the user.

    For example, myuser.

    You can click the arrows in the menu to see a list of all users (either local users or users in the domain that the device is joined to) or start typing the username to filter the list. If you don’t see the account associated with the user, make sure the user exists or your device is joined to the AD domain.

  8. Click Done when you see the Enrollment Complete message.

  For an enrollment that also installs the CyberArk Identity MDM profile, follow steps 1 through 7 above and then continue as follows:

  8. Click Download to download the MDM profile, then close the Mac Cloud Agent.

  9. Open System Preferences, then click Profiles.

  10. Select the CyberArk Identity profile from the list of downloaded profiles, then click Install... and confirm the installation, entering your admin credentials as needed.

Your user can now log in to the Mac endpoint with their CyberArk Cloud Directory account using MFA. Once users have logged in to the CyberArk Identity User Portal, they can configure additional authentication factors such as security questions, OATH OTP, Offline OTP, and Phone PIN.

Mobile Users (Apple AD) are converted to a Standard user upon the first successful MFA login. This removes the user from the FileVault screen, so you must re-add the user to FileVault.

If your organization uses an EAP-based WiFi network, users need a wired connection or a non-EAP WiFi network to log in to a Mac. This is because EAP WiFi requires access to the Keychain, so without another connection option (like a wired connection) the Mac is effectively offline when users are at the login screen. CyberArk recommends requiring users to configure an offline OTP after their initial login, so that users can use the offline OTP for future logins from the login window (after a reboot or logout), and not have to rely on a wired connection or less secure WiFi network. Direct your users to Sign in with multi-factor authentication for more information about configuring an offline OTP, as well as using other authentication factors.