Require MFA for macOS endpoints

This topic describes how to enroll macOS machines with the Mac Cloud Agent to enforce adaptive MFA without depending on direct connectivity (LAN or VPN) to the directory source (for example, Active Directory).

Before you enroll any macOS endpoints, you should create a policy set to configure adaptive MFA for your macOS users. The Mac Cloud Agent supports the following authentication mechanisms:

  • Mobile Authenticator

    The number matching feature of the Mobile Authenticator is not supported by the Mac Cloud Agent. Please disable Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Require number matching for mobile authenticator to prevent accidental approvals within your Mac Cloud Agent policy set.

  • email

  • phone call

  • SMS

  • OATH OTP

  • QR code

  • security questions

CyberArk MFA for Mac is not compatible with using FIPS 140-2-compliant cryptographic algorithms for authentication protocols.

Configure adaptive MFA for macOS users

Configure an authentication policy to enforce adaptive MFA when users log in to their enrolled macOS machines. For example, you could use additional authentication mechanisms if a user tries to log in from outside of your corporate IP range.

To configure adaptive MFA for macOS users

  1. Sign in to the Identity Administration portal.

  2. Go to Core Services > Policies, and then select the policy that you want to edit or click Add Policy Set to create a new one.

    The Policy Settings page opens.

  3. Select the Specified Roles or the Sets option in the Policy Assignment area.

  4. Click Add, find and select the role or set that contains the relevant users or endpoints, then click Add.

  5. Go to Authentication Policies > Endpoint Authentication.

  6. Select Yes in the Enable authentication policy controls drop-down.

    If you want users to authenticate regardless of the log-in condition, skip the following step and use the Default Profile (used if no conditions matched) drop-down to define an authentication profile.

  7. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window appears.

  8. Click Add Filter on the Authentication Rule window.

  9. Define the filter and condition using the drop-down menus.

    The available filters, what each one evaluates, and the conditions you can choose for it are listed below.

    Filter: IP Address

    The computer’s IP address when the user logs in. You can create rules based on:

    • Whether the IP address is inside or outside the corporate network.

      Use either the inside secure zones or outside secure zones condition. Secure zones are defined in Settings > Network > Secure Zones.

    • Whether the IP address is inside a subset of your corporate network.

      Use the inside secure zone... condition. If you select this condition, you also need to indicate the specific secure zone (IP range configured in the IP table in Settings > Network > Secure Zones).

    To configure the IP address condition, you first need to configure the IP address range in Settings > Network > Secure Zones. See Define Secure Zones. The specified authentication profile is then applied to users whose IP address matches the specified IP address value, or falls within the specified IP address range.

    Also see Disable Secure Zones to exempt certain IP addresses or ranges from policy rules.

    Conditions available:
    • inside secure zones
    • outside secure zones
    • inside secure zone...

    Filter: Identity Cookie

    The cookie that CyberArk Identity embeds in the current browser after the user has successfully logged in.

    Conditions available:
    • Is present
    • Is not present

    Filter: Day of Week

    Specific days of the week (Sunday through Saturday). You can select one or more, based on either User Local Time or UTC.

    Conditions available: checkboxes for each day of the week, and radio buttons to select either User Local Time or UTC.

    Filter: Date

    A date before or after which the user logs in that triggers the specified authentication requirement, based on either User Local Time or UTC.

    Conditions available:
    • Less than <selected date>
    • Greater than <selected date>
    with radio buttons for User Local Time or UTC.

    Filter: Date Range

    A specific date range, based on either User Local Time or UTC.

    Conditions available: date pickers, and radio buttons for User Local Time or UTC.

    Filter: Time Range

    A time range in hh:mm (24-hour clock), based on either User Local Time or UTC.

    Select an Authentication Profile for the time range defined; users who sign in during that time range are subject to the selected authentication profile. You can also choose not to allow sign-in during a specified time range.

    Example

    If the Time Range in the Authentication Rule is from 18:00 to 09:00 and the Authentication Profile selected is Not Allowed, affected users can't sign in during this time. A message displays saying the user does not have the required attributes to sign in.

    Authentication filters for RADIUS connections only use UTC.

    Conditions available: time ranges in the format hh:mm, with radio buttons for User Local Time or UTC.

    Filter: Device OS

    The operating system of the device a user is logging in from.

    Conditions available:
    • equal to
    • not equal to

    Filter: Network Level Authentication

    This filter applies authentication profiles based on whether an RDP client has completed Network Level Authentication (NLA).

    Conditions available:
    • is done
    • is not done

    Filter: Browser

    The browser used for opening the CyberArk Identity portal.

    Conditions available:
    • equal to
    • not equal to

    Filter: Role

    CyberArk Identity roles that a user belongs to. If a user belongs to multiple roles, the authentication rule that comes first (highest priority at the top) is honored.

    If a role is renamed after an authentication rule using Role as a filter was created, the authentication rule automatically updates with the new role name. If a role is deleted, the portion of any authentication rule that uses that role as a filter is also deleted.

    This filter is only applicable to managing web application access.

    Contact support if Role does not display in your menu. This filter requires tenant configuration.

    Conditions available:
    • equal to
    • not equal to

    Filter: Country

    The country based on the IP address of the user's computer.

    Conditions available:
    • equal to
    • not equal to

    Filter: Risk Level

    The risk level of the user logging on to the User Portal, used as an authentication factor. For example, a user attempting to log in to CyberArk Identity from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter requires additional licenses. If you do not see this filter, contact CyberArk support. The supported risk levels are:

    • Non Detected -- No unexpected activities are detected.
    • Low -- Some aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
    • Medium -- Many aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
    • High -- Strong indicators that the requested identity activity is an anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
    • Undetermined -- Not enough user behavior activity (frequency of system use by the user and length of time the user has been in the system) has been collected.

    Additional licenses might be required to enable this feature. Contact your CyberArk account representative for more information.

    Conditions available:
    • equal to
    • not equal to

    Filter: Managed Devices

    A device is considered managed under any of the following circumstances:

    • It is enrolled to CyberArk Identity for device management.

      A device that is enrolled for only single sign-on or endpoint authentication is not considered a managed device. For more information about the difference, see Mobile Device Management or single sign-on only.

    • It is enrolled to a supported Unified Endpoint Manager (UEM).

    • It is compliant with policies defined by a UEM. Compliance means that the device is enrolled in a UEM and conforms to the compliance rules that the third-party UEM defines.

      For more information, see Configure access based on a third-party UEM trust.

    Conditions available:
    • enrolled to
    • not enrolled to
    • compliant with
    • not compliant with

    Filter: Certificate Authentication

    Whether the user presents a digital certificate issued by your organization’s trusted certificate authority. You can upload a certificate using the Identity Administration portal > Settings > Authentication > Certificate Authorities. Users can also individually use CyberArk as their trusted certificate authority and automatically install the digital certificate by enrolling their devices.

    For example, if you configure an authentication rule to use the Certificate Authentication condition, then CyberArk Identity checks for a digital certificate issued by a trusted certificate authority and enforces the specified authentication profile before allowing access to this application.

    CyberArk support must enable the Certificate Authentication filter for your company.

    Conditions available:
    • is used
    • is not used

  10. Click the Add button associated with the filter and condition.

  11. Select the profile that you want applied if all filters/conditions are met in the Authentication Profile drop-down, then click OK.

    The authentication profile is where you define the authentication mechanisms. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.

  12. (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.

  13. If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.

  14. (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order they are applied.

  15. If you configure one-time passcode (OTP) as an authentication method for your users, then as long as endpoint authentication is enabled in your policy settings, users can authenticate with the passcode when their machines are offline. Offline OTP requires that users first log in to the User Portal with an internet connection to get the offline code. Direct users to Set up OTPs to authenticate for information on setting up offline OTP.

    If your users also have an enrolled Android or iOS device, after they successfully authenticate to their cloud agent-enrolled machine, they can refresh the Passcodes section of the Idaptive Mobile application to automatically create an offline OTP code.

  16. From the policy, select Endpoint Policies > Common Settings > Agent Settings > Lock Screen, then make selections for the following grace period settings.

    The grace period is the amount of time that an active user session can be accessed without MFA challenges. Examples of accessing an active user session include unlocking the screen or switching between logged on users. If the user session is terminated, the grace period timer restarts.

    Setting: MFA grace period for OS X and Windows screen unlock

    To specify a grace period, select one of the minute or hour values from the drop-down menu. To specify no grace period, select Immediately. In this case, a locked device immediately requires MFA challenges for unlocking. The default value is Immediately.

    Any change in the grace period setting takes effect only after the period defined in the Update device information frequency (default 12 hours) setting in Endpoint Policies > Device Management Settings, or if policies are manually pushed, or on device restart.

    Setting: Enable MFA grace period when device is offline

    Use this setting to control whether the MFA grace period is applied for offline devices. This allows you to choose between user convenience or a strict security posture.

    There is no limit to authentication attempts or lockout with offline authentication. If MFA is not applied, then an attacker has unlimited password attempts within the grace period to sign in.

    The default is equivalent to No, where MFA is always enforced on offline devices.

    If Disable MFA for OS X lock screen is set to Yes, this setting will be ignored.

    Self-service password reset is unavailable inside the MFA grace period.

  17. (Optional) Configure settings for self-service password reset and self-service account unlock.

  18. Click Save.
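
As an added illustration of the policy semantics described in the procedure above (rules are tried top to bottom and the first rule whose filters all hold wins; the Default Profile applies otherwise; Not Allowed refuses sign-in; a time range such as 18:00 to 09:00 wraps past midnight) together with the Lock Screen grace period settings (Immediately as the default, MFA always enforced offline unless the offline grace period is enabled, and Disable MFA for OS X lock screen overriding both), the following Python script models that decision logic. It is example code written for this page, not CyberArk's implementation: the secure zone ranges, the rule and context data model, and the function names are constructed assumptions, and it handles UTC only.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed secure zones, standing in for Settings > Network > Secure Zones.
SECURE_ZONES = {
    "headquarters": ["10.0.0.0/8"],
    "branch": ["192.168.10.0/24"],
}
NOT_ALLOWED = "Not Allowed"          # the profile that denies sign-in outright
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass
class LoginContext:
    """What is known about a login attempt (assumed model). Times are UTC."""
    ip: str
    when: datetime
    device_os: str = "macOS"
    risk_level: str = "Non Detected"


@dataclass
class Rule:
    """One authentication rule: every (filter, condition, value) triple must hold.
    Conditions that take no value use None as the value."""
    filters: list
    profile: str


def in_zone(ip: str, zone: str) -> bool:
    return any(ip_address(ip) in ip_network(cidr) for cidr in SECURE_ZONES[zone])


def in_any_zone(ip: str) -> bool:
    return any(in_zone(ip, zone) for zone in SECURE_ZONES)


def in_time_range(t: time, start: time, end: time) -> bool:
    """hh:mm range check; a range such as 18:00 to 09:00 wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def filter_matches(ctx: LoginContext, name: str, condition: str, value) -> bool:
    if name == "IP Address":
        if condition == "inside secure zones":
            return in_any_zone(ctx.ip)
        if condition == "outside secure zones":
            return not in_any_zone(ctx.ip)
        if condition == "inside secure zone...":
            return in_zone(ctx.ip, value)      # value names the specific zone
    if name == "Day of Week":                  # value is a set of day names
        return DAYS[ctx.when.weekday()] in value
    if name == "Time Range":                   # value is (start, end) time objects
        return in_time_range(ctx.when.time(), *value)
    if name in ("Device OS", "Risk Level"):
        actual = ctx.device_os if name == "Device OS" else ctx.risk_level
        return actual == value if condition == "equal to" else actual != value
    raise ValueError(f"unsupported filter {name!r} / {condition!r}")


def select_profile(rules: list, ctx: LoginContext, default_profile: str) -> str:
    """Rules are evaluated top to bottom; the first rule whose filters all hold
    decides. Otherwise the Default Profile applies. NOT_ALLOWED refuses login."""
    for rule in rules:
        if all(filter_matches(ctx, *flt) for flt in rule.filters):
            return rule.profile
    return default_profile


def unlock_requires_mfa(now: datetime, session_mfa_at: datetime,
                        grace: Optional[timedelta], offline: bool,
                        offline_grace_enabled: bool = False,
                        lockscreen_mfa_disabled: bool = False) -> bool:
    """Lock Screen settings: does unlocking (or switching user) need an MFA challenge?
    session_mfa_at is when the current session last passed MFA; a terminated
    session gets a new value at its next login, which restarts the grace timer.
    grace=None models the Immediately setting (the default)."""
    if lockscreen_mfa_disabled:                 # Disable MFA for OS X lock screen = Yes
        return False                            # makes the offline setting irrelevant
    if grace is None:                           # Immediately: every unlock is challenged
        return True
    if offline and not offline_grace_enabled:   # default: MFA always enforced offline
        return True
    return now - session_mfa_at >= grace


if __name__ == "__main__":
    rules = [
        Rule([("Time Range", "between", (time(18, 0), time(9, 0)))], NOT_ALLOWED),
        Rule([("IP Address", "inside secure zone...", "headquarters")], "Password only"),
    ]
    ctx = LoginContext("10.4.5.6", datetime(2024, 5, 15, 20, 0, tzinfo=timezone.utc))
    print(select_profile(rules, ctx, "Password + Mobile Authenticator"))  # Not Allowed
```

Reordering the two rules in the demo changes the outcome for a headquarters login after 18:00, which is the point of step 14: rule position, not rule content, decides which profile a user who matches several rules receives.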

Enroll macOS machines with the Mac Cloud Agent

Enroll Macs on behalf of individual users to enforce adaptive MFA.

Step 1: Create a local user on the Mac with the same name as the user created in Require MFA for macOS endpoints

If the user that you want to enroll already has a local account on the Mac, you should rename the local account to match the username of the account you plan to enroll the device on behalf of. For example, if a user logs in to a local account FirstName and you want to enroll the device on behalf of an AD user FirstName.LastName@mydomain.com, you should rename the local account FirstName to FirstName.LastName so the user can continue using the same desktop after enrollment. Refer to https://support.apple.com/en-us/HT201548 for more information about renaming a user's home directory.

If no matching local account is found, the enrollment process creates a new local account with the same username as the directory source. For example, if the user logs in as FirstName and you enroll the device for an AD user FirstName.LastName@mydomain.com, the enrollment process creates a new local user FirstName.LastName; this new local account does not keep the same desktop and browser settings.

You can skip this step if a matching local user already exists on the Mac. For example, a mobile user that was converted to a local user when the device left an AD domain.

  1. Log in to the Mac with an administrator's account.
  2. Open System Preferences, then select Users and Groups.
  3. Click the lock to make changes and enter your admin password.
  4. Click the + icon and complete the required fields, then click Create User.

Step 2: Enroll the Mac endpoint on behalf of the user whom you want to require to authenticate with MFA.

In this example, we use the user created in Require MFA for macOS endpoints.

  1. From the downloads page in the Identity Administration portal, select Agents from the drop-down menu and download the Mac Cloud Agent.

    The Mac Cloud Agent download begins (CyberArk-Mac-Agent.dmg).

  2. Open the (CyberArk-Mac-Agent.dmg) file, then double-click the (CyberArk-Mac-Agent.pkg) file.

    The installer for Mac Cloud Agent opens.

  3. Click through the on-screen instructions, agreeing to the software license agreement and entering administrator credentials when necessary.

  4. Select Launch CyberArk Agent, then click Continue.

    The Sign In window appears.

  5. Enter the user credentials for an admin user in a role with the Device Enroll On Behalf Of administrative right assigned.

    Refer to Identity Administration portal administrative rights for more information.

  6. Click Enroll this mac for a different user.

    The Enroll this mac for a different user window appears.

  7. Complete the User to Enroll and Account Name fields, then click Enroll.

    Enter the admin credentials of the local admin user on the Mac when prompted.

    Field Description

    User to Enroll

    Enter the username and domain suffix that the user will use to log in to the User Portal.

    For example, myuser@mydomain.com.

    Account Name

    Select the username for the account associated with the user.

    For example, myuser.

    You can click the arrows in the menu to see a list of all users (either local users or users in the domain that the device is joined to) or start typing the username to filter the list. If you don’t see the account associated with the user, make sure the user exists or that your device is joined to the AD domain.

  8. Click Done when you see the Enrollment Complete message.

Alternatively, complete steps 1 to 7 above, then finish enrollment by installing the MDM profile:


  8. Click Download to download the MDM profile, then close the Mac Cloud Agent.

  9. Open System Preferences, then click Profiles.

  10. Select the CyberArk Identity profile from the list of downloaded profiles, then click Install... and confirm the installation, entering your admin credentials as needed.

Your user can now log in to the Mac endpoint with their CyberArk Cloud Directory account using MFA. Once users have logged in to the Identity User Portal, they can configure additional authentication factors such as security questions, OATH OTP, Offline OTP, and Phone PIN.

Mobile Users (Apple AD) are converted to a Standard user upon the first successful MFA login. This removes the user from the FileVault screen, so you must re-add those users to FileVault.

If your organization uses an EAP-based WiFi network, users need a wired connection or a non-EAP WiFi network to log in to a Mac. This is because EAP WiFi requires access to the Keychain, so without another connection option (like a wired connection) the Mac is effectively offline when users are at the login screen. CyberArk recommends requiring users to configure an offline OTP after their initial login, so that users can use the offline OTP for future logins from the login window (after a reboot or logout), and not have to rely on a wired connection or less secure WiFi network. Direct your users to Sign in with multi-factor authentication for more information about configuring an offline OTP, as well as using other authentication factors.