Require MFA for macOS endpoints

This topic describes how to enroll macOS machines with the Mac Cloud Agent to enforce adaptive MFA without depending on direct connectivity (LAN or VPN) to the directory source (for example, Active Directory).

Before you enroll any macOS endpoints, you should create a policy set to configure adaptive MFA for your macOS users. The Mac Cloud Agent supports the following authentication mechanisms:

  • Mobile Authenticator

    The number matching feature of the Mobile Authenticator is not supported by the Mac Cloud Agent. In your Mac Cloud Agent policy set, disable Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Require number matching for mobile authenticator to prevent accidental approvals.
  • email

  • phone call

  • SMS

  • OATH OTP

  • QR code

    The Mac Cloud Agent does not support QR code identification on the login screen.
  • security questions

CyberArk MFA for Mac is not compatible with FIPS 140-2-compliant cryptographic algorithms being enforced for authentication protocols.

Configure adaptive MFA for macOS users

Configure an authentication policy to enforce adaptive MFA when users log in to their enrolled macOS machines. For example, you could use additional authentication mechanisms if a user tries to log in from outside of your corporate IP range.

To configure adaptive MFA for macOS users
  1. In the Identity Administration portal, go to Core Services > Policies, and then select the policy that you want to edit or click Add Policy Set to create a new one.

    The Policy Settings page opens.

  2. Select the Specified Roles or the Sets option in the Policy Assignment area.

  3. Click Add, find and select the role or set that contains the relevant users or endpoints, then click Add.

  4. Go to Authentication Policies > Endpoint Authentication.

  5. Select Yes in the Enable authentication policy controls drop-down.

    If you want users to authenticate regardless of the login condition, skip the following step and use the Default Profile (used if no conditions matched) drop-down to define an authentication profile.

    If you configure one-time passcode (OTP) as an authentication method and endpoint authentication is enabled in the policy, users can authenticate with the passcode when their machines are offline. Offline OTP requires that users first log in to the User Portal with an internet connection to obtain the offline code. Direct users to Set up OTPs to authenticate to the User Portal for information on setting up offline OTP.

    If your users also have an enrolled Android or iOS device, then after they successfully authenticate to their cloud-agent-enrolled machine they can refresh the Passcodes section of the Idaptive Mobile application to automatically create an offline OTP code.
  6. Create an authentication rule.

    For more information on adding authentication rules, see Create authentication rules.

    When you create an authentication profile for Mac MFA, password must be the first mechanism (Challenge 1 column).

    See Create authentication profiles for more information.

  7. The grace period is the amount of time that an active user session can be accessed without MFA challenges. Examples of accessing an active user session include unlocking the screen or switching between logged on users. If the user session is terminated, the grace period timer restarts.

    From the policy, select Endpoint Policies > Common Settings > Agent Settings > Lock Screen, then make selections for the grace period settings described in the table below.

    MFA grace period is unavailable with the WebView experience.

    Grace period settings descriptions

    MFA grace period for OS X and Windows screen unlock

      To specify a grace period, select one of the minute or hour values from the drop-down menu. To specify no grace period, select Immediately; a locked device then requires MFA challenges to unlock. The default value is Immediately.

      Any change in the grace period setting takes effect only after the period defined in the Update device information frequency setting (default 12 hours) in Endpoint Policies > Device Management Settings, when policies are manually pushed, or when the device restarts.

    Enable MFA grace period when device is offline

      Use this setting to control whether the MFA grace period also applies while the device is offline, trading user convenience against a stricter security posture.

      Offline authentication has no attempt limit and no lockout. If the grace period applies offline, MFA is not enforced at the lock screen during that period, so an attacker with the device has unlimited password attempts to sign in until the grace period expires.

      The default is equivalent to No: MFA is always enforced on offline devices.

      If Disable MFA for OS X lock screen is set to Yes, this setting is ignored.

    Self-service password reset is unavailable inside the MFA grace period.

  8. (Optional) Configure settings for self-service password reset and self-service account unlock.

  9. Click Save.

Enroll macOS machines with the Mac Cloud Agent

Enroll Macs on behalf of individual users to enforce adaptive MFA.

Step 1: Create a local user on the Mac with the same name as the user created in Require MFA for macOS endpoints

If the user that you want to enroll already has a local account on the Mac, you should rename the local account to match the username of the account you plan to enroll the device on behalf of. For example, if a user logs in to a local account FirstName and you want to enroll the device on behalf of an AD user FirstName.LastName@mydomain.com, you should rename the local account FirstName to FirstName.LastName so the user can continue using the same desktop after enrollment. Refer to https://support.apple.com/en-us/HT201548 for more information about renaming a user's home directory.

If no matching local account is found, the enrollment process creates a new local account with the same username as the directory source. For example, if the user logs in as FirstName and you enroll the device for an AD user FirstName.LastName@mydomain.com, the enrollment process creates a new local user FirstName.LastName; this new local account does not keep the same desktop and browser settings.

You can skip this step if a matching local user already exists on the Mac, for example a mobile user that was converted to a local user when the device left an AD domain.

  1. Log in to the Mac with an administrator's account.
  2. Open System Preferences, then select Users and Groups.
  3. Click the lock to make changes and enter your admin password.
  4. Click the + icon and complete the required fields, then click Create User.
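A pre-enrollment check for Step 1, written here as an added example and not part of CyberArk's tooling: it derives the expected local short name from the directory user's UPN (the part before the @, as in the FirstName.LastName@mydomain.com example above) and reports whether a local account with that name exists on the Mac, reading the account list with dscl. The UPN-to-short-name rule, the dscl-based lookup and the optional list argument (used to run the logic against a constructed account list) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not CyberArk's code): check, before enrolling, that the Mac has a
# local account whose short name matches the directory user being enrolled.
# Assumption: the local short name is the UPN's local part
# (FirstName.LastName@mydomain.com -> FirstName.LastName).

# Print the local part of a UPN; fail on anything that is not user@domain.tld.
upn_to_short_name() {
    case "$1" in
        *@*.*) printf '%s\n' "${1%%@*}" ;;
        *) return 1 ;;
    esac
}

# $1 = short name, $2 = newline-separated account list. Exact, literal match.
short_name_in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Live local account list; dscl exists only on macOS. Hidden service accounts
# (leading underscore) are dropped.
local_accounts() {
    dscl . -list /Users | grep -v '^_'
}

# $1 = UPN to enroll, $2 = account list (defaults to the live dscl output).
# Returns 0 if a matching local account exists, 1 if not, 2 for a bad UPN.
check_enrollment_user() {
    upn="$1"
    list="${2:-$(local_accounts)}"
    short=$(upn_to_short_name "$upn") || { echo "invalid UPN: $upn"; return 2; }
    if short_name_in_list "$short" "$list"; then
        echo "OK: local account '$short' exists; enrollment will reuse it"
        return 0
    fi
    echo "MISSING: no local account '$short'; rename the user's existing local account or create it (Step 1) before enrolling"
    return 1
}

# Usage on the Mac: sh precheck.sh FirstName.LastName@mydomain.com [more UPNs...]
if [ $# -gt 0 ]; then
    for u in "$@"; do
        check_enrollment_user "$u"
    done
fi
```

Run it as the local admin on the Mac before Step 2. A MISSING result means the enrollment would create a fresh local account (and a fresh desktop) rather than reuse the user's existing one, which is exactly the case Step 1 tells you to resolve by renaming first.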

Step 2: Enroll the Mac endpoint on behalf of the user who you want to require to authenticate with MFA.

In this example, we'll use the user created in Require MFA for macOS endpoints.

  1. From the downloads page in the Identity Administration portal, select Agents from the drop-down menu and download the Mac Cloud Agent.

    The Mac Cloud Agent download begins (CyberArk-Mac-Agent.dmg).

  2. Open the (CyberArk-Mac-Agent.dmg) file, then double-click the (CyberArk-Mac-Agent.pkg) file.

    The installer for Mac Cloud Agent opens.

  3. Click through the on-screen instructions, agreeing to the software license agreement and entering administrator credentials when necessary.

  4. Select Launch CyberArk Agent, then click Continue.

    The Sign In window appears.

  5. Enter the user credentials for an admin user in a role with the Device Enroll On Behalf Of administrative right assigned.

    Refer to Identity Administration portal administrative rights for more information.

  6. Click Enroll this mac for a different user.

    The Enroll this mac for a different user window appears.

  7. Complete the User to Enroll and Account Name fields, then click Enroll.

    Enter the admin credentials of the local admin user on the Mac when prompted.

    User to Enroll

      Enter the username and domain suffix that the user will use to log in to the User Portal. For example, myuser@mydomain.com.

    Account Name

      Select the username of the local or domain account associated with the user. For example, myuser.

      You can click the arrows in the menu to see a list of all users (either local users or users in the domain that the device is joined to), or start typing the username to filter the list. If you don't see the account associated with the user, make sure the user exists or that your device is joined to the AD domain.

  8. Click Done when you see the Enrollment Complete message.

    If the enrollment flow instead ends by offering an MDM profile for the device, complete the following steps in place of step 8:

  8. Click Download to download the MDM profile, then close the Mac Cloud Agent.

  9. Open System Preferences, then click Profiles.

  10. Select the CyberArk Identity profile from the list of downloaded profiles, click Install..., and confirm the installation, entering your admin credentials as needed.

Your user can now log in to the Mac endpoint with their CyberArk Cloud Directory account using MFA. Once users have logged in to the Identity User Portal, they can configure additional authentication factors such as security questions, OATH OTP, Offline OTP, and Phone PIN.

Mobile users (Apple AD mobile accounts) are converted to a Standard user upon the first successful MFA login. This removes the user from the FileVault screen, so you must re-add the user to FileVault.

If your organization uses an EAP-based WiFi network, users need a wired connection or a non-EAP WiFi network to log in to a Mac. This is because EAP WiFi requires access to the Keychain, so without another connection option (like a wired connection) the Mac is effectively offline when users are at the login screen. CyberArk recommends requiring users to configure an offline OTP after their initial login, so that users can use the offline OTP for future logins from the login window (after a reboot or logout), and not have to rely on a wired connection or less secure WiFi network. Direct your users to Sign in with multi-factor authentication for more information about configuring an offline OTP, as well as using other authentication factors.