Passport & Managing Passwords

By Trevor Gerzen

Learn important information about Passport and password management

For information about setting up Passport, read through our Configure the Passport Library Item article.

Password Changes and Resets

When logging in at the Passport Login Window, users should always enter their full email address in the username field. This ensures the authentication session is handled by the IdP rather than falling back to local authentication. To avoid confusion between the Passport Login Window (email address) and the FileVault login window (local account name), make sure the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Users should change their password in the following order:

  • Change the password with your organization's IdP first. The IdP is the source of truth; Passport never pushes a local password change back to the IdP.
  • If you have a Passport Reset URL defined, users can start an IdP password reset from the Kandji menu bar app or from the Passport Login Window (see the two sections below).
  • Let Passport guide the user to change their local Mac account password (also referred to as the local password) to match the new IdP password. Depending on the Store user password setting, Passport can do this automatically without asking for the old local password.

Password Reset at the Passport Login Window

  • When a user enters their IdP password incorrectly three times at the Passport Login Window, Passport displays a link to the password reset URL, provided one was configured in the Login Window settings of the Passport Library Item.

Password Reset at the Kandji Menu App

  • Users can start an IdP password reset using the Reset Password option under the gear icon in the Kandji menu bar app. They are directed to the Passport reset URL specified in your Passport Library Item.
  • Users must have logged in with their full email address (an IdP-backed session) for the Reset Password option to appear in the Kandji menu bar app.


Password Syncing with the identity provider

The behavior depends on the Store user password setting in the Passport Library Item.

If Store user password is set to Securely store password, Passport holds a copy of the user's local password and supplies it on the user's behalf when syncing:

  • If a user is logged out of their Mac, changes their password with the IdP, and then enters the new IdP credentials at the Passport Login Window, Passport automatically updates the local password to match the IdP password.
  • If a user is already logged in and changes their password with the IdP, Passport prompts them within 5 minutes to update their local password. The user only has to enter the new IdP password; Passport supplies the stored local password and changes it to match.

If Store user password is set to Do not store password, Passport has no copy of the local password and the user must supply it:

  • If a user is logged out of their Mac, changes their password with the IdP, and then enters the new IdP credentials at the Passport Login Window, Passport asks the user for their current local password before changing it to match the IdP password.
  • If a user is already logged in and changes their password with the IdP, Passport prompts them within 5 minutes to update their password. The user must enter both their current local password and their new IdP password for Passport to change the local password to match.

In either mode, when a user logs in to the Mac with a new IdP password and the local password no longer matches, Passport prompts for the old local password as needed. With Do not store password, the user must enter both passwords; with Securely store password, the stored local password is used and the user only enters the IdP password.

Password Syncing with Okta

If you are using Okta and have selected Securely store password, disable the Refresh Token grant in your Passport OIDC application. With refresh tokens enabled, Passport does not re-authenticate against Okta and therefore will not prompt users to update their local password while they are logged in to their Mac. Enable the Refresh Token grant only if you have selected Do not store password in your Passport Library Item; in that mode it prevents users from being repeatedly prompted to re-enter their credentials while logged in.

Password Changes in System Settings or System Preferences

To prevent users from changing their local password outside of Passport (which would leave it out of sync with the IdP), you can disallow local password changes on the Mac with a Restrictions library item by selecting Disallow passcode modification.

Any option in System Settings (or System Preferences) for users to change their passwords will then be inactive.

Password Check Frequency

Passport checks the user's password every 5 minutes while the user is logged in, and at every online login from the Passport Login Window. These checks verify that the local account password and the user's IdP password are the same. If they differ, the user is prompted to provide their IdP password (and, with Do not store password, their local password) so Passport can bring the local password back in sync.

Passport & Passcode Conflicts

When using Passport, remove the Passcode Library Item from the Blueprint containing Passport to avoid configuration conflicts. Your IdP should enforce password requirements; the local Passcode profile only gets in the way when the two disagree.

When the Passcode profile enforces a password requirement that is stricter than the requirements defined by the IdP, an IdP password that is valid for the IdP can be rejected as a local password, and an error message is displayed to the user at the Passport Login Window. To resolve this, remove the Passcode Library Item from any Blueprints that also contain Passport. You can read more about this in our Passport Compatibility with macOS & Kandji Features article.