Passport Deployment Considerations

By Nick Bickhart

Learn some important considerations when using Kandji Passport.

macOS Requirements

Passport requires Mac computers to run macOS 10.14 or newer. 

Password Changes

Users should always perform password changes with the identity provider.

Table of Contents

Provide a password reset URL

If a user enters their identity provider password incorrectly three times at the Passport login window, they will see the option to reset it with their identity provider. Be sure to include the password reset URL in your Passport configuration. Passport directs users to the same URL if they reset their passwords using the Kandji menu.

Password changes using the identity provider

Select Securely store password in the Passport library item to make the password change experience seamless for your users.

  • When Passport is set to securely store the user's password, it will create a keychain on the user's local Mac. Passport automatically uses the credentials stored in that keychain to update the password when users log in with their new credentials at the Passport login window. If the user is already logged in when they change their password with the identity provider, Passport will prompt them within 5 minutes to update their password; they will only have to enter the new one.



  • If the Store user password option is set to Do not store password, users will need to enter their old and new passwords to update their Mac credentials after changing them with their identity provider. When the user logs in to the Mac using their new identity provider password, Passport will prompt them to enter their old password. If the user is already logged in when they change their password with the identity provider, Passport will prompt them within 5 minutes to update their password; they will have to enter the old and new password.
If you are using Okta, disable the Refresh Token option in your Passport OIDC application. Otherwise, Passport will not prompt users to update their password while logged into their Mac.

Enable the Refresh Token in Okta only if you select Do not store password in your Passport library item, to prevent users from repeatedly being prompted to enter their credentials while logged in.

Password Changes using the Kandji menu

Users can change their identity provider password using the Reset Password option under the gear icon in the Kandji menu. They will be directed to the Passport reset URL specified in your Passport library item.


Password Changes in System Preferences

If users change their passwords on the Mac via the Users and Groups or Security panes in System Preferences, that password change does not sync back to the identity provider. However, Passport will detect that the passwords are out of sync and prompt the user to enter their identity provider credentials on the Mac, thus bringing the Mac back in sync. 




Alternatively, you can disallow any password changes on the Mac using a Restrictions library item and selecting Disallow passcode modification.



Any option in System Preferences for the users to change their passwords will then be inactive.

Password Check Frequency

Passport checks the user's password every 5 minutes and every online login from the login window. These checks ensure that the local account password and the user's identity provider password are the same. If they aren't, the user is prompted to provide their identity provider password. 

Login Experience

FileVault

Passport cannot be displayed at the FileVault login window when users turn on their Mac. For this reason, you should select Disallow automatic FileVault login in the Passport library item. The user will need to log in twice: once at the FileVault window and then again at the Passport login screen.



If Allow automatic FileVault login is selected, users will log in only at the FileVault login window, but they will not see the Passport login window unless they log out. The FileVault login window does not check credentials against an identity provider.

Network Connectivity

Passport requires network connectivity to check user credentials against the identity provider. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS. You can use the Secure Wi-Fi Settings parameter in Kandji to require local administrator credentials to change networks. If enabled, users will be prompted with a native authentication dialog at the Passport window when switching networks. 



To ensure that users can always log in to their Mac computers, Passport will allow them to log in using their identity provider credentials when there is no network connectivity.

Interaction with Other Library Items and Parameters

To provide the best user experience, you need to understand how Passport interacts with other library items. 

Automated Device Enrollment Library Item

When using Passport, select Skip primary account creation under Primary account type. That way, when users arrive at the Passport login screen and log in using their identity provider credentials, their Mac account will be provisioned. 


If you do not skip account creation, users will create an account and then be prompted to migrate that account upon login, resulting in unnecessary steps.




Passcode Library Item

When using Passport, remove the Passcode library item from the Blueprint containing Passport. Your identity provider should handle password requirements. If passcode requirements set by your identity provider are less restrictive than those set by the Passcode library item, it will result in the user being unable to change their password because it doesn't meet the password requirements of the local Mac.

Enforce a Custom Message for the Lock Screen Parameter

Configure a custom lock message and policy banner in the Kandji Passport library item. If you are using Enforce a custom policy banner or Enforce a custom message for the lock screen parameters, disable them for any Blueprints containing the Passport library item.

Troubleshooting

If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your identity provider.


Managed Apple ID alias

In some situations, a user may be logged in to an Apple ID with an account name that matches the IdP account name. Much like Passport, an alias is created in the local directory to match this Apple ID account name. When the Apple ID matches the IdP account name, a collision can occur that will prevent the user from signing in with the IdP account name.


This collision happens only when the user signs out of the Apple ID. The sign-out process removes the alias for the Apple ID. Since this alias matches the account name used by Passport, it removes the alias for Passport as well.

To resolve this, the alias must be restored. This can be done manually using the Users & Groups pane in System preferences, the Directory Utility application on the local computer, or by running a script via Kandji to update the account.


If you need assistance remediating this situation, please reach out to support.