Deploying Okta Desktop Password Sync and Platform Single Sign-On

By Chad Satterfield

Learn how to set up and configure Okta Desktop Password Sync and Platform SSO in Kandji

Okta Desktop Password Sync is currently in Okta "Early Access" release. See Okta's resource: Manage Early Access and Beta.

Requirements

Okta Requirements

  • Your Okta Identity Engine org is available.
  • Your macOS computers are running a minimum of macOS Ventura (13.0). Version 13.5 is recommended for the best user experience.
  • The Okta Verify authenticator is set up in your org.
  • The Desktop Password Sync application is available for your organization. If you can't locate the Desktop Password Sync app in the app catalog, contact your Okta account representative.
  • Optional: If your org requires biometrics for user authentication, then users must have Touch ID set up before starting the Desktop Password Sync enrollment flow.

Additional Requirements

  • A plain text editor such as Visual Studio Code, Sublime Text, BBEdit, etc.
  • Two mobileconfig files that will be edited and uploaded to Kandji as Custom Profiles.
  • The Okta Verify app added to your Kandji tenant from Apple Business Manager Apps & Books (see the Kandji guide on adding Apps & Books apps).

Create and configure the Desktop Password Sync app integration in Okta

  1. In the Okta Admin Console, go to Applications > Applications Catalog.
  2. Search for Desktop Password Sync and select the app.
  3. Click Add Integration. If you get an error message saying This feature isn’t enabled, contact your Okta account representative.
  4. Open Desktop Password Sync from your Applications list to configure it.
  5. On the General tab, you can edit the application label or use the default label.
  6. On the Sign on tab, take note of the Client ID. You will need this when creating the Single Sign-On profile.
  7. Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.
  8. Click Save.

Edit the mobileconfig template files

Two mobileconfig files are needed to enable Desktop Password Sync: a Platform SSO configuration profile and an Okta Verify configuration profile. Follow the below steps to edit the provided templates and add them as Custom Profile Library Items in Kandji. You must edit them using a plain text editor such as Visual Studio Code, Sublime Text, BBEdit, etc.

  1. Download the Okta_PSSO_Configuration_Template.mobileconfig file from the Kandji support GitHub repository.
  2. Download the Okta_Verify_Configuration_Template.mobileconfig file from the Kandji support GitHub repository.
  3. Open the “Okta_PSSO_Configuration_Template.mobileconfig” file in your text editor and update the following sections:
    1. Update the “AssociatedDomains” section of the Associated Domains payload, replacing the example domain with your own Okta tenant address.

      Example: authsrv:accuhive.okta.com

    2. Update the “URLs” section of the Extensible SSO payload and replace the example domain with your Okta tenant information. Leave the rest of the URL as is.

      Example: accuhive.okta.com

    3. Save the mobileconfig file.

  4. Open the “Okta_Verify_Configuration_Template.mobileconfig” file in your text editor and update the following sections:

    1. Update the OktaVerify.OrgUrl section of the com.okta.mobile payload with your Okta tenant URL.

      Example: https://accuhive.okta.com

    2. Update the “OktaVerify.PasswordSyncClientID” section of the com.okta.mobile payload with the Client ID of your Desktop Password Sync app that you recorded earlier.

    3. Update the “OktaVerify.OrgUrl” section of the com.okta.mobile.auth-service-extension payload with your Okta tenant URL.

    4. Update the “OktaVerify.PasswordSyncClientID” section of the com.okta.mobile.auth-service-extension payload with the Client ID of your Desktop Password Sync app that you recorded earlier.

    5. Save the mobileconfig file.
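The four edits above can be scripted so the same tenant host and Client ID land in both profiles and no example value is left behind. The following is an added example, not Kandji's or Okta's code; the two templates it edits are constructed stand-ins that model only the payload types and keys named in the steps, and the tenant host and Client ID are placeholders.

```python
import plistlib
from copy import deepcopy

EXAMPLE_HOST = "accuhive.okta.com"  # example tenant used in the templates
OKTA_PAYLOADS = {"com.okta.mobile", "com.okta.mobile.auth-service-extension"}

# Constructed stand-ins for the two Kandji templates: only the payload types
# and keys the guide tells you to edit are modelled; the real files carry more.
PSSO_TEMPLATE = {"PayloadContent": [
    {"PayloadType": "com.apple.associated-domains",
     "AssociatedDomains": [{"AssociatedDomains": ["authsrv:" + EXAMPLE_HOST]}]},
    {"PayloadType": "com.apple.extensiblesso",
     "URLs": ["https://" + EXAMPLE_HOST + "/constructed-path"]},
]}
VERIFY_TEMPLATE = {"PayloadContent": [
    {"PayloadType": t, "OktaVerify.OrgUrl": "https://" + EXAMPLE_HOST,
     "OktaVerify.PasswordSyncClientID": "REPLACE_ME"} for t in sorted(OKTA_PAYLOADS)
]}

def _swap_host(value, tenant):  # replace the example host at any nesting depth
    if isinstance(value, str):
        return value.replace(EXAMPLE_HOST, tenant)
    if isinstance(value, list):
        return [_swap_host(v, tenant) for v in value]
    if isinstance(value, dict):
        return {k: _swap_host(v, tenant) for k, v in value.items()}
    return value

def configure(psso, verify, tenant, client_id):
    """Return edited copies of both profiles for the given Okta tenant host."""
    psso, verify = deepcopy(psso), deepcopy(verify)
    for p in psso["PayloadContent"]:
        for key in ("AssociatedDomains", "URLs"):  # only these sections change
            if key in p:
                p[key] = _swap_host(p[key], tenant)
    for p in verify["PayloadContent"]:
        if p.get("PayloadType") in OKTA_PAYLOADS:
            p["OktaVerify.OrgUrl"] = "https://" + tenant
            p["OktaVerify.PasswordSyncClientID"] = client_id
    return psso, verify

def leftover_examples(*profiles):
    """Count strings still carrying the example host or the unset client ID."""
    text = "".join(plistlib.dumps(p).decode() for p in profiles)
    return text.count(EXAMPLE_HOST) + text.count("REPLACE_ME")

if __name__ == "__main__":
    # Constructed tenant host and client ID; real values come from your Okta org.
    edited = configure(PSSO_TEMPLATE, VERIFY_TEMPLATE, "example.okta.com", "0oaEXAMPLE")
    print("leftover example values:", leftover_examples(*edited))  # 0 when fully edited
```

To use it on the real templates, load each file with `plistlib.load` in place of the constructed dictionaries and write the results back with `plistlib.dump` before uploading to Kandji.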

Create the Custom Profiles in Kandji

  1. In the Kandji Web App, navigate to Library in the left-hand navigation bar.
  2. Click Add New from the top right of the screen.
  3. Find the Custom Profile Library Item and click on it.
  4. Click Add & Configure.
  5. Provide a name for the Library Item.
  6. Assign it to your desired Blueprint(s).
  7. Upload the modified “Okta_PSSO_Configuration_Template.mobileconfig” file.
  8. Click Save.
  9. Repeat steps 1 through 8 for the “Okta_Verify_Configuration_Template.mobileconfig” file.
  10. Ensure the Okta Verify app is assigned to the same Blueprint(s) as the Custom Profile Library Items created earlier.
  11. Once the profiles and Okta Verify app are distributed to your Mac computers, users will be prompted to register and synchronize their Okta password.

On-Device Setup

Prerequisites

  • Before registering Okta Verify and setting up Desktop Password Sync, ensure Touch ID has been set up on your computer.

Initial Registration

  1. After the profiles and Okta Verify are deployed, a notification will be presented showing Registration Required. Click Register.
  2. Enter your current computer password when prompted.
  3. Start the Okta Verify setup process by clicking Set up in the popup window.
  4. You will continue the process in your web browser.
  5. Log into your Okta account in your web browser.
  6. Once your identity is verified you can close your web browser window. You will be prompted to enable Touch ID.
  7. Next, you will be prompted to authenticate to sync your Okta password to your local account. Click Continue.
  8. Click Sign In on the notification that appears.
  9. Enter your Okta password and click Sign in.
  10. You will see a notification letting you know your password has been synchronized.

Password Changes

With Platform SSO enabled, Apple by design removes the Change button from the Password field in Users & Groups settings. This helps keep your Mac password in sync with your Okta password. If your Okta password changes, there are a few ways to update your Mac password to match it.

Until you update your password, you will continue to use your old password to log in to your Mac.

Okta Verify Notification

  1. When you see the Authentication Required notification, click Sign In.
  2. Enter your new Okta password and click Sign In.
  3. You will see a notification that your password has been updated.

Lock Screen

You can enter your new Okta password at the macOS Lock Screen (not at the FileVault unlock screen or the Login Window); on successful authentication, the local account password is updated automatically.

System Settings (Sonoma Only)

  1. After your password is changed in Okta, open System Settings and select Users & Groups. Click the info icon next to your user name.
  2. In the Platform Single Sign-on section, click Authenticate.
  3. Enter your new Okta password when prompted.
  4. You will see a notification that your password has been synchronized.