This article provides answers to frequently asked questions about Desktop Password Sync.
- For more information about Okta Device Access, refer to Frequently Asked Questions About Okta Device Access
- For more information about Desktop MFA, refer to Frequently Asked Questions About Desktop MFA
Table of Contents
What are the core capabilities of Desktop Password Sync for macOS?
How is Desktop Password Sync different from Apple’s Platform SSO?
What are the main pain points solved by Desktop Password Sync for macOS?
What are the prerequisites to deploy Desktop Password Sync for macOS?
Where can I learn more about the deployment experience for Desktop Password Sync for macOS?
What is stored locally on the desktop with Desktop Password Sync for macOS?
Does Desktop Password Sync support shared macOS computers?
What are Okta’s plans to support Desktop Password Sync for other operating systems?
What password recovery flows are available?
What reporting capabilities are available?
What happens if a user enrolling in Desktop Password Sync already has FastPass?
Is it possible to have password sync but not FastPass?
How frequently will the system check for updated passwords?
When does Desktop Password Sync perform password synchronization?
Can I test or trial Desktop Password Sync?
What are the core capabilities of Desktop Password Sync for macOS?
- To sign in to your macOS account with your Okta password by syncing passwords
- To provide an easy enrollment flow for password sync that also sets up Okta Verify and FastPass
- To auto-enroll users to FastPass to provide secure and passwordless access to all their apps after device sign-in
NOTE: Implementing Desktop Password Sync DOES NOT remove the Touch ID capability to unlock a Mac. Users can still use Touch ID to passwordlessly unlock their computer.
How is Desktop Password Sync different from Apple’s Platform SSO?
During Apple’s 2022 Worldwide Developers Conference (WWDC), Apple announced a new framework, Platform Single Sign-On (Platform SSO). Among other capabilities, it lets an identity provider (IdP) keep the macOS local account password in sync with the IdP password. With Desktop Password Sync for macOS, Okta was the first IdP to ship capabilities built on this framework.
Okta built on Platform SSO to provide device password synchronization and automatic FastPass enrollment, so that organizations can simplify credential management and deploy passwordless authentication to any Okta-managed app, giving users a better and more secure experience. With Desktop Password Sync for macOS, users can log in to all their apps seamlessly: access requests from any browser or app are forwarded automatically to FastPass, which silently signs the user in, prompts for Touch ID, or asks the user to click a browser prompt, depending on policy.
Platform SSO is Apple's approach to making a desktop single sign-on experience available on macOS; Apple documents the framework in its developer documentation. Okta plans to continue building on this extension to support a wide variety of device access capabilities for macOS.
What are the main pain points solved by Desktop Password Sync for macOS?
Simplify password management for macOS
- By synchronizing the local macOS password with the Okta password, organizations can eliminate another password for users and admins to remember and manage. This reduces the mental burden of password management for all. In addition, this extended use of the IdP password helps enforce a strong and consistent password policy from device to apps.
Protect the business
- Implementing Desktop Password Sync protects the business by balancing security with convenience: enrollment in FastPass gives users secure, passwordless access to all their Okta-protected resources. FastPass minimizes end-user friction while raising the security bar with a phishing-resistant authenticator and adaptive policy checks that support a stronger Zero Trust posture. Binding device passwords to a cloud IdP such as Okta also integrates identity tightly from devices to apps, enabling more comprehensive controls.
What are the prerequisites to deploy Desktop Password Sync for macOS?
Please refer to the product documentation to learn more.
Where can I learn more about the deployment experience for Desktop Password Sync for macOS?
Refer to the product documentation to learn more.
What is stored locally on the desktop with Desktop Password Sync for macOS?
Stored locally on the operating system:
- Private key used for signing the Platform SSO requests
- Private key used for decrypting the Platform SSO responses
- Okta username and password
- Configuration metadata (e.g., orgUrl, okta API urls, client id)
- SCEP certificate with private key used for identifying the device when enrolling in Platform SSO
Stored on the server side with Okta:
- Corresponding signing public key
- Corresponding encrypting public key
Does Desktop Password Sync support shared macOS computers?
If a macOS system has multiple local accounts, Desktop Password Sync is deployed to the system via the MDM profile and applies to all local accounts. Desktop Password Sync can support multiple local accounts on the same device, but users must go through the registration flow for each local account. Each local account gets linked to only one Okta account (i.e., user profile), and that is the Okta account used during the registration flow.
What are Okta’s plans to support Desktop Password Sync for other operating systems?
Currently, this feature only supports macOS. Today, Okta does support password sync from Okta to AD via the Okta Active Directory (AD) agent, which requires additional permissions to write the new password to AD.
What password recovery flows are available?
Currently, there are no new password recovery flows. However, the user can change the Okta password using the existing password recovery/reset options from a second device, after which the next login or unlock syncs the new password to the Mac.
What reporting capabilities are available?
Events are recorded in the Okta System Log, and everything already available for Okta Verify and FastPass remains available. In addition, macOS logs can be collected from the device with the help of an MDM.
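The following is an added example, not code from the Okta article or from Okta. It shows one way to pull a user's enrollment-related events out of the Okta System Log (GET /api/v1/logs) for troubleshooting a Desktop Password Sync rollout, and to summarize successes and failures. The org URL, API token handling and user identifier are placeholders, and the two event types filtered on (device.enrollment.create and user.mfa.factor.activate) are general Okta device/Okta Verify events chosen as an assumption; the article does not name the exact event types Desktop Password Sync emits. The sample events at the bottom are constructed, so the block runs offline.

```python
"""Added example (not Okta's code): query and summarize Okta System Log events
for a Desktop Password Sync rollout.

Assumptions (not stated in the article): ORG_URL and the user are placeholders;
EVENT_TYPES are general Okta device / Okta Verify event types, not a list of
events the feature is documented to emit.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

ORG_URL = "https://example.okta.com"  # placeholder org URL (assumption)

# Assumed event types of interest; adjust to what your System Log shows.
EVENT_TYPES = (
    "device.enrollment.create",
    "user.mfa.factor.activate",
)


def build_logs_url(org_url: str, user: str, hours: int = 24) -> str:
    """Build a System Log query URL for one user's enrollment events.

    The logs API accepts a SCIM-style filter expression. The caller sends the
    request with an 'Authorization: SSWS <api-token>' header (token never
    goes in the URL).
    """
    since = (datetime.now(timezone.utc) - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    type_clause = " or ".join(f'eventType eq "{t}"' for t in EVENT_TYPES)
    filt = f'actor.alternateId eq "{user}" and ({type_clause})'
    return f"{org_url}/api/v1/logs?" + urlencode({"since": since, "filter": filt, "limit": 100})


def summarize(events: list[dict]) -> dict:
    """Count outcomes per event type and collect details of non-successes."""
    counts: Counter = Counter()
    failures = []
    for ev in events:
        event_type = ev.get("eventType", "?")
        outcome = ev.get("outcome") or {}
        result = outcome.get("result", "?")
        counts[(event_type, result)] += 1
        if result != "SUCCESS":
            failures.append({
                "published": ev.get("published"),
                "eventType": event_type,
                "device": (ev.get("client") or {}).get("device"),
                "reason": outcome.get("reason"),
            })
    return {"counts": dict(counts), "failures": failures}


# Constructed sample events in the System Log JSON shape (not real log data).
SAMPLE_EVENTS = [
    {"eventType": "device.enrollment.create", "published": "2024-01-10T09:00:01.000Z",
     "actor": {"alternateId": "jane@example.com"},
     "client": {"device": "Computer"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2024-01-10T09:00:05.000Z",
     "actor": {"alternateId": "jane@example.com"},
     "client": {"device": "Computer"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.activate", "published": "2024-01-10T09:02:11.000Z",
     "actor": {"alternateId": "jane@example.com"},
     "client": {"device": "Computer"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
]

if __name__ == "__main__":
    print(build_logs_url(ORG_URL, "jane@example.com"))
    report = summarize(SAMPLE_EVENTS)
    for (event_type, result), n in sorted(report["counts"].items()):
        print(f"{event_type:32} {result:8} {n}")
    for f in report["failures"]:
        print("FAILURE:", f)
```

Replace SAMPLE_EVENTS with the JSON array returned by the URL that build_logs_url produces, and page with the Link header if more than 100 events come back.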
What happens if a user enrolling in Desktop Password Sync already has FastPass?
If the user isn’t enrolled in FastPass, they will do so during the enrollment process for Desktop Password Sync. However, if the user is already enrolled in FastPass, the process will just perform a flow to update Okta Verify with Desktop Password Sync registration and keys.
Is it possible to have password sync but not FastPass?
Currently, the enrollment for Desktop Password Sync is an all-or-nothing enrollment. Users will register for password sync and FastPass automatically. However, password sync and FastPass are not dependent on each other to work. It is possible for an admin to allow users to not use FastPass and still enable password sync.
How frequently will the system check for updated passwords?
macOS will make a network request to verify the password is still synced with Okta when the user logs in or unlocks. Passwords can also be synced from the FileVault screen.
When does Desktop Password Sync perform password synchronization?
Here are the major password sync flows (internet connection must be available):
| Scenario | Behavior |
|---|---|
| User completes PSSO registration | Password sync happens as part of the registration process (the user sees a sign-in notification) |
| User changes local account password | Password sync happens |
| User changes IdP password | Password sync happens |
Can I test or trial Desktop Password Sync?
Yes. Please reach out to your Okta account team to learn more.
