This article provides steps for troubleshooting common macOS Desktop MFA Recovery PIN issues.
- Okta Device Access (ODA)
- Desktop MFA Recovery
- macOS
- Okta Identity Engine
Errors with the Desktop MFA Recovery PIN are usually caused by missing or invalid Device Access SCEP certificates; the certificate configuration can be validated against the Okta manual chapter: Device Access SCEP certificates.
Errors can also appear if the admin does not have the permissions outlined in the manual chapter: Standard administrator roles and permissions: Devices.
Error: A recovery PIN cannot be generated from the Admin Console.
Possible solutions if the admin sees this error:
- Ensure the prerequisites in the Desktop MFA Recovery guide are completed.
- The device is registered for recovery the next time a user logs in after enrolling in Desktop MFA (DMFA). The device must be online for the registration to happen. Until it has happened, the Admin Console shows an error when an admin tries to generate a recovery PIN for that user.
- Failure to register a device:
System logs can be found in /var/log/com.okta.deviceaccess/OktaDeviceAccess.log on macOS devices.
If the device registration step fails (during registration of the recovery code), the cause is usually an issue with the SCEP certificates. Refer to the Okta Help Page to make sure the SCEP profile is correctly configured.
Users can verify that the correct SCEP profile is installed on the device:
On macOS
Navigate to Settings > General > Device Management > Profiles.
Open the profile and verify its details.
The certificate installed by the profile is also visible under Keychain Access > System > Certificates.
On Windows
See the article: Verifying Device Management SCEP Certificate Installed Successfully on Desktop OS.
If the error below is seen, there are likely no Device Access SCEP certificates on the device, or the certificate that is present is invalid:
>{ "Recovery-Management": {"message": "Creating a new recovery enrollment", "defaultProperties": "", "location": "RecoveryManager.swift:registerRecoverySecret():96"}}
>{ "Recovery-Management": {"message": "Registration failed: Error Domain=OktaDAServiceDaemon Code=19 "Cert error: JWT generation failed with: genericError("Error generating management hint: noMatchingCertificate.")" UserInfo={NSLocalizedDescription=Cert error: JWT generation failed with: genericError("Error generating management hint: noMatchingCertificate.")}", "defaultProperties": "", "location": "CommunicationsManager.swift:registerRecoverySecret():319"}}
If the following error is seen, DMFA has found a SCEP certificate on the device, but the back end considers it invalid. This happens, for example, if the device was deleted from the Admin Console:
>{"Recovery-Management": {"message": "Registration failed: Error Domain=OktaDAServiceDaemon Code=19 "Registration error: Response decoding failed with: keyNotFound(CodingKeys(stringValue: "id", intValue: nil), Swift.DecodingError.Context(codingPath: [], debugDescription: "No value associated with key CodingKeys(stringValue: \"id\", intValue: nil) (\"id\").", underlyingError: nil))" UserInfo={NSLocalizedDescription=Registration error: Response decoding failed with: keyNotFound(CodingKeys(stringValue: "id", intValue: nil), Swift.DecodingError.Context(codingPath: [], debugDescription: "No value associated with key CodingKeys(stringValue: \"id\", intValue: nil) (\"id\").", underlyingError: nil))}", "defaultProperties": "", "location": "CommunicationsManager.swift:registerRecoverySecret():281"}}
If the device was deleted from the Admin Console, follow these steps:
- Uninstall the SCEP profile.
- Validate that the OS has removed the certificates from the keychain (macOS) or from the managed user/computer certificate stores (Windows).
- Reinstall the SCEP profile to obtain new certificates.
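The following shell script is an added troubleshooting example; it is not part of this article or of Okta's software. It reads the log path named above, takes the most recent "Registration failed" entry and maps it onto the two signatures shown (noMatchingCertificate for a missing or invalid certificate, keyNotFound for a certificate the back end rejected), and, on macOS only, lists System keychain certificate labels and installed configuration profiles with the built-in security and profiles commands so the profile and certificate checks above can be done from a terminal. The log path is the article's; the assumption that each log entry occupies one line, the classification labels, the function names and the constructed (abbreviated) sample log entries are mine.

```shell
#!/bin/sh
# Added triage example (not Okta's code). Classifies the Okta Device Access log
# against the recovery-registration failure signatures described in the article.
# Assumption: one log entry per line (the excerpts in the article are single lines).

LOG_PATH="${OKTA_DA_LOG:-/var/log/com.okta.deviceaccess/OktaDeviceAccess.log}"

# classify_recovery_log <logfile>
# Prints one of:
#   no_cert                      noMatchingCertificate: no Device Access SCEP cert on the device, or it is invalid
#   cert_rejected                keyNotFound ... "id": a cert was found locally but the back end rejected it
#                                (for example, the device was deleted from the Admin Console)
#   other_failure                a "Registration failed" entry matching neither signature
#   attempted_no_failure_logged  an enrollment attempt was logged and no failure entry followed
#   no_evidence                  no Recovery-Management activity in the log
#   unreadable                   the log file cannot be read
classify_recovery_log() {
  log="$1"
  if [ ! -r "$log" ]; then
    echo "unreadable"
    return 1
  fi
  # Only the most recent failure matters: older entries may predate a re-enrollment.
  last_fail=$(grep 'Registration failed' "$log" | tail -n 1)
  if [ -n "$last_fail" ]; then
    case "$last_fail" in
      *noMatchingCertificate*) echo "no_cert" ;;
      *keyNotFound*)           echo "cert_rejected" ;;
      *)                       echo "other_failure" ;;
    esac
  elif grep -q 'Creating a new recovery enrollment' "$log"; then
    echo "attempted_no_failure_logged"
  else
    echo "no_evidence"
  fi
}

# make_sample_log <kind>
# Writes a constructed log (abbreviated from the article's excerpts, not a real
# capture) to a temp file and prints its path. Kinds: no_cert, cert_rejected, attempt_only.
make_sample_log() {
  f=$(mktemp) || return 1
  printf '%s\n' '{ "Recovery-Management": {"message": "Creating a new recovery enrollment", "location": "RecoveryManager.swift:registerRecoverySecret():96"}}' > "$f"
  case "$1" in
    no_cert)
      printf '%s\n' '{ "Recovery-Management": {"message": "Registration failed: Error Domain=OktaDAServiceDaemon Code=19 Cert error: JWT generation failed with: genericError(Error generating management hint: noMatchingCertificate.)", "location": "CommunicationsManager.swift:registerRecoverySecret():319"}}' >> "$f" ;;
    cert_rejected)
      printf '%s\n' '{ "Recovery-Management": {"message": "Registration failed: Error Domain=OktaDAServiceDaemon Code=19 Registration error: Response decoding failed with: keyNotFound(CodingKeys(stringValue: id, intValue: nil))", "location": "CommunicationsManager.swift:registerRecoverySecret():281"}}' >> "$f" ;;
    attempt_only) ;;
    *) rm -f "$f"; return 1 ;;
  esac
  echo "$f"
}

# macOS only: show System keychain certificate labels and installed configuration
# profiles, the two places the article says to look for the SCEP material.
# Device-scoped profiles are only listed when run with sudo. Skipped on other OSes.
show_scep_material() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "Not macOS; skipping keychain and profile checks."
    return 0
  fi
  echo "System keychain certificate labels:"
  security find-certificate -a /Library/Keychains/System.keychain | grep '"labl"' || echo "  (no certificates listed)"
  echo "Installed configuration profiles:"
  profiles list 2>/dev/null || echo "  (run with sudo to list device profiles)"
}

if [ -r "$LOG_PATH" ]; then
  echo "Live log ($LOG_PATH): $(classify_recovery_log "$LOG_PATH")"
else
  echo "Live log not readable at $LOG_PATH; showing constructed samples only."
fi
for kind in no_cert cert_rejected attempt_only; do
  f=$(make_sample_log "$kind")
  echo "sample $kind -> $(classify_recovery_log "$f")"
  rm -f "$f"
done
show_scep_material
```

Run it as root on the affected Mac (or point OKTA_DA_LOG at a copied log). A result of no_cert means start with the SCEP profile and keychain checks above; cert_rejected means the certificate is present but no longer accepted, so follow the uninstall/reinstall steps; attempted_no_failure_logged with an Admin Console error usually means the device has not yet completed registration, which needs the user to log in while online.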
Admin does not see the option to generate a recovery PIN
- Validate that the administrator account has the required permission, as listed in Prerequisites.
- If using a custom admin role, the Generate device recovery PIN permission is required.
- Ensure that Enable Device Recovery PIN for Desktop MFA is set to Enabled: in the Okta Admin Console, navigate to Security > General.
