Overview
This article provides resolutions for common issues with Desktop Password Sync for macOS.
Solution
Resolve password issues
If there is a Mobile Device Management (MDM) password policy (for example, a minimum password length) and the user's Okta password does not satisfy the requirements, the password sync fails. The user sees Apple's visual indicator that the password is incorrect, even if the credentials are entered correctly. To work around this issue, try one of the following methods:
- Change the MDM password policy to match the Okta password requirements.
- Change the Okta password requirements to match the MDM password policy. See Configure the password authenticator.
- Ask users to sign in to the End-User Dashboard and update their Okta password to meet the MDM policy requirements.
- Ask users not to reuse old passwords.
- Disable the macOS account password expiration option in MDM.
Resolve registration issues
If users are experiencing registration issues and cannot complete the registration steps, the user needs to re-register their device and go through the registration process again.
NOTE: Deleting a device or user does not reset the registration. Follow the steps for the appropriate operating system to reset a registration.
- In MDM, look for the Desktop Password Sync configuration profile created.
- Open the profile and click Edit.
- On the Scope tab, remove the target for the device to be reset.
- Save the changes.
- Redistribute the profile to all devices.
- On the macOS device, confirm that the profile has been removed from Privacy & Security > Profiles.
- Ensure that all Desktop Password Sync profiles, including the preference domain, SSO extension, and SCEP certificate profiles, have been removed.
- Restart the device.
- In MDM, reassign all Desktop Password Sync profiles to the device.
- On the macOS device, confirm that the profiles are pushed to the device successfully.
- Wait for the registration request notification, and then register the device.
NOTE: Registration will fail if a user tries to register the same Okta account on multiple local accounts on the same device.
- Okta users can only enroll in one local account per device.
- If the user needs to change the local account that they are linked to, please follow the steps above to fully reset PSSO on the device, and then re-enroll.
Running PSSO on macOS 13.x Ventura
If running Desktop Password Sync on macOS 13.x (Ventura), it is not possible to take advantage of the PSSO 2.0 protocol enhancements. It is important to understand that the deployed MDM profile must reflect this. In particular, the “shared keys” feature should be disabled. If the “shared keys” feature is enabled on Ventura, Desktop Password Sync will not work, and the following error will be seen in the logs:
On macOS Ventura and earlier, PSSO 2.0 is not supported.
Missing Protocol Key
If running Desktop Password Sync on macOS 14.x or higher and the "Shared keys (true) protocol version (1.0) mismatch" error is seen, then it is necessary to specify the protocol version key in the MDM payload. Please add the following to the MDM config:
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
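The two profile rules stated in this section and the previous one (shared keys off on Ventura; on macOS 14+ a profile with shared keys on must declare protocol version 2.0) can be checked before a profile is pushed. The following is an added example, not Okta's or Apple's code: it parses a constructed sample payload with Python's plistlib and reports the mismatch. Only the PlatformSSO.ProtocolVersion key comes from the article; the placement of that key in the payload dictionary and the UseSharedDeviceKeys name used for the "shared keys" switch are assumptions of this example.

```python
"""Check a Desktop Password Sync MDM payload for the shared-keys / protocol
version mismatch described above (added example, not Okta's code)."""
import plistlib

# Constructed sample payload, not from a real deployment. Only the
# PlatformSSO.ProtocolVersion key is named by the article; the key placement
# and the UseSharedDeviceKeys name are assumptions of this example.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PlatformSSO</key>
  <dict>
    <key>UseSharedDeviceKeys</key>
    <true/>
  </dict>
</dict>
</plist>
"""

PROTOCOL_VERSION_KEY = "PlatformSSO.ProtocolVersion"


def check_payload(payload_bytes: bytes, macos_major: int) -> list:
    """Return the findings for this payload on a given macOS major version.

    An empty list means the payload is consistent with the article's rules:
    shared keys must be off on macOS 13 (Ventura) and earlier, and on
    macOS 14+ a payload with shared keys on must declare protocol version 2.0.
    """
    payload = plistlib.loads(payload_bytes)
    shared_keys = bool(payload.get("PlatformSSO", {}).get("UseSharedDeviceKeys", False))
    version = payload.get(PROTOCOL_VERSION_KEY)
    findings = []
    if macos_major <= 13 and shared_keys:
        findings.append("shared keys enabled: PSSO 2.0 is not supported on macOS Ventura and earlier")
    if macos_major >= 14 and shared_keys and version != "2.0":
        findings.append(f"shared keys enabled but {PROTOCOL_VERSION_KEY} is {version!r}; set it to '2.0'")
    return findings


def add_protocol_version(payload_bytes: bytes, version: str = "2.0") -> bytes:
    """Return a copy of the payload with the protocol version key added."""
    payload = plistlib.loads(payload_bytes)
    payload[PROTOCOL_VERSION_KEY] = version
    return plistlib.dumps(payload)


if __name__ == "__main__":
    for major in (13, 14):
        print(f"macOS {major}:", check_payload(SAMPLE_PAYLOAD, major) or ["ok"])
    fixed = add_protocol_version(SAMPLE_PAYLOAD)
    print("macOS 14 after fix:", check_payload(fixed, 14) or ["ok"])
```

Run against a profile exported from MDM before distribution; a non-empty result on the target macOS version means the profile will hit one of the two errors quoted above.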
Known Issues
- Password sync at the login screen takes around 40 seconds. This is a known macOS issue, fixed in macOS 15.0+.
- If the local password is changed manually, the user is prompted to enter the existing password in a keychain prompt when password sync runs at the login screen. It is recommended to deploy the profile that blocks the password reset feature in System Settings.
- Please deploy the com.apple.preference.security profile listed in Create a device management profile.
- However, note that this still allows the user to change their password from the command line, and thus the user can still encounter the issue described above.
- In Okta Verify 9.19, Desktop Password Sync registration will fail if multiple Okta users are trying to enroll in a single local account. This holds true even if the device is brought to a clean state by removing PlatformSSO profiles. To resolve this, execute the following command:
rm ~/Library/Group\ Containers/B7F62B65BN.group.okta.macverify.shared/Library/deviceSSO/deviceSSO.db
- Using Okta Desktop Password Sync with other password syncing solutions can cause rate limit issues and other unexpected behavior. To resolve this issue, disable other solutions that synchronize the local account password with Okta.
- If a user performs an action that wipes the keychain, it also removes the Desktop Password Sync registration, which puts the application in an invalid state. To resolve this issue, users need to complete the registration reset steps outlined for the appropriate macOS version. These are some examples of actions that can wipe the keychain:
- A password reset using recovery flow.
- Reinstalling or resetting the operating system.
- Manually deleting the keychain.
- If a user's password is in an invalid state, Desktop Password Sync could fail to sync. These are some actions that can lead to an invalid password state:
- Expired passwords.
- User is locked out due to multiple invalid password attempts.
- Admin has forced the user to reset their current password, and the user has not yet created a password.
- Admin has created a temporary one-time password, and the user has not yet updated the password.
- Customers deploying Desktop Password Sync on non-English macOS computers should deploy Okta Verify version 9.1.0 or newer. Previous versions of Okta Verify may fail to complete enrollment on macOS computers using languages other than English.
- In Okta Verify version 9.0, the Desktop Password Sync registration fails if the org has a custom domain. The issue has been resolved in Okta Verify version 9.1. If registration errors are encountered, ensure that Okta Verify version 9.1 is used.
- If Okta Verify and Desktop Password Sync are running, when trying to delete the app, an error is displayed stating that the app cannot be deleted due to extensions running. To work around this issue, upgrade macOS to version 13.5, or try the following steps:
- Quit the Okta Verify app.
- Quit Okta Verify's SSO extension (SSOe):
- In terminal, enter the command: ps -ax | grep AppSSOAgent
- If there is only one entry in the list of results, then Okta Verify's SSOe is not running.
- If there is more than one entry, copy the pid of the first one.
- In a terminal, enter the command: kill <pid>
- Run the ps -ax | grep AppSSOAgent command again and ensure that only one entry is seen.
- Delete the Okta Verify app.
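The "only one entry" rule in the steps above works because the grep in the pipeline always matches its own command line. The following is an added example, not Okta's code, that applies that rule to ps output: it ignores the grep entry, returns the PIDs of any remaining AppSSOAgent processes, and builds the kill <pid> command the steps ask for. The two ps listings are constructed for this example (the PIDs and the AppSSOAgent path are made up), so it runs without a macOS machine.

```python
"""Decide from `ps -ax | grep AppSSOAgent` output whether the SSO extension
agent is still running (added example, not Okta's code)."""
from typing import List, Optional

# Constructed sample output in the shape ps -ax prints (PID TTY TIME CMD);
# the PIDs and the AppSSOAgent path are made up for this example.
SAMPLE_WITH_AGENT = """\
  412 ??         0:03.21 /System/Library/CoreServices/AppSSOAgent.app/Contents/MacOS/AppSSOAgent
 1203 ttys000    0:00.00 grep AppSSOAgent
"""

# Only the grep process itself matched: the article's "only one entry" case.
SAMPLE_WITHOUT_AGENT = """\
 1204 ttys000    0:00.00 grep --color=auto AppSSOAgent
"""


def agent_pids(ps_output: str) -> List[int]:
    """PIDs of AppSSOAgent processes, ignoring the grep that produced the list."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, command = int(fields[0]), fields[3]
        if command.split()[0].endswith("grep"):
            continue  # the grep in the pipeline always matches its own pattern
        if "AppSSOAgent" in command:
            pids.append(pid)
    return pids


def ssoe_running(ps_output: str) -> bool:
    """True when at least one real AppSSOAgent entry is present."""
    return bool(agent_pids(ps_output))


def kill_command(ps_output: str) -> Optional[str]:
    """The `kill <pid>` the steps ask for, targeting the first entry, or None."""
    pids = agent_pids(ps_output)
    return f"kill {pids[0]}" if pids else None


if __name__ == "__main__":
    for label, sample in (("with agent", SAMPLE_WITH_AGENT), ("grep only", SAMPLE_WITHOUT_AGENT)):
        print(label, "-> running:", ssoe_running(sample), "command:", kill_command(sample))
```

On a real machine, feed it the captured output of ps -ax | grep AppSSOAgent; re-run after the kill, and an empty PID list corresponds to the "only one entry is seen" check in the last step.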
