This article will discuss how to locate and review Okta Device Access logs. In some instances, troubleshooting issues by reviewing the local log file generated by Okta Verify may be helpful or necessary. These logs are generated on both Windows and macOS.
- Okta Identity Engine (OIE)
- Okta Device Access (ODA)
- Desktop MFA (DMFA)
- Desktop Password Sync
- Okta Verify
Review Okta Device Access events in the Okta system log
-
Log into the Okta dashboard and access the Okta admin console.
-
Select Reports > System Log.
-
Search for “Desktop MFA” events. Events related to MFA attempts and Single Sign-On to the Desktop MFA application will be displayed.
- Select an event and click on it to view more information.
Logs collected locally from the impacted system
Windows Desktop MFA
-
Local logs for DMFA can be found under the below path on the impacted machine
c:\windows\system32\config\systemprofile\appdata\local\oktadevice access\logs.
The log files have a formatOktaDeviceAccessLog<yyyymmdd>.txt.
macOS Desktop MFA
-
Logs on the impacted device can be found locally at
/var/log/com.okta.deviceaccess/OktaDeviceAccess.log. -
Alternatively, run the following command from an account with root or sudo access:
> sudo log collect --start "2023-09-18 12:00:00" --output /tmp && tar cvf system_logs.logarchive.tar /tmp/system_logs.logarchive -
The output is stored at
/tmp/system_logs.logarchive.tar
macOS Desktop Password Sync
Okta Verify
-
Find the OktaVerify.log on the macOS device in the following location:
~/Library/Group\ Containers/B7F62B65BN.group.okta.macverify.shared/Logs. -
The filename would be
com.okta.mobile.auth-service-extension <DATE TIME>.log, where<DATE TIME>would involve some date.-
For example:
com.okta.mobile.auth-service-extension 2025-05-8--15-14-12-038.log.
-
A failed to retrieve metadata error usually indicates a typo in the Org URL or Client ID.
AppSSO Agent
If there are issues during registration or the syncing of the password itself. These logs can be vital for support in diagnosing the issue. These logs are generated from macOS and are the main indicators of what is happening during password sync.
To collect these logs:
-
Enable debug logging:
sudo log config --mode "level:debug,persist:debug" --subsystem com.apple.AppSSO -
Reproduce the issue with Desktop Password Sync.
-
Execute the following command within 5 minutes of reproducing the issue. This will generate a file called
AppSSOAgent.txtwhich can be sent to support to diagnose the issue.log show --last 5m | grep -i AppSSOAgent > AppSSOAgent.txt -
Change the logging to normal:
sudo log config --subsystem com.apple.AppSSO --reset
Collect Platform SSO registration logs from Setup Assistant Screen (macOS 26.0)
To troubleshoot PSSO errors that occurred during the Setup Assistant Screen :
- Press
Control+Option+Command+Tto open Terminal before the screen that is experiencing the error. - Use Terminal to stream the various logs related to the process to local files.
- To collect AppSSO logs
log stream --predicate 'subsystem == "com.apple.AppSSO"' --debug | tee ~/sso_logs.log - For Okta Verify logs for PSSO
log stream --predicate '(eventMessage CONTAINS[c] "okta")' --debug | tee ~/oktaverify.log - Once the issue is replicated, go back to terminal and press "
Control+C" to stop log streaming. - View the logs in the terminal or Launch Finder via the same process.
Related References
