ADSelfService Plus in action
How to set up multi-factor authentication for macOS
When employees are forced to manage multiple passwords, they tend to reuse the same password across multiple applications or create simple, easy-to-remember passwords that are not strong enough. This makes them an easy target for attackers who use brute force and dictionary attacks to gain access to these accounts. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, addresses this issue by providing multi-factor authentication for macOS logins.
Set up multi-factor authentication for macOS using ADSelfService Plus
Systems running macOS can be configured to require multiple factors before a user is allowed to log in. The user's Active Directory (AD) credentials act as the first factor; ADSelfService Plus supports 20 different authentication methods that can serve as additional factors during macOS logins, including:
- Biometric Authentication
- YubiKey Authentication
- Google Authenticator
- Microsoft Authenticator
- Azure AD MFA
- Push Notification Authentication
Find the complete list of supported authenticators here.
Even if attackers manage to get a user's password, they're unlikely to be able to authenticate themselves through the user's email or phone.
Configure MFA for Mac
For users to be able to reset passwords from their Mac logon screen, admins must first deploy the logon agent on the users' machines.
How to enable MFA for macOS
Prerequisites
- Endpoint MFA: Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase it.
- SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply an SSL certificate and enable HTTPS.
- Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
Step 1: Install ADSelfService Plus' macOS login agent through the admin console.
- To install the client software from the ADSelfService Plus admin console, go to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
- Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required Domain from the drop-down.
- You can also choose the specific organizational units for which the logon agent has to be installed. To do this, click Add OUs to select the required OUs.
- Click Get Computers.
- Choose the computers for which the logon agent needs to be pushed, and click Install.
Step 2: Enable authenticators
- Go to Configuration → Self-Service → Multi-factor Authentication → Authentication Setup.
- Select the authenticator you want to enable.
- Each authenticator comes with its own group of settings. Enter the appropriate information in each field.
- For authenticators such as Google Authenticator, Microsoft Authenticator, and TOTP, simply click Enable.
Step 3: Enable multi-factor authentication for macOS
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
- ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
- Click Save Settings.
Note: Your users' accounts will now have better security, thanks to the endpoint multi-factor authentication provided by ADSelfService Plus.
Some useful features of ADSelfService Plus
- Single Sign-On (SSO)
- Password Policy Enforcer
- Password expiration notification
- Directory self-update
Single Sign-On (SSO):
ADSelfService Plus provides Active Directory-based authentication for SAML-enabled enterprise apps to give users access to multiple enterprise applications via SSO.
Password Policy Enforcer:
ADSelfService Plus has numerous options to enforce conditions such as creating passwords with a preset number of unique characters and restricting the use of palindromes, dictionary words, or words with certain patterns.
Password expiration notification:
ADSelfService Plus keeps track of users' password expiration dates in Active Directory and sends email notifications to users whose passwords are about to expire.
Directory self-update:
Using ADSelfService Plus, admins can set up a layout with various fields for just the information that they need from users. The users can self-update their Active Directory information, saving valuable help desk time.
Tighten Windows/macOS/Linux logon security with multi-factor authentication.
Get Your Free Trial: fully functional 30-day trial