How to set up multi-factor authentication for macOS

When employees are forced to manage multiple passwords, they tend to reuse the same password across multiple applications or create simple, easy-to-remember passwords that are not strong enough. This makes them an easy target for attackers who use brute force and dictionary attacks to gain access to these accounts. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, addresses this issue by providing multi-factor authentication for macOS logins.

Set up multi-factor authentication for macOS using ADSelfService Plus

Systems running macOS can be configured to authenticate users using multiple factors before allowing them to log in. A user's Active Directory (AD) credentials act as the first factor. For the additional factors, ADSelfService Plus supports 18 different authentication methods for MFA during macOS logins, including:

  • Fingerprint/Face ID Authentication
  • YubiKey Authentication
  • Google Authenticator
  • Microsoft Authenticator
  • Azure AD MFA
  • Push Notification Authentication, and more

Even if attackers manage to get a user's password, they're unlikely to be able to authenticate themselves through the user's email or phone.

Configure MFA for Mac

For users to be able to reset passwords from their Mac logon screen, admins must first deploy the logon agent on the users' machines.

How to enable MFA for macOS


  • Endpoint MFA: Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase it.
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply an SSL certificate and enable HTTPS.
  • Access URL must be set to HTTPS: Navigate to Admin → Product Settings → Connection → Connection Settings → Configure Access URL and set the Protocol option to HTTPS.
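
The two HTTPS prerequisites above can be checked from a client machine before the login agent is pushed. The script below is an added example, not ManageEngine's code; the host name and port used with it are placeholders, and the 30-day expiry threshold is an assumption.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

def parse_access_url(url):
    """Return (host, port) for an HTTPS access URL; reject anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"access URL must use https, got {parts.scheme or 'no scheme'!r}")
    if not parts.hostname:
        raise ValueError("access URL has no host name")
    return parts.hostname, parts.port or 443

def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter date (negative if expired)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)

def check_access_url(url, min_days=30, timeout=10):
    """Connect as a client would: verify chain and host name, then check expiry."""
    host, port = parse_access_url(url)
    ctx = ssl.create_default_context()  # chain and host name verification are on by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    left = days_until_expiry(cert)
    if left < min_days:  # min_days is an assumed threshold, not a product setting
        raise RuntimeError(f"certificate for {host} expires in {left} days")
    return {"host": host, "port": port, "tls": version, "days_left": left}

if __name__ == "__main__":
    import sys
    # Usage: python3 check_access_url.py https://<access-url-host>:<port>
    try:
        print(check_access_url(sys.argv[1]))
    except (ValueError, RuntimeError, ssl.SSLError, OSError) as exc:
        sys.exit(f"FAIL: {exc}")
```

A certificate verification failure here means the machine does not trust the certificate chain or the host name does not match the configured access URL.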

Step 1: Install ADSelfService Plus' macOS login agent through the admin console.

  1. To install the client software from the ADSelfService Plus admin console, go to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required Domain from the drop-down.
  3. You can also choose the specific organizational units for which the logon agent has to be installed. To do this, click Add OUs to select the required OUs.
  4. Click Get Computers.
  5. Choose the computers for which the logon agent needs to be pushed, and click Install.

Step 2: Enable authenticators

  1. Go to Configuration → Self-Service → Multi-factor Authentication → Authentication Setup.
  2. Select the desired authenticator that you want to enable.
  3. Each authenticator comes with its own group of settings. Enter the appropriate information in each field.
  4. For authenticators like Google, Microsoft, and TOTP, just click Enable.

Step 3: Enable multi-factor authentication for macOS

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.

     Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  3. In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
  4. Click Save Settings.

Your users' accounts will now have better security, thanks to the endpoint multi-factor authentication provided by ADSelfService Plus.

Some useful features of ADSelfService Plus

  • Single Sign-On (SSO)
  • Password Policy Enforcer
  • Password expiration notification
  • Directory self-update

Single Sign-On (SSO):

ADSelfService Plus provides Active Directory-based authentication for SAML-enabled enterprise apps to give users access to multiple enterprise applications via SSO.

Password Policy Enforcer:

ADSelfService Plus has numerous options to enforce conditions such as creating passwords with a preset number of unique characters and restricting the use of palindromes, dictionary words, or words with certain patterns.

Password expiration notification:

ADSelfService Plus keeps track of users' password expiration dates in Active Directory and sends email notifications to users whose passwords are about to expire.

Directory self-update:

Using ADSelfService Plus, admins can set up a layout with various fields for just the information that they need from users. The users can self-update their Active Directory information, saving valuable help desk time.
