How to enable MFA for Windows, macOS, and Linux

You can apply MFA for Windows, macOS, and Linux machines in two ways:

Note: The Professional edition of ADSelfService Plus with Endpoint MFA is required for machine MFA to work on Windows server machines. If not, MFA will be bypassed on Windows servers.

Machines can be secured by MFA in one of two ways:



Prerequisites for offline MFA

Steps to enable MFA for Windows, macOS, and Linux machines

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
  3. ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  4. In the MFA for Machine Login section, check the box to enable MFA for Machine Login and select the number of authentication factors to be prompted. Select the authentication method from the drop-down.
  5. Select the Choose Authenticators for Offline Machine Login MFA option and select the authentication methods you prefer for offline MFA from the drop-down. The following authenticators are supported:
    • Google Authenticator
    • Microsoft Authenticator
    • Custom time-based one-time password (TOTP) authenticator
    • Zoho OneAuth TOTP

    To force users to enroll for authenticators selected here, choose the Force enrollment option in this advanced setting.

  6. Click Save Settings.
  7. Note:

    • If offline MFA isn't configured or a user's machine isn't enrolled for offline MFA, offline access is denied unless:
      • The Skip MFA when the ADSelfService Plus server is down or unreachable setting is enabled. This setting can be found under Configuration > Self-Service > Multi-factor Authentication > Advanced > Endpoint MFA > Machine Login MFA.
      • Machine-based MFA is not enforced for that machine. The Manage MFA setting under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines is set to Exempt.

      To avoid degrading security by bypassing MFA or hampering productivity by denying access when offline, it is recommended to enable offline MFA.

    • Changes to the offline MFA configuration, advanced settings, enrollment data, and disenrollment of the machine from offline MFA will be reflected only after the next successful online MFA attempt in that machine.
    • Learn how to enable local language support for MFA for Windows.


Enrolling Windows machines for offline MFA

How to enable MFA for Windows, macOS, and Linux

Authenticator enrollment by users

Once offline MFA is configured, after a user completes online MFA via the login agent or in the ADSelfService Plus portal, they will be prompted to enroll for authenticators configured for offline MFA if not yet enrolled.

Machine enrollment for offline MFA

After online MFA is completed, depending on advanced setting configuration, the user's machine will either be automatically enrolled for offline MFA, or they will have to choose between enrolling their machine and skipping enrollment.

Once the machine is enrolled for offline MFA for the specific user, the user's authenticator enrollment data will be securely transmitted from the ADSelfService Plus server and stored as encrypted data in the specific machine for offline MFA. This process will repeat regularly to keep the authenticator data up to date.

The device enrolled for offline MFA can be disenrolled by the admins or the end users if required.

How does offline MFA work?

How to enable MFA for Windows, macOS, and Linux

  1. The user enters their credentials to log in to their machine.
  2. If primary authentication is successful, the ADSelfService Plus login agent installed in the machine tries to access the ADSelfService Plus server to initiate MFA but fails due to lack of connectivity.
  3. The login agent then initiates offline MFA.
  4. If the user completes the required authentication levels successfully, they are logged into the machine.


Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.


Need technical assistance?

  • Enter your email ID
  • Talk to experts
  • By clicking 'Talk to experts' you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?


    Visit our community

    Post your questions in the forum.


    Request additional resources

    Send us your requirements.


    Need implementation assistance?

    Try onboarding


Copyright © 2024, ZOHO Corp. All Rights Reserved.