
How to set up multi-factor authentication for macOS

When employees are forced to manage multiple passwords, they tend to reuse the same password across multiple applications or create simple, easy-to-remember passwords that are not strong enough. This makes them an easy target for attackers who use brute force and dictionary attacks to gain access to these accounts. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, addresses this issue by providing multi-factor authentication for macOS logins.

Set up multi-factor authentication for macOS using ADSelfService Plus

Systems running macOS can be configured to authenticate users using multiple factors before allowing them to log in. A user's Active Directory (AD) credentials act as the first factor while additional factors include:

  • Security questions and answers
  • Email verification codes
  • SMS verification codes
  • Google Authenticator
  • Microsoft Authenticator
  • Duo Security
  • RSA SecurID
  • RADIUS authentication
  • Push notification authentication
  • Fingerprint authentication
  • QR code-based authentication
  • Time-based one-time passcodes (TOTPs)
  • SAML authentication
  • AD-based secret questions
  • YubiKey Authenticator

Even if attackers manage to get a user's password, they're unlikely to be able to authenticate themselves through the user's email or phone.

Configure MFA for Mac

For users to be able to reset passwords from their Mac logon screen, an admin must first deploy the logon agent on the users' machines.

How to enable MFA for macOS


  • SSL must be enabled: To do this, log in to the ADSelfService Plus web console with admin credentials. Go to the Admin tab → Product Settings → Connection and select the ADSelfService Plus Port [https] option.

Step 1: Install ADSelfService Plus' macOS login agent through the admin console.

  1. To install the client software from the ADSelfService Plus admin console, go to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required Domain from the drop-down.
  3. You can also choose the specific organizational units for which the logon agent has to be installed. To do this, click Add OUs to select the required OUs.
  4. Click Get Computers.
  5. Choose the computers for which the logon agent needs to be pushed, and click Install.

Step 2: Enable authenticators

  1. Go to Configuration → Self-Service → Multi-factor Authentication → Authentication Setup.
  2. Select the authenticator that you want to enable.
  3. Each authenticator comes with its own group of settings. Enter the appropriate information in each field.
  4. For authenticators like Google, Microsoft, and TOTP, just click Enable.

Step 3: Enable multi-factor authentication for macOS

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
  2. Choose the policy from the drop-down.

     Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. In the Endpoint MFA section, select the second authentication factor from the drop-down. Multiple authentication methods can be selected here.
  4. Check the box next to Bypass TFA if ADSelfService Plus is down. With this box checked, the second factor is skipped while the ADSelfService Plus server is unavailable, so the AD credentials alone allow the login.
  5. Click Save Settings.


Your users' accounts will now have better security, thanks to the endpoint multi-factor authentication provided by ADSelfService Plus.

Some useful features of ADSelfService Plus


Single Sign-On (SSO):

ADSelfService Plus provides Active Directory-based authentication for SAML-enabled enterprise apps to give users access to multiple enterprise applications via SSO.

Password Policy Enforcer:

ADSelfService Plus has numerous options to enforce conditions such as creating passwords with a preset number of unique characters and restricting the use of palindromes, dictionary words, or words with certain patterns.

Password expiration notification:

ADSelfService Plus keeps track of users' password expiration dates in Active Directory and sends email notifications to users whose passwords are about to expire.

Directory self-update:

Using ADSelfService Plus, admins can set up a layout with various fields for just the information that they need from users. The users can self-update their Active Directory information, saving valuable help desk time.
