ADSelfService Plus in action
How to set up multi-factor authentication for macOS
When employees are forced to manage multiple passwords, they tend to reuse the same password across multiple applications or create simple, easy-to-remember passwords that are not strong enough. This makes them an easy target for attackers who use brute force and dictionary attacks to gain access to these accounts. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, addresses this issue by providing multi-factor authentication for macOS logins.
Set up multi-factor authentication for macOS using ADSelfService Plus
Systems running macOS can be configured to authenticate users using multiple factors before allowing them to log in. A user's Active Directory (AD) credentials act as the first factor while additional factors include:
ADSelfService Plus supports 18 different authentication methods for MFA during macOS logins:
- Fingerprint/Face ID Authentication
- YubiKey Authentication
- Google Authenticator
- Microsoft Authenticator
- Azure AD MFA
- Push Notification Authentication, and more
Even if attackers manage to get a user's password, they're unlikely to be able to authenticate themselves through the user's email or phone.
Configure MFA for Mac
For users to be able to reset passwords from their Mac logon screen, the logon agent must be first deployed by the admins on the users' machines.
How to enable MFA for macOS
- Endpoint MFA add-on: Your ADSelfService Plus license must include the Endpoint MFA add-on. Visit the store to purchase the add-on.
- SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply a SSL certificate and enable HTTPS.
- Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
Step 1: Install ADSelfService Plus' macOS login agent through the admin console.
- To install the client software from the ADSelfService Plus admin console, go to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
- Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required Domain from the drop-down.
- You can also choose the specific organizational units for which the logon agent has to be installed. To do this, click Add OUs to select the required OUs.
- Click Get Computers.
- Choose the computers for which the logon agent needs to be pushed, and click Install.
Step 2: Enable authenticators
- Go to Configuration → Self-Service → Multi-factor Authentication → Authentication Setup.
- Select the desired authenticator that you want to enable.
- Each authenticator comes with its own group of settings. Enter the appropriate information in each field.
- For authenticators like Google, Microsoft, and TOTP, just click Enable.
Step 3: Enable multi-factor authentication for macOS
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
- ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
- Click Save Settings.
Your users' accounts will now have better security, thanks to the endpoint multi-factor authentication provided by ADSelfService Plus.
Some useful features of ADSelfServicePlus
1Single Sign-On (SSO)
2Password Policy Enforcer
3Password expiration notification
Single Sign-On (SSO):
ADSelfService Plus provides Active Directory-based authentication for SAML-enabled enterprise apps to give users access to multiple enterprise applications via SSO.
Password Policy Enforcer:
ADSelfService Plus has numerous options to enforce conditions such as creating passwords with a preset number of unique characters and restricting the use of palindromes, dictionary words, or words with certain patterns.
Password expiration notification:
ADSelf Service Plus keeps track of users' password expiration dates in Active Directory and sends email notifications to users whose passwords are about to expire.
Using ADSelfService Plus, admins can set up a layout with various fields for just the information that they need from users. The users can self-update their Active Directory information, saving valuable help desk time.
Tighten Windows/macOS/Linux logon security with multi-factor authentication.Get Your Free Trial Fully functional 30-day trial