ADSelfService Plus in action
How to set up multi-factor authentication for macOS
When employees are forced to manage multiple passwords, they tend to reuse the same password across applications or choose simple, easy-to-remember passwords that are not strong enough. Either habit makes them an easy target for brute-force and dictionary attacks, and for attackers who replay a password leaked from one service against another. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, addresses this by adding multi-factor authentication to macOS logins.
Set up multi-factor authentication for macOS using ADSelfService Plus
Systems running macOS can be configured to authenticate users with multiple factors before allowing them to log in. The user's Active Directory (AD) credentials act as the first factor; the second factor can be any of the following:
- Security questions and answers
- Email verification codes
- SMS verification codes
- Google Authenticator
- Microsoft Authenticator
- Duo Security
- RSA SecurID
- RADIUS authentication
- Push notification authentication
- Fingerprint authentication
- QR code-based authentication
- Time-based one-time passcodes (TOTPs)
- SAML authentication
- AD-based secret questions
- YubiKey Authenticator
Even if attackers manage to obtain a user's password, they are unlikely to also control the user's email, phone or token, so the second factor stops them. Not all factors are equal, though: SMS and email codes are exposed to SIM swapping and mailbox compromise in a way that authenticator apps, TOTP and hardware tokens are not, so prefer those where users have the devices.
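Several of the factors above (Google Authenticator, Microsoft Authenticator, the generic TOTP option) are the same RFC 6238 mechanism: a shared secret enrolled once, then a six-digit code derived from that secret and the current 30-second time step. The following is an added example, not code from ADSelfService Plus or from this page, showing what the server side of that check does and why a stolen password alone is not enough: without the secret the attacker cannot produce the code. The key is the RFC 6238 reference key (a constructed demo value, never a real enrollment), so the results can be compared against the RFC's published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference key, used here only so
# the output can be checked against the RFC's published test vectors.
RFC6238_KEY = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = STEP_SECONDS) -> bool:
    """Accept a code from the current step or up to `window` steps either side
    (tolerating clock skew between phone and server). The comparison is
    constant-time so a timing side channel cannot leak matching digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_KEY, now)
    print("current code:", code)
    print("verifies now:", verify_totp(RFC6238_KEY, code, now))
    # The same code is rejected a few minutes later, outside the skew window.
    print("verifies in 5 min:", verify_totp(RFC6238_KEY, code, now + 300))
```

A production verifier also records the last accepted counter per user and refuses anything at or below it, so a code observed over the shoulder or phished cannot be replayed inside the skew window; that bookkeeping is left out here to keep the check itself readable.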
Configure MFA for Mac
Before users can reset passwords or complete MFA from the Mac login screen, admins must first deploy the ADSelfService Plus logon agent on the users' machines.
How to enable MFA for macOS
- Prerequisite: SSL must be enabled. Log in to the ADSelfService Plus web console with admin credentials, go to the Admin tab → Product Settings → Connection, and select the ADSelfService Plus Port [https] option. The logon agent sends credentials and verification codes to the server, so that traffic must not travel over plain HTTP.
Step 1: Install ADSelfService Plus' macOS login agent through the admin console.
- To install the client software from the ADSelfService Plus admin console, go to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
- Click GINA/Mac/Linux Installation, and in the New Installation section, choose the required Domain from the drop-down.
- You can also choose the specific organizational units for which the logon agent has to be installed. To do this, click Add OUs to select the required OUs.
- Click Get Computers.
- Choose the computers for which the logon agent needs to be pushed, and click Install.
Step 2: Enable authenticators
- Go to Configuration → Self-Service → Multi-factor Authentication → Authentication Setup.
- Select the desired authenticator that you want to enable.
- Each authenticator comes with its own group of settings. Enter the appropriate information in each field.
- For authenticators like Google, Microsoft, and TOTP, just click Enable.
Step 3: Enable multi-factor authentication for macOS
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
- Choose the policy from the dropdown.
- ADSelfService Plus allows you to create OU- and group-based policies. To create one, go to Configuration → Self-Service → Policy Configuration → Add New Policy, click Select OUs/Groups, and make the selection based on your requirements. At least one self-service feature must be selected. Finally, click Save Policy.
- In the Endpoint MFA section, select the second authentication factor from the drop-down. Multiple authentication methods can be selected here.
- Decide whether to check the box next to Bypass TFA if ADSelfService Plus is down. With it checked, macOS logons fall back to password-only authentication whenever the agent cannot reach the server. That keeps users from being locked out during an outage, but it also means an attacker who can block the agent's connection to the server gets to skip the second factor. Leave it unchecked for policies that cover high-value machines, and make sure the server is monitored so an outage is noticed either way.
- Click Save Settings.
Your users' accounts will now have better security, thanks to the endpoint multi-factor authentication provided by ADSelfService Plus.
Some useful features of ADSelfService Plus
1. Single Sign-On (SSO)
2. Password Policy Enforcer
3. Password expiration notification
Single Sign-On (SSO):
ADSelfService Plus provides Active Directory-based authentication for SAML-enabled enterprise apps to give users access to multiple enterprise applications via SSO.
Password Policy Enforcer:
ADSelfService Plus has numerous options to enforce conditions such as creating passwords with a preset number of unique characters and restricting the use of palindromes, dictionary words, or words with certain patterns.
Password expiration notification:
ADSelfService Plus keeps track of users' password expiration dates in Active Directory and sends email notifications to users whose passwords are about to expire.
Using ADSelfService Plus, admins can set up a layout with various fields for just the information that they need from users. The users can self-update their Active Directory information, saving valuable help desk time.