Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Agents

SafeNet Agent for macOS Logon Classic 2.2.0

search

Please Note:

SafeNet Agent for macOS Logon Classic 2.2.0

The SafeNet Agent for macOS Logon is designed to help macOS customers ensure that valuable resources are accessible only by authorized users. It delivers a simplified and consistent user login experience, virtually eliminates help desk calls related to password management, and helps organizations comply with regulatory requirements.

The use of Two-Factor Authentication (2FA) instead of just traditional static passwords to access a macOS environment is a critical step for information security.

Note

The SafeNet Agent for macOS Logon is supported only on the new console logons, and not when unlocking the screen saver or when a user wakes the system from sleep.

System Requirements
Networking Environments AD Server
Communication Protocols Hyper Text Transfer Protocol Secure (HTTPS):
- Secure Sockets Layer (SSL) 2.0 and above
- Transport Layer Security (TLS) 1.2 and above
Network TCP Port 443
Operating Systems - Sonoma v14.0
- Ventura v13.0
- Monterey v12.0
NOTE The agent is expected to be supported for subsequent minor OS versions, assuming they are backward compatible. Support for major OS versions will be added as they release.
Supported Authentication Tokens All authentication tokens currently supported by SafeNet server.
Unsupported Tokens in Offline Authentication Mode - Challenge-response-enabled tokens, SMS, GrIDsure, and time-based tokens.
- When using MobilePASS+ in this scenario, the Push OTP feature does not work, but standard One Time Password (OTP) authentication works.
SAS Releases SAS PCE/SPE 3.14 (and later)

Note

The agent is compatible with the macOS native FDE tool, FileVault.

Default Configuration

Mode Description
PUSH authentication Time-out after 120 seconds

SafeNet Agent for macOS Logon - Authentication Methods The macOS Logon Agent offers two types of authentication methods:

Domain Authentication Offline Authentication Domain Authentication Domain Authentication refers to the online authentication when the machine is connected to AD. The following diagram describes the authentication flow for a user when machine is connected to domain.

SafeNet Agent for macOS Logon - Authentication Methods

The macOS Logon Agent offers two types of authentication methods:

Domain Authentication

Domain Authentication refers to the online authentication when the machine is connected to AD. The following diagram describes the authentication flow for a user when machine is connected to domain.

alt_text

  1. After invoking the workstation logon, the user is presented with the macOS Native Logon prompt.

  2. On the macOS Native Logon prompt, the user enters user name (if applicable, the logon domain) and Active Directory (AD) password.

  3. Then the user is prompted for the second factor authentication, for example, OTP. The user enters the OTP. The entered credentials are then sent to the SafeNet server for verification.

  4. On successful validation of both the Active Directory (AD) and SafeNet credentials, the user is logged on to the workstation.

Offline Authentication

By default, SafeNet Agent for macOS Logon supports offline authentication, which enables users to log on using a SafeNet OTP when there is no connection to the SafeNet server.

Note

To use offline authentication, the user must have completed one successful online authentication. Also, for Active Directory users, the mobile account needs to be enabled within the system preferences of Mac.

alt_text

  1. After invoking the workstation logon, the offline user is presented with the macOS Logon prompt.

  2. The user enters the user name and Active Directory (AD) password.

  3. Then the user is prompted for the second factor authentication, for example, OTP. The user enters the OTP. The entered credentials are then verified by the offline authentication OTP stored on the local workstation.

  4. On successful validation of both the Active Directory (AD) and SafeNet credentials, the user is logged on to the workstation.

Prerequisites

  • Ensure that TCP port 443 is open between the SafeNet Agent for macOS Logon and SafeNet server.

  • Administrative rights to the macOS machine are required during installation of the SafeNet Agent for macOS Logon.

  • If the user connects via AD, they need to bind their Microsoft Active Directory account to the macOS machine.

  • Ensure that an Auth Node is configured in the SafeNet server.

On this page