Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Agents

SafeNet Agent for macOS Logon Classic

search

Please Note:

printsuggest an edit

SafeNet Agent for macOS Logon Classic

The SafeNet Agent for macOS Logon is designed to help macOS customers ensure that valuable resources are accessible only by authorized users. It delivers a simplified and consistent user login experience, virtually eliminates help desk calls related to password management, and helps organizations comply with regulatory requirements.

The use of Two-Factor Authentication (2FA) instead of just traditional static passwords to access a macOS environment is a critical step for information security.

Note

The SafeNet Agent for macOS Logon is supported only on the new console logons, and not when unlocking the screen saver or when a user wakes the system from sleep.

copy link to clipboardSystem Requirements
Networking Environments AD Server
Communication Protocols Hyper Text Transfer Protocol Secure (HTTPS):
- Secure Sockets Layer (SSL) 2.0 and above
- Transport Layer Security (TLS) 1.2 and above
Network TCP Port 443
Operating Systems - Sonoma v14.0
- Ventura v13.0
- Monterey v12.0
NOTE The agent is expected to be supported for subsequent minor OS versions, assuming they are backward compatible. Support for major OS versions will be added as they release.
Supported Authentication Tokens All authentication tokens currently supported by SafeNet server.
Unsupported Tokens in Offline Authentication Mode - Challenge-response-enabled tokens, SMS, GrIDsure, and time-based tokens.
- When using MobilePASS+ in this scenario, the Push OTP feature does not work, but standard One Time Password (OTP) authentication works.
SAS Releases SAS PCE/SPE 3.14 (and later)

Note

The agent is compatible with the macOS native FDE tool, FileVault.

copy link to clipboardDefault Configuration

Mode Description
PUSH authentication Time-out after 120 seconds

SafeNet Agent for macOS Logon - Authentication Methods The macOS Logon Agent offers two types of authentication methods:

Domain Authentication Offline Authentication Domain Authentication Domain Authentication refers to the online authentication when the machine is connected to AD. The following diagram describes the authentication flow for a user when machine is connected to domain.

copy link to clipboardSafeNet Agent for macOS Logon - Authentication Methods

The macOS Logon Agent offers two types of authentication methods:

copy link to clipboardDomain Authentication

Domain Authentication refers to the online authentication when the machine is connected to AD. The following diagram describes the authentication flow for a user when machine is connected to domain.

alt_text

  1. After invoking the workstation logon, the user is presented with the macOS Native Logon prompt.

  2. On the macOS Native Logon prompt, the user enters user name (if applicable, the logon domain) and Active Directory (AD) password.

  3. Then the user is prompted for the second factor authentication, for example, OTP. The user enters the OTP. The entered credentials are then sent to the SafeNet server for verification.

  4. On successful validation of both the Active Directory (AD) and SafeNet credentials, the user is logged on to the workstation.

copy link to clipboardOffline Authentication

By default, SafeNet Agent for macOS Logon supports offline authentication, which enables users to log on using a SafeNet OTP when there is no connection to the SafeNet server.

Note

To use offline authentication, the user must have completed one successful online authentication. Also, for Active Directory users, the mobile account needs to be enabled within the system preferences of Mac.

alt_text

  1. After invoking the workstation logon, the offline user is presented with the macOS Logon prompt.

  2. The user enters the user name and Active Directory (AD) password.

  3. Then the user is prompted for the second factor authentication, for example, OTP. The user enters the OTP. The entered credentials are then verified by the offline authentication OTP stored on the local workstation.

  4. On successful validation of both the Active Directory (AD) and SafeNet credentials, the user is logged on to the workstation.

copy link to clipboardPrerequisites

  • Ensure that TCP port 443 is open between the SafeNet Agent for macOS Logon and SafeNet server.

  • Administrative rights to the macOS machine are required during installation of the SafeNet Agent for macOS Logon.

  • If the user connects via AD, they need to bind their Microsoft Active Directory account to the macOS machine.

  • Ensure that an Auth Node is configured in the SafeNet server.

On this page