SafeNet Agent for macOS Logon
The SafeNet Agent for macOS Logon is designed to help macOS customers ensure that valuable resources are accessible only by authorized users. It delivers a simplified and consistent user login experience, virtually eliminates help desk calls related to password management, and helps organizations comply with regulatory requirements.
The use of Two-Factor Authentication (2FA) instead of just traditional static passwords to access a macOS environment is a critical step for information security.
Note
The SafeNet Agent for macOS Logon is supported only on the new console logons, and not when unlocking the screen saver or when a user wakes the system from sleep.
Installation and Configuration Overview
The following steps broadly depict the flow of actions for the agent solution:
- Operator logs in to STA (SafeNet Trusted Access), searches for the macOS Logon Agent app within applications, and adds it.
- Operator downloads the SafeNet Agent for macOS Logon installation and configuration files.
- Local Administrator installs the SafeNet Agent for macOS Logon.
- Local Administrator enables the SafeNet Agent for macOS Logon from the Management interface of the agent.
System Requirements
Requirement | Details |
---|---|
Networking Environments | AD Server |
Communication Protocols | Hyper Text Transfer Protocol Secure (HTTPS): Transport Layer Security (TLS) 1.2 and above |
Network | TCP Port 443 |
Operating Systems | Sonoma v14.0, Ventura v13.0, Monterey v12.0. NOTE: The agent is expected to be supported for subsequent minor OS versions, assuming they are backward compatible. Support for major OS versions will be added as they release. |
Processors | Intel, M1, M2 |
Supported Authentication Tokens | All authentication tokens currently supported by STA. |
Unsupported Tokens in Offline Authentication Mode | Challenge-response-enabled tokens, SMS, GrIDsure, and time-based tokens. When using MobilePASS+ in this scenario, the Push OTP feature does not work, but standard One Time Password (OTP) authentication works. |
SafeNet Trusted Access (STA) Releases | STA |
Note
The agent is compatible with the macOS native FDE tool, FileVault.
Default Configuration
Mode | Description |
---|---|
PUSH authentication | Time-out after 120 seconds |
SafeNet Agent for macOS Logon - Authentication Methods
The macOS Logon Agent offers two types of authentication methods:
Domain Authentication
Domain Authentication refers to online authentication when the machine is connected to AD. The following diagram describes the authentication flow for a user when the machine is connected to the domain.
- After invoking the workstation logon, the user is presented with the macOS Native Logon prompt.
- On the macOS Native Logon prompt, the user enters the user name (and, if applicable, the logon domain) and the Active Directory (AD) password.
- The user is then prompted for second-factor authentication, for example, an OTP. The user enters the OTP. The entered credentials are then sent to STA for verification.
- On successful validation of both the Active Directory (AD) and STA credentials, the user is logged on to the workstation.
Offline Authentication
By default, SafeNet Agent for macOS Logon supports offline authentication, which enables users to log on using an STA OTP when there is no connection to STA.
Note
To use offline authentication, the user must have completed one successful online authentication. Also, for Active Directory users, the mobile account needs to be enabled in the Mac's System Preferences.
- After invoking the workstation logon, the offline user is presented with the macOS Logon prompt.
- The user enters the user name and Active Directory (AD) password.
- The user is then prompted for second-factor authentication, for example, an OTP. The user enters the OTP. The entered credentials are then verified against the offline authentication OTP stored on the local workstation.
- On successful validation of both the Active Directory (AD) and STA credentials, the user is logged on to the workstation.
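The two flows above (Domain Authentication and Offline Authentication), as an added conceptual model that is not the agent's own code: the AD password is checked first, the OTP is then verified online against STA, and, when STA is unreachable, against a local store of hashed offline OTPs that is usable only after a prior successful online authentication and where each stored OTP is consumed once. The `Directory` and `StaService` stand-ins, the `offline_batch` provisioning call that fills the local store after an online logon, the SHA-256 storage format and the result strings are constructed assumptions; this page does not describe how the agent actually stores or provisions offline OTPs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash_otp(otp: str) -> bytes:
    # Assumed design: only a digest of each offline OTP is kept on the workstation.
    return hashlib.sha256(otp.encode("utf-8")).digest()


class Directory:
    """Constructed stand-in for the AD server that checks the first factor."""

    def __init__(self, passwords: dict):
        self._passwords = passwords  # user -> password (sample data, constructed)

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._passwords:
            return False
        return hmac.compare_digest(self._passwords[user].encode(), password.encode())


class StaService:
    """Constructed stand-in for STA: verifies OTPs online and issues offline OTPs."""

    def __init__(self, online_otps: dict, offline_batches: dict):
        self._online = online_otps        # user -> set of currently valid online OTPs
        self._offline = offline_batches   # user -> OTPs issued for offline use (assumption)
        self.reachable = True             # flip to False to simulate no connection to STA

    def verify(self, user: str, otp: str) -> bool:
        if not self.reachable:
            raise ConnectionError("STA not reachable")
        valid = self._online.get(user, set())
        if otp in valid:
            valid.discard(otp)            # an OTP is accepted once
            return True
        return False

    def offline_batch(self, user: str) -> list:
        if not self.reachable:
            raise ConnectionError("STA not reachable")
        return list(self._offline.get(user, []))


@dataclass
class Workstation:
    """Per-workstation state the logon flow needs (constructed model)."""
    directory: Directory
    sta: StaService
    offline_cache: dict = field(default_factory=dict)   # user -> list of hashed offline OTPs
    online_verified: set = field(default_factory=set)   # users with one successful online logon

    def logon(self, user: str, password: str, otp: str) -> str:
        # First factor: the AD password is validated before any OTP handling.
        if not self.directory.check_password(user, password):
            return "denied: AD password"
        try:
            ok = self.sta.verify(user, otp)
        except ConnectionError:
            # No connection to STA: fall back to the local offline store.
            return self._offline_logon(user, otp)
        if not ok:
            return "denied: STA OTP"
        # A successful online logon is what makes later offline logons possible.
        self.online_verified.add(user)
        self.offline_cache[user] = [_hash_otp(o) for o in self.sta.offline_batch(user)]
        return "granted: online"

    def _offline_logon(self, user: str, otp: str) -> str:
        if user not in self.online_verified:
            return "denied: offline requires a prior online authentication"
        digest = _hash_otp(otp)
        cache = self.offline_cache.get(user, [])
        for index, stored in enumerate(cache):
            if hmac.compare_digest(stored, digest):
                del cache[index]          # single use: a replayed offline OTP is rejected
                return "granted: offline"
        return "denied: offline OTP"


def demo() -> list:
    """Runs the constructed scenario and returns the sequence of logon results."""
    directory = Directory({"alice": "Pa55word!"})
    sta = StaService({"alice": {"123456"}}, {"alice": ["777777", "888888"]})
    ws = Workstation(directory, sta)
    results = [ws.logon("alice", "wrong-password", "123456")]   # first factor fails
    sta.reachable = False
    results.append(ws.logon("alice", "Pa55word!", "777777"))    # offline before any online logon
    sta.reachable = True
    results.append(ws.logon("alice", "Pa55word!", "123456"))    # online logon, fills the cache
    sta.reachable = False
    results.append(ws.logon("alice", "Pa55word!", "777777"))    # offline logon succeeds
    results.append(ws.logon("alice", "Pa55word!", "777777"))    # replay of the same OTP fails
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is the ordering of the checks: a wrong AD password never reaches the OTP step, the offline store cannot be used until one online logon has succeeded, and each cached OTP is accepted exactly once, which is why the replay in `demo()` is denied.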
Prerequisites
- Ensure that TCP port 443 is open between the SafeNet Agent for macOS Logon and the STA server.
- Administrative rights to the macOS system are required during installation of the SafeNet Agent for macOS Logon.
- If the user authenticates via AD, the Microsoft Active Directory account must be bound to the macOS machine.