This guide applies to Mac computers

About Okta Desktop Password Sync and Platform SSO

Okta Desktop Password Sync with Platform Single Sign-On (SSO) in Iru Endpoint keeps local macOS passwords aligned with Okta and extends Okta sign-in to the macOS login window.

How It Works

Okta Desktop Password Sync is currently in Okta “Early Access” release. See Okta’s resource: Manage Early Access and Beta.
Deploy Desktop Password Sync with the Okta Verify Auto App Library Item. If the App Store version of Okta Verify is already on your Blueprint, see Switch to the Okta Verify Auto App later in this guide.

Requirements

Okta Requirements

  • You use Okta Identity Engine.
  • Your macOS computers must run macOS 14 Sonoma or later, which supports Platform SSO 2.0 and Desktop Password Sync from the login window.
  • The Desktop Password Sync application is available for your organization in Okta. If you can’t locate the Desktop Password Sync app in the app catalog, contact your Okta account representative.
  • The Okta Verify authenticator is set up in your org.
  • An Okta Verify Auto App Library Item in your Library, assigned to the Blueprints where you deploy Desktop Password Sync.

Additional Requirements

  • Two Custom Profile mobileconfig templates from this guide (see Edit the mobileconfig template files) and a Single Sign-on Extension Library Item for Okta Platform SSO (see Configure the Okta Platform SSO Single Sign-on Extension Library Item).

FileVault Support for macOS 15+

Okta authentication policies can require stronger checks on macOS 15 and later, including the FileVault interface during Desktop Password Sync. Configure that in Okta; see FileVault network requirements.

Create Device Access SCEP Certificates

Configure a Desktop SCEP Certificate Authority in Okta

1. Access Okta Admin Portal
   Log in to your Okta admin portal.

2. Navigate to Security
   In the left-hand navigation, select Security.

3. Select Device Integrations
   In the expanded menu, select Device Integrations.

4. Select Device Access
   In the Device Integration pane, select Device Access.

5. Add SCEP Configuration
   Click Add SCEP configuration.

6. Select Static SCEP URL
   Select Static SCEP URL.

7. Generate Configuration
   Click Generate.

8. Copy SCEP URL
   Copy the SCEP URL.

9. Copy Secret Key
   Copy the Secret key. Record the secret key now. This is the only time you can view it. Okta stores a hash afterward.

10. Save Configuration
    Click Save.

11. Reset Secret Key (Optional)
    If you need to Reset the secret key, you can do so from the Actions menu to the right of the integration.

Add the SCEP Library Item

To add this Library Item to your Iru Endpoint Library, see the Library Overview article.

Configure the SCEP Library Item

1. Name the Library Item
   Name the Library Item.

2. Assign to Blueprints
   Assign it to your desired Blueprints.

3. Configure SCEP URL
   In the URL field, paste the SCEP server URL you copied earlier.

4. Enter Name (Optional)
   Enter a Name (optional).

5. Configure Challenge
   In the Challenge field, paste the secret key you copied earlier.

6. Set Subject
   In the Subject field, enter CN=$SERIAL_NUMBER. When you save the SCEP Library Item, Iru Endpoint appends the PROFILE_UUID to the CN.

7. Configure Subject Alternative Name
   Set Subject Alternative Name type to None.

8. Set Key Size
   For Key Size, select 2048.

9. Set Key Usage
   For Key Usage, select Signing.

10. Configure Retries
    Select Retries and enter 5. Change this if your environment needs a different retry count.

11. Configure Retry Delay
    Select Retry delay and enter 30 seconds. Change this if your environment needs a different delay.

12. Enable Private Key Access
    Select Allow apps to access the private key.

13. Prevent Key Extraction
    Select Prevent the private key data from being extracted in the keychain.

14. Configure Automatic Redistribution
    Select Automatic profile redistribution and enter 30 days before the certificate expires. Change this if your environment needs a different interval.

15. Save Configuration
    Click Save.

For more information about the Iru Endpoint SCEP Library Item, see Configure the SCEP Library Item.

Create and Configure the Desktop Password Sync App Integration in Okta

1. Access Applications Catalog
   In the Okta Admin Console, go to Applications > Applications Catalog.

2. Search for Desktop Password Sync
   Search for Desktop Password Sync and select the app.

3. Add Integration
   Click Add Integration. If you see This feature isn’t enabled, contact your Okta account representative.

4. Open Application Configuration
   Open Desktop Password Sync from your Applications list to configure it.

5. Configure General Settings
   On the General tab, you can edit the application label or use the default label.

6. Record Client ID
   On the Sign on tab, record the Client ID. You need it when you edit the Okta Verify mobileconfig template.

7. Assign Users or Groups
   Assign the app to individual users or groups on the Assignments tab. Users must be assigned the app to use Desktop Password Sync.

8. Save Configuration
   Click Save.

Edit the Mobileconfig Template Files

Download and edit these two mobileconfig templates with a plain text editor such as Visual Studio Code, Sublime Text, or BBEdit:
  • Okta_Associated_Domains_Configuration_Template.mobileconfig — Associated Domains for Okta Verify and the auth-service extension
  • Okta_Verify_Configuration_Template.mobileconfig — Okta tenant URL and Desktop Password Sync client ID for Okta Verify and the auth-service extension
Upload each finished file as a Custom Profile Library Item in Add Library Items in Iru Endpoint.
1. Download Associated Domains Template
   Download Okta_Associated_Domains_Configuration_Template.mobileconfig from the support GitHub repository (GitHub).

2. Download Okta Verify Template
   Download Okta_Verify_Configuration_Template.mobileconfig from the support GitHub repository (GitHub).

Okta Associated Domains template

The Okta_Associated_Domains_Configuration_Template.mobileconfig file deploys a com.apple.associated-domains payload. It connects Okta Verify and the Okta auth-service extension to your Okta tenant for Platform SSO and Desktop Password Sync.
1. Open Configuration Template
   Open the Okta_Associated_Domains_Configuration_Template.mobileconfig file in your text editor.

2. Update auth-service-extension AssociatedDomains
   In the first Configuration entry, update AssociatedDomains and replace the example domain with your Okta tenant address.
     • Example: authsrv:accuhive.okta.com
       <key>ApplicationIdentifier</key>
       <string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
       <key>AssociatedDomains</key>
       <array>
            <!-- replace accuhive.okta.com with your tenant address -->
            <string>authsrv:accuhive.okta.com</string>
       </array>

3. Update Okta Verify AssociatedDomains
   In the second Configuration entry, update AssociatedDomains for com.okta.mobile and replace the example domain with your Okta tenant address.
     • Example: authsrv:accuhive.okta.com
       <key>ApplicationIdentifier</key>
       <string>B7F62B65BN.com.okta.mobile</string>
       <key>AssociatedDomains</key>
       <array>
            <!-- replace accuhive.okta.com with your tenant address -->
            <string>authsrv:accuhive.okta.com</string>
       </array>

4. Save Configuration File
   Save the mobileconfig file. You will upload it as a Custom Profile Library Item in Add Library Items in Iru Endpoint.

Okta Verify template

1. Open Okta Verify Template
   Open the Okta_Verify_Configuration_Template.mobileconfig file in your text editor.

2. Set OktaVerify.OrgUrl on com.okta.mobile
   In the com.okta.mobile payload, set OktaVerify.OrgUrl to your Okta tenant URL.
     • Example: https://accuhive.okta.com
       <dict>
            <!-- replace accuhive.okta.com with your tenant -->
            <key>OktaVerify.OrgUrl</key>
            <string>https://accuhive.okta.com</string>

3. Set OktaVerify.PasswordSyncClientID on com.okta.mobile
   In the com.okta.mobile payload, set OktaVerify.PasswordSyncClientID to the Desktop Password Sync app Client ID you recorded earlier.
            <!-- replace YOUR_CLIENT_ID with your Desktop Password Sync app Client ID -->
            <key>OktaVerify.PasswordSyncClientID</key>
            <string>YOUR_CLIENT_ID</string>

4. Set OktaVerify.OrgUrl on com.okta.mobile.auth-service-extension
   In the com.okta.mobile.auth-service-extension payload, set OktaVerify.OrgUrl to your Okta tenant URL.
       <dict>
            <!-- replace accuhive.okta.com with your tenant -->
            <key>OktaVerify.OrgUrl</key>
            <string>https://accuhive.okta.com</string>

5. Set OktaVerify.PasswordSyncClientID on com.okta.mobile.auth-service-extension
   In the com.okta.mobile.auth-service-extension payload, set OktaVerify.PasswordSyncClientID to the Desktop Password Sync app Client ID you recorded earlier.
            <!-- replace YOUR_CLIENT_ID with your Desktop Password Sync app Client ID -->
            <key>OktaVerify.PasswordSyncClientID</key>
            <string>YOUR_CLIENT_ID</string>

6. Save Okta Verify Configuration File
   Save Okta_Verify_Configuration_Template.mobileconfig.
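Hand-editing the two templates is where deployments most often go wrong (a placeholder left behind, a tenant pasted as a URL instead of a hostname, or the two payloads in one file pointing at different tenants). The following Python script is an added example, not part of this guide or of Okta's templates: it fills in the tenant hostname and client ID the way the steps above describe, checks both files for the values the guide requires, and prints the three Platform SSO URLs for that tenant. The embedded templates are constructed, minimal stand-ins for the downloaded files, and the tenant and client ID values are made up.

```python
import plistlib

TEAM_ID = "B7F62B65BN"
APP_IDS = ("com.okta.mobile.auth-service-extension", "com.okta.mobile")
PLACEHOLDER_DOMAIN = "accuhive.okta.com"    # example tenant used in the templates
PLACEHOLDER_CLIENT_ID = "YOUR_CLIENT_ID"
PLACEHOLDERS = (PLACEHOLDER_DOMAIN.encode(), PLACEHOLDER_CLIENT_ID.encode())

# Constructed, minimal stand-ins for the two template files the guide downloads.
ASSOCIATED_DOMAINS_TEMPLATE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": "com.apple.associated-domains",
    "Configuration": [{"ApplicationIdentifier": f"{TEAM_ID}.{app_id}",
                       "AssociatedDomains": [f"authsrv:{PLACEHOLDER_DOMAIN}"]} for app_id in APP_IDS],
}]})
OKTA_VERIFY_TEMPLATE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": app_id,
    "OktaVerify.OrgUrl": f"https://{PLACEHOLDER_DOMAIN}",
    "OktaVerify.PasswordSyncClientID": PLACEHOLDER_CLIENT_ID,
} for app_id in APP_IDS]})

def fill_template(template: bytes, tenant: str, client_id: str) -> bytes:
    """Replace the example tenant and client ID, as the guide's manual edit does."""
    if "/" in tenant or ":" in tenant:   # a bare hostname, not a URL with scheme or path
        raise ValueError(f"tenant must be a bare hostname, got {tenant!r}")
    text = template.decode().replace(PLACEHOLDER_DOMAIN, tenant)
    return text.replace(PLACEHOLDER_CLIENT_ID, client_id).encode()

def check_profiles(assoc: bytes, verify: bytes, tenant: str, client_id: str) -> list:
    """Return the problems found; an empty list means both files are ready to upload."""
    problems = [f"placeholder {p.decode()} still present" for p in PLACEHOLDERS if p in assoc + verify]
    # Associated Domains: one Configuration entry per Okta app, each authsrv:<tenant>.
    entries = {c["ApplicationIdentifier"]: c["AssociatedDomains"]
               for p in plistlib.loads(assoc)["PayloadContent"]
               if p.get("PayloadType") == "com.apple.associated-domains"
               for c in p["Configuration"]}
    for app_id in APP_IDS:
        if entries.get(f"{TEAM_ID}.{app_id}") != [f"authsrv:{tenant}"]:
            problems.append(f"AssociatedDomains wrong for {app_id}")
    # Okta Verify: OrgUrl and PasswordSyncClientID must be set on both app payloads.
    prefs = {p["PayloadType"]: p for p in plistlib.loads(verify)["PayloadContent"]}
    for app_id in APP_IDS:
        pref = prefs.get(app_id, {})
        if pref.get("OktaVerify.OrgUrl") != f"https://{tenant}":
            problems.append(f"OktaVerify.OrgUrl wrong for {app_id}")
        if pref.get("OktaVerify.PasswordSyncClientID") != client_id:
            problems.append(f"OktaVerify.PasswordSyncClientID wrong for {app_id}")
    return problems

def platform_sso_urls(tenant: str) -> list:
    """The three URLs the guide lists for the Single Sign-on Extension Library Item."""
    paths = ("/device-access/api/v1/nonce", "/oauth2/v1/token", "/v1/auth/device-sign")
    return [f"https://{tenant}{path}" for path in paths]

if __name__ == "__main__":
    tenant, client_id = "example.okta.com", "0oaEXAMPLECLIENTID"   # constructed values
    assoc = fill_template(ASSOCIATED_DOMAINS_TEMPLATE, tenant, client_id)
    verify = fill_template(OKTA_VERIFY_TEMPLATE, tenant, client_id)
    print(check_profiles(assoc, verify, tenant, client_id) or "both profiles OK")
    print("\n".join(platform_sso_urls(tenant)))
```

To check the real downloaded files, read each one as bytes and pass it to fill_template and check_profiles in place of the constructed templates.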

Configure the Okta Platform SSO Single Sign-on Extension Library Item

Use a Single Sign-on Extension Library Item to deploy the Okta Verify redirect extension and Platform SSO settings on enrolled Mac computers.
Finish the Okta Associated Domains and Okta Verify Configuration Custom Profiles before you assign this Library Item.
See the Library Overview article to add Library Items in Iru Endpoint. For field descriptions, see Configure the Single Sign-On Extension Library Item.
1. Name the Library Item
   Enter a Name for the new Library Item (for example Okta Platform SSO).

2. Select Platform
   Select Mac as the Install on platform.

3. Assign to Blueprints
   Assign the Library Item to the same Blueprints as your SCEP Library Item and Custom Profile Library Items for this deployment.

4. Select Extension Type
   Under Extension type, select Redirect.

5. Configure Extension Identifier
   For Extension identifier, enter:
   com.okta.mobile.auth-service-extension

6. Set Team Identifier
   For Team identifier, enter:
   B7F62B65BN

7. Configure URLs
   Add these URLs, replacing accuhive.okta.com with your Okta org hostname (the same hostname you used in the Associated Domains and Okta Verify templates):
   https://accuhive.okta.com/device-access/api/v1/nonce
   https://accuhive.okta.com/oauth2/v1/token
   https://accuhive.okta.com/v1/auth/device-sign

8. Leave Hosts empty
   Leave Hosts empty.

9. Enable Platform SSO
   Toggle Platform SSO on.

10. Select Authentication Method
    Under Authentication method, select Password. Desktop Password Sync requires password authentication at the macOS login window.

11. Enter Registration token (optional)
    Enter a Registration token only if Okta or your org requires one for Platform SSO registration.

12. Enable macOS 15 and later settings (optional)
    Under Platform SSO, turn on any macOS 15 and later options your org needs for Desktop Password Sync or FileVault. See FileVault Support for macOS 15+ and Okta’s macOS PSSO version history.

13. Set Existing Users permissions
    Set default permissions for Existing Users (Standard or administrator, or a group you configure in a later step).

14. Set New Users permissions
    Set default permissions for New Users.

15. Enable Shared Device Keys
    Select Use shared device keys. This setting is required for Desktop Password Sync.

16. Enable authorization with identity provider
    Turn on Allow authorization (with identity provider account) so users can approve system prompts with their Okta credentials.

17. Enable automatic local account creation (optional)
    If you want local accounts created automatically at the login window, enable Allow creation of new users at login window.
    Local account creation requires the device to be online at the login window with FileVault unlocked, and Iru Endpoint must have a valid bootstrap token for the device.

18. Enable device attestation (optional)
    If your org uses device attestation, turn on the option to send the device UDID and serial number in Platform SSO attestations (macOS 15.4 and later).

19. Enter Account display name
    Enter an Account display name users will recognize in notifications and sign-in prompts (often your company name). This value is system-wide and visible to every user on the Mac.

20. Set Require Full Login Timeout
    Specify Require full login in seconds. The default in Iru Endpoint is 18 hours (64800 seconds). The minimum is 1 hour (3600 seconds).

21. Configure Token Mapping
    Under Token mapping, configure AccountName and FullName, plus any other attributes you need for new user creation and authorization. Use attribute names from your Okta tenant for Platform SSO or Desktop Password Sync. If you aren’t sure which values to use, ask your Okta administrator or see Configure login options in Configure the Single Sign-On Extension Library Item.

22. Configure Groups (optional)
    Optional: configure Admin groups, Additional groups, and User groups:
      • Admin groups are groups from Okta that should receive administrator access on the device.
      • Additional groups are custom groups to create in the device’s local directory.
      • User groups map macOS system rights (for example sudo or printer management) to local directory groups.

23. Save the Library Item
    Click Save.

If you deploy Platform SSO during Setup Assistant on macOS 26 or later, configure the Mac macOS 26 and later section of this Library Item. See Enable Registration During Setup Assistant (macOS 26 and later).

Enable Registration During Setup Assistant (macOS 26 and later)

On macOS 26 and later, Platform SSO can run during Setup Assistant so the Mac registers with Okta earlier in enrollment. Set registration during setup, first-user creation, profile picture sync, and Authenticated Guest Mode in the Mac macOS 26 and later section of your Okta Platform SSO Single Sign-on Extension Library Item.
When you deploy Platform SSO with Automated Device Enrollment, do not set Primary account type to Skip primary account creation in the Mac section of your Automated Device Enrollment Library Item. Setup Assistant is where the user sets the local account password. Skipping that step leaves the password unset and can stall enrollment. On Mac computers with Apple silicon and some other models, credentials are stored in the Secure Enclave. See Apple’s documentation for which devices include a Secure Enclave. Skip primary account creation is for Passport workflows, not Platform SSO.

1. Open the Single Sign-on Extension Library Item
   In the Library, open your Okta Platform SSO Single Sign-on Extension Library Item, click Edit, then go to Mac macOS 26 and later in the Platform SSO section.

2. Set Enable registration during Setup Assistant
   For Enable registration during Setup Assistant, select Yes to register with Okta during Setup Assistant.

3. Set Create first user during Setup Assistant
   For Create first user during Setup Assistant, select Yes when the Mac should create its first local account during Setup Assistant from the Okta identity. Select No if you provision the first account another way.

4. Set Synchronize profile picture
   For Synchronize profile picture, select Yes to copy the user’s Okta profile picture to the local macOS account during setup, or No to skip it.

5. Set Enable Authenticated Guest Mode
   Turn on Enable Authenticated Guest Mode for shared Macs where users sign in temporarily with Okta. Leave it off for standard single-user Macs.

6. Set New user authentication methods
   Under New user authentication methods, select the methods for newly created accounts. Include Password and SmartCard as your org requires.

7. Save the Library Item
   Click Save.

Install Platform SSO Library Items during Automated Device Enrollment

When you use registration during Setup Assistant, the SCEP Library Item, both Custom Profile Library Items, the Okta Platform SSO Single Sign-on Extension Library Item, and the Okta Verify Auto App must install before Setup Assistant finishes. Add and assign those Library Items in Add Library Items in Iru Endpoint, then configure Automated Device Enrollment:
1. Open the Automated Device Enrollment Library Item
   In the Library, open your Automated Device Enrollment Library Item and go to the Mac section.

2. Turn on Install Library Items during Setup Assistant
   Turn on Install Library Items during Setup Assistant for Mac so selected Library Items install during enrollment setup instead of after Setup Assistant completes.

3. Add required Library Items
   Select Add Library Items and add each item from this guide:
     • SCEP Library Item
     • Okta Associated Domains (Custom Profile) — Okta_Associated_Domains_Configuration_Template.mobileconfig
     • Okta Verify Configuration (Custom Profile) — Okta_Verify_Configuration_Template.mobileconfig
     • Okta Platform SSO (Single Sign-on Extension Library Item)
     • Okta Verify Auto App
   A Library Item in this list installs during Setup Assistant only when it is also on the device’s Blueprint Assignment Map. Add every item you need during setup to that map.

4. Save the Automated Device Enrollment Library Item
   Click Save on the Automated Device Enrollment Library Item.

See Install Library Items during Setup Assistant for the install experience, timeouts, and other considerations.

Add Library Items in Iru Endpoint

Add your SCEP Library Item, Custom Profile Library Items, Okta Platform SSO Single Sign-on Extension Library Item, and Okta Verify Auto App to Iru Endpoint. See the Library Overview article if you need the basics.
1. Create the Associated Domains Custom Profile Library Item
   Name the Library Item (for example Okta Associated Domains). Assign it to your Blueprints. Upload your edited Okta_Associated_Domains_Configuration_Template.mobileconfig file, then click Save.

2. Confirm the Okta Platform SSO Single Sign-on Extension Library Item
   If you haven’t already, complete Configure the Okta Platform SSO Single Sign-on Extension Library Item and assign it to the same Blueprint(s).

3. Create the Okta Verify Custom Profile Library Item
   Create a Custom Profile Library Item for Okta_Verify_Configuration_Template.mobileconfig (for example Okta Verify Configuration). Assign it to the same Blueprint(s), upload the file, and click Save.

4. Assign the Okta Verify Auto App
   In the Library, go to Auto Apps and open Okta Verify. Assign the Library Item to the same Blueprint(s) as the SCEP Library Item, Custom Profile Library Items, and Okta Platform SSO Single Sign-on Extension Library Item.

5. Deploy to devices
   After devices receive the Library Items and Okta Verify Auto App, users are prompted to register and sync their Okta password.

Assignment Maps

Assign the SCEP Library Item, both Custom Profile Library Items, the Okta Platform SSO Single Sign-on Extension Library Item, and the Okta Verify Auto App on the Blueprint Assignment Map. Use conditional logic when you need to scope Library Items to specific device groups. See Configuring Blueprints for Blueprint basics.

Switch to the Okta Verify Auto App

If Okta Verify is already on the Blueprint through another Library Item, switch to the Okta Verify Auto App without redoing Desktop Password Sync setup. Your Custom Profile Library Items, Okta Platform SSO Single Sign-on Extension Library Item, and Okta configuration stay on the device.
Make assignment changes in one Assignment Map edit session. Assign the Okta Verify Auto App before you select Save. Do not leave computers without an assigned Okta Verify app after you save.
1. Edit the Assignment Map
   Open the Blueprint Assignment Map, then select Edit assignments.

2. Remove the previous Okta Verify assignment
   Remove the existing Okta Verify Library Item from the Assignment Map.

3. Assign the Okta Verify Auto App
   Add the Okta Verify Auto App Library Item to the same Assignment Map scope as your SCEP, Custom Profile, and Okta Platform SSO Library Items.

4. Save the Assignment Map
   Select Save to apply the Assignment Map changes.

The previous Okta Verify app is removed from devices. The Associated Domains profile, Okta Platform SSO Single Sign-on Extension configuration, and Okta Verify Custom Profile remain. On the next Iru Agent check-in (within about 15 minutes), Iru Endpoint installs the Okta Verify Auto App. If you also use Okta Device Trust, see Configure Okta Verify for Device Trust when you need to update ODT on the Auto App.

User Experience and Next Steps

With Platform SSO enabled, macOS hides the Change button in the Password field under Users & Groups (System Settings). Apple designed this behavior for Platform SSO.
After deployment, send users to User Experience with Okta Desktop Password Sync for registration steps.