This guide applies to Mac computers

About Managing Passwords with Passport

Passport password management refers to how Passport handles password synchronization between your Identity Provider and local Mac user accounts. This includes automatic password updates, secure storage, and password reset capabilities. For setup and Library Item configuration, see Configure the Passport Library Item.

How It Works

Passport can securely store user credentials and automatically synchronize password changes between your Identity Provider (IdP) and the local Mac account. When users change their IdP password, Passport can detect this change and update the local Mac password accordingly, ensuring seamless authentication.

Login, Diagnostics, and Network

Sign in with the full email address

At the Passport login window, always enter the user’s full email address in the username field so the session uses your IdP instead of local authentication. For how the login window and visibility settings interact with Passport, see Passport Compatibility.

Use Passport Diagnostics

If a user cannot sign in or password sync seems wrong, open Iru Endpoint Passport Diagnostics with Command-Shift-K-L on the Mac. The panel surfaces useful detail, including error messages returned from your IdP.

Confirm network connectivity

Passport must reach your IdP over the network to validate credentials and sync passwords; there is no offline path for the checks described in this guide. When you customize the Passport login window, enable the network manager so users can join Wi-Fi if needed. The Wi-Fi control honors the Wi-Fi (AirPort) security settings in macOS.

Wi-Fi limits and isolation testing

Passport shows a Wi-Fi icon at the upper-right of the login window; users can click it to join a password-protected network. Passport does not support captive portals, click-through acceptance pages, or enterprise 802.1X networks that require a separate username and password in that flow. To isolate network issues, try a mobile hotspot or wired Ethernet while testing at the Passport login window. For more on Wi-Fi at the login window, see Passport Compatibility.

Ensure Surname (familyName) in Your IdP

Passport requires a familyName value in IdP user attributes. Populate Last name or the equivalent surname field for every account that signs in with Passport, including service accounts you test with.

Password Configuration

To give users the most independent experience and reduce password-related support requests, configure the following in the Passport Library Item.
  1. Enable password syncing. In the Passport Library Item, set Store user password to Securely store password in the Access section so Passport can sync IdP and local passwords automatically. For more on how syncing works, see Password Syncing with the identity provider.
  2. Set the password reset URL in the Login Window. In Customize Login Window, configure Include password reset URL so users can reset their IdP password from the login window or the Iru Endpoint menu app without contacting support.
You can enable either setting on its own, but the experience is less seamless. With only password syncing, changes sync automatically but users cannot reset their password via the IdP URL. With only the password reset URL, users can reset their IdP password but their local Mac password will not sync.

Passport & Passcode Conflicts

It is highly recommended to remove the Passcode Library Item from any Blueprint that also contains Passport and to let your IdP enforce password requirements; otherwise users may see the error below. Learn more in Passport Compatibility.
Passport writes the IdP password into the local account, so the IdP password must also satisfy the local passcode policy. When the Passcode Profile applies a password requirement stricter than the one the IdP enforces, a password the IdP accepts can still be rejected by the Mac, and the following message is displayed to the user at the Passport Login Window:
Message shown to the user: The password you entered doesn’t yet meet the passcode policy requirements for this Mac; please contact your IT administrator for help.
This Mac has a local passcode policy that applies to passwords changed or created since the policy was put in place. This is common when the Mac passcode policy conflicts with the Identity Provider passcode policy. To resolve this issue, remove the Passcode Library Item from any Blueprints that also contain Passport.
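As an added example of how to spot this conflict before users hit it (this is not Passport or Iru code): macOS keeps per-account password rules as NSPredicate strings of the form `policyAttributePassword matches '...'`, which `pwpolicy -u <user> -getaccountpolicies` prints as an XML plist. The script below parses such a plist (a constructed sample is embedded), tests a candidate password against every local rule, and reports the rules that would reject a password the IdP has already accepted. The IdP policy is modelled as a length-only check for illustration; `passcode_conflict`, `idp_accepts` and the rule identifiers in the sample are assumptions, not Passport behaviour or real policy output.

```python
"""Check whether a password accepted by the IdP would fail the local Mac policy.

Added example, not Passport/Iru code. macOS stores per-account password rules
as NSPredicate strings (e.g. policyAttributePassword matches '.{12,}') that
`pwpolicy -u <user> -getaccountpolicies` prints as an XML plist. Because
Passport sets the local password to the IdP password, every local
policyCategoryPasswordContent rule must also accept the IdP password; a rule
that does not is the conflict that produces the "doesn't yet meet the passcode
policy requirements" message at the Passport login window.
"""
import plistlib
import re

# Constructed sample in the shape of `pwpolicy -getaccountpolicies` output.
# Real output is preceded by a "Getting account policies for user ..." banner,
# which load_local_password_rules() strips. Rule identifiers are made up.
SAMPLE_POLICY_PLIST = b"""Getting account policies for user jdoe
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{12,}'</string>
      <key>policyIdentifier</key>
      <string>minimumLength</string>
    </dict>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[0-9].*)'</string>
      <key>policyIdentifier</key>
      <string>requiresNumeric</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Extracts the quoted regex from an NSPredicate "matches" clause.
_MATCHES = re.compile(r"policyAttributePassword\s+matches\s+'((?:[^'\\]|\\.)*)'")


def load_local_password_rules(pwpolicy_output: bytes) -> list[tuple[str, str]]:
    """Return (identifier, regex) pairs from policyCategoryPasswordContent."""
    start = pwpolicy_output.find(b"<?xml")          # drop the banner line(s)
    policy = plistlib.loads(pwpolicy_output[start:] if start >= 0 else pwpolicy_output)
    rules = []
    for entry in policy.get("policyCategoryPasswordContent", []):
        m = _MATCHES.search(entry.get("policyContent", ""))
        if m:
            rules.append((entry.get("policyIdentifier", "?"), m.group(1)))
    return rules


def failing_local_rules(password: str, rules: list[tuple[str, str]]) -> list[str]:
    """Identifiers of local rules the password does not satisfy.

    NSPredicate "matches" requires the whole string to match (ICU regex), so
    re.fullmatch is the Python equivalent.
    """
    return [ident for ident, pattern in rules
            if re.fullmatch(pattern, password, flags=re.DOTALL) is None]


def idp_accepts(password: str, min_length: int = 8) -> bool:
    """Assumed stand-in for the IdP policy: length only, for illustration."""
    return len(password) >= min_length


def passcode_conflict(password: str, pwpolicy_output: bytes = SAMPLE_POLICY_PLIST,
                      idp_min_length: int = 8) -> list[str]:
    """Local rules that would reject a password the IdP already accepted.

    Empty list: Passport can set the local password without the policy error.
    Non-empty: the local policy is stricter than the IdP's, i.e. the conflict
    this section describes.
    """
    if not idp_accepts(password, idp_min_length):
        return []  # the IdP would never hand this password to Passport
    return failing_local_rules(password, load_local_password_rules(pwpolicy_output))


if __name__ == "__main__":
    for pw in ("okta-ok-1", "Correct-horse-7", "shortpw"):
        print(pw, "->", passcode_conflict(pw) or "no conflict")
```

On a real Mac, feed `pwpolicy -u "$USER" -getaccountpolicies` output (captured with subprocess) to `load_local_password_rules` instead of the sample; any non-empty result for a password the IdP accepts means the Passcode Library Item must be removed from the Passport Blueprint, as the section above advises.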

Password Experience

For the best result, users should change or reset their password in this order:
  1. Change or reset their password with your organization’s IdP. If a Passport Reset URL is configured, they can do this from the Iru Endpoint menu app or the Passport Login Window.
  2. Let Passport sync the local Mac password to match. Depending on the Store user password setting, Passport either updates it automatically or prompts the user.

Password Reset at the Iru Endpoint Menu App

Users can reset their IdP password from the Iru Endpoint menu by clicking the gear icon and choosing the Reset Password… option. They are sent to the Passport reset URL set in your Passport Library Item.
  • Requirement: The Reset Password… option is shown only when the user is logged in with their full email address.
To walk users through the steps, share the Reset password from the menu bar (while logged in) section from the User Experience with Passport article.

Password Reset at the Passport Login Window

If the password reset URL is configured in the Passport Library Item, Passport shows a reset link after a user enters an incorrect IdP password three times at the Passport (local) login window. To walk users through the steps, share the Reset password at the login screen section from the User Experience with Passport article.

Password Syncing with the Identity Provider

The Store user password setting in the Passport Library Item, in the Access section, controls how Passport syncs IdP and local Mac passwords. The two options behave as follows.

Securely Store Password

Passport stores credentials and can automatically sync the local password with the IdP password.
  • Logged out: If a user changes their IdP password and then signs in at the Passport login window, Passport updates the local password to match automatically.
  • Logged in: If a user changes their IdP password while logged in, Passport prompts them within 5 minutes; the user enters only their IdP password and Passport updates the local password.

Do Not Store Password

Passport does not store the local password. The user must provide it whenever Passport syncs.
  • Logged out: If a user changes their IdP password and then signs in at the Passport login window, Passport asks for their local password before updating it to match.
  • Logged in: If a user changes their IdP password while logged in, Passport prompts within 5 minutes; the user must enter both their local password and their IdP password to update.
  • Login with new IdP password but old local password: If the user signs in with their new IdP password and their local password does not match, Passport prompts for the old local password. With Do not store password, the user must enter both passwords.

Password Syncing with Okta

When using Okta with Passport, set Refresh Token in your Passport OIDC application to match the Store user password setting:
  • Refresh Token disabled (recommended): Use this when Store user password is set to Securely store password. A valid refresh token lets Passport renew its Okta session without presenting the password, so if Refresh Token is left enabled, Passport will not prompt users to update their password while they are logged into their Mac, and a changed IdP password is not picked up until the next online login.
  • Refresh Token enabled: Use this only when Store user password is set to Do not store password; without a stored password, Passport would otherwise repeatedly prompt users for their credentials while logged in.
For setup and options, see Passport Configuration with Okta. For issues, see Passport Troubleshooting with Okta.

Password Changes in System Settings

If a user changes their password locally in System Settings, the local password goes out of sync with the IdP password. Passport then prompts the user for the new local password so it can set the local password back to match the IdP; the IdP password is always the one that wins. Users should therefore change their password with their IdP so that Passport can sync it to their Mac. To prevent users from changing their password in System Settings, use a Restrictions Library Item and enable Disallow passcode modification in the Passcode & authentication group. With this restriction applied, the option to change the password in System Settings is inactive.

Password Check Frequency

Passport checks the user’s password every 5 minutes while logged in and at every online login from the login window. These checks ensure that the local account password and the user’s IdP password are the same. If they aren’t, the user is prompted to provide their IdP password (and, with Do not store password, their local password as well).

Troubleshooting

What you see: Users do not see a way to reset their IdP password from the Passport login window or the Iru Endpoint menu app.
What to do: Confirm that Include password reset URL is configured under Customize Login Window in the Passport Library Item. At the login window the reset link appears only after three incorrect IdP password attempts, and in the Iru Endpoint menu app the Reset Password… option appears only when the user is logged in with their full email address.
What you see: The user needs to reset a password while only the FileVault pre-boot screen is shown (after power on or restart, before the normal login screen).
What to do: