This guide applies to Mac computers

About Managing Passwords with Passport

Passport password management refers to how Passport handles password synchronization between your Identity Provider and local Mac user accounts. This includes automatic password updates, secure storage, and password reset capabilities.
For information about setting up Passport, read through our Configure the Passport Library Item article.

How It Works

Passport can securely store user credentials and automatically synchronize password changes between your Identity Provider (IdP) and the local Mac account. When users change their IdP password, Passport can detect this change and update the local Mac password accordingly, ensuring seamless authentication.

Password Configuration

To give users the most independent experience and reduce password-related support requests, configure the following in the Passport Library Item.
  1. Enable password syncing. In the Passport Library Item, set Store user password to Securely store password in the Access section so Passport can sync IdP and local passwords automatically. For more on how syncing works, see Password Syncing with the identity provider.
  2. Set the password reset URL in the Login Window. In Customize Login Window, configure Include password reset URL so users can reset their IdP password from the login window or the Iru Endpoint menu app without contacting support.
You can enable either setting on its own, but the experience is less seamless. With only password syncing, changes sync automatically but users cannot reset their password via the IdP URL. With only the password reset URL, users can reset their IdP password but their local Mac password will not sync.

Passport & Passcode Conflicts

It is highly recommended to remove the Passcode Library Item from any Blueprint containing Passport. Your IdP should handle password requirements; otherwise users may see the error below. Learn more in Passport Compatibility.
When the Passcode Profile is applying a password requirement that is higher than the requirements defined by the IdP, the following message is displayed to the user at the Passport Login Window:
The password you entered doesn’t yet meet the passcode policy requirements for this Mac; please contact your IT administrator for help.
This Mac has a local passcode policy that applies to passwords that have been changed or created since the policy was put in place. This is common when the Mac passcode policy conflicts with the Identity Provider passcode policy. To resolve this issue, remove the Passcode Library Item from any Blueprints that also contain Passport.

Use full email address at login

Always use your full email address in the username field at the Passport Login Window so sign-in uses your IdP rather than local authentication. To learn more about how the login window and user visibility settings work with Passport, see Passport Compatibility.

Password Experience

For the best result, users should change or reset their password in this order:
  1. Change their password with your organization’s IdP.
  2. If a Passport Reset URL is configured, users can reset their IdP password from the Iru Endpoint menu app or the Passport Login Window.
  3. Let Passport sync the local Mac password to match (Passport will prompt the user or update it automatically).

Password Reset at the Iru Endpoint Menu App

Users can reset their IdP password from the Iru Endpoint menu (gear icon > Reset Password). They are sent to the Passport reset URL set in your Passport Library Item.
  • Requirement: The user must be logged in with their full email address for Reset Password to appear.
To walk users through the steps, share the Reset password from the menu bar (while logged in) section from the User Experience with Passport article.

Password Reset at the Passport Login Window

If the password reset URL is configured in the Passport Library Item, Passport shows a reset link after a user enters an incorrect IdP password three times at the Passport (local) login window. To walk users through the steps, share the Reset password at the login screen section from the User Experience with Passport article.

Password Syncing with the identity provider

The Store user password setting in the Passport Library Item, in the Access section, controls how Passport syncs IdP and local Mac passwords. The two options behave as follows.

Securely store password

Passport stores credentials and can automatically sync the local password with the IdP password.
  • Logged out: If a user changes their IdP password and then signs in at the Passport login window, Passport updates the local password to match automatically.
  • Logged in: If a user changes their IdP password while logged in, Passport prompts them within 5 minutes; the user enters only their IdP password and Passport updates the local password.

Do not store password

Passport does not store the local password. The user must provide it whenever Passport syncs.
  • Logged out: If a user changes their IdP password and then signs in at the Passport login window, Passport asks for their local password before updating it to match.
  • Logged in: If a user changes their IdP password while logged in, Passport prompts within 5 minutes; the user must enter both their local password and their IdP password to update.
  • Login with new IdP password but old local password: If the user signs in with their new IdP password and their local password does not match, Passport prompts for the old local password. With Do not store password, the user must enter both passwords.

Password Syncing with Okta

When using Okta with Passport, set Refresh Token in your Passport OIDC application as follows:
  • Refresh Token disabled (recommended): Use this when Store user password is set to Securely store password. If Refresh Token is left enabled, Passport will not prompt users to update their password while they are logged into their Mac.
  • Refresh Token enabled: Use this only when Store user password is set to Do not store password, to avoid users being repeatedly prompted for their credentials while logged in.
For setup and options, see Passport Configuration with Okta. For issues, see Passport Troubleshooting with Okta.

Password Changes in System Settings

If a user changes their password locally in System Settings, the local password goes out of sync with Passport. Passport then prompts the user for their new local password so it can bring the account back in sync, which sets the local password to match the IdP password. Users should change their password with their IdP so that Passport can sync it to their Mac. To prevent users from changing their password in System Settings, use a Restrictions Library Item and enable Disallow passcode modification in the Passcode and Biometric Settings section. With this restriction applied, the option to change the password in System Settings is inactive.

Password Check Frequency

Passport checks the user’s password every 5 minutes and at every online login from the login window. These checks ensure that the local account password and the user’s IdP password are the same. If they aren’t, the user is prompted to provide their IdP password.

Troubleshooting

Users do not have the option to reset their password

If users do not see the option to reset their IdP password from the login window or the Iru Endpoint menu app, verify that Passport is set up for independent resets. See Recommended password sync configuration to ensure password syncing is enabled and the password reset URL is configured in the Login Window settings so users can use this option.
Note that users at the FileVault login window do not have the normal options to reset their password themselves. The Iru Endpoint menu app and the Passport login window reset URL are only available after the Mac has started and the user reaches the Passport login window. At the FileVault login window, the startup disk is not yet unlocked, so those options are not available. For how to reset a password when the user is at the FileVault login window, see Password reset at the FileVault login window below.

Password reset at the FileVault login window

At the FileVault login window (the screen that appears when the Mac is powered on or restarted, before the main login screen), the startup disk is still encrypted and macOS is not yet running. The Iru Endpoint agent and Passport are not available there, so users cannot use the password reset URL or the menu app to reset their IdP password. The user or an administrator must use the FileVault recovery key to unlock the disk and reset the local password. For step-by-step instructions, see the If FileVault 2 is Enabled section in Reset a macOS user password. Once the local password has been reset and the user reaches the Passport login window, they can change their IdP password to match the new local password using the password reset URL (if configured). See Password Reset at the Passport Login Window for how users can access the reset URL.