
Workstation Login for macOS

Overview

If your organization uses Active Directory to manage its users, you can enable BlockID Workstation Login.

Once configured, BlockID Workstation Login lets users log in to their Mac workstation with BlockID passwordless authentication, including when the workstation is offline.

| Authentication Scheme | Supported Capability | BlockID |
| --- | --- | --- |
| ONLINE | User ID & Password | Traditional login |
| ONLINE | User ID & Password + BlockID TOTP (coming soon) | MFA |
| ONLINE | User ID & Password + hardware TOTP (coming soon) | MFA |
| ONLINE | User ID + BlockID TOTP (coming soon) | Passwordless & MFA |
| ONLINE | User ID + hardware TOTP (coming soon) | Passwordless & MFA |
| ONLINE | QR Code or Push Notification | Passwordless |
| ONLINE | FIDO Login + Device Biometrics + DID Linked | Identity-based Authentication |
| OFFLINE | User ID & Password + Workstation OTP | MFA for Offline use |
| OFFLINE | User ID + Workstation OTP | Passwordless MFA for Offline use |

Prerequisites

The following prerequisites must be met before Workstation Login can be enabled:

caution

BlockID Authorization Plugin for macOS does not support FileVault

caution

BlockID Authorization Plugin for macOS does not support Touch ID

tip

Our FIDO2 authentication architecture does not require a Network Device Enrollment Service (NDES) configuration to use passwordless authentication on macOS

The authorization plugin package for macOS is based on a virtual smart card architecture: it authenticates AD-managed users with the user certificate received from the admin portal. Automation scripts are provided for installation and uninstallation across an enterprise.

For AD-managed users enrolled for workstation login, a SCEP certificate is generated during the initial enrollment of their smartphone in the BlockID app. End users do not need to take any additional steps to enable workstation login.

caution

Installing the authorization plugin on macOS creates a new keychain for the existing user. The local user's existing keychain can no longer be accessed afterwards, so export anything you still need from it before installing.
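The prerequisites above (no FileVault, plugin registered as an authorization mechanism, log file in place) can be checked from a terminal before and after installation. The script below is an added example and is not 1Kosmos/BlockID code. It parses the output of Apple's `fdesetup status` and `security authorizationdb read system.login.console` commands; because the page does not document the name of the BlockID mechanism, it simply lists every mechanism in the login right that is not an Apple built-in. The sample command outputs embedded in the script, including the mechanism name `ExampleVendor:login`, are constructed for offline demonstration.

```python
"""Pre-install checks for the macOS prerequisites listed above.

Added example, not 1Kosmos/BlockID code. Assumptions: the BlockID plugin's
mechanism name is not documented on this page, so the script only lists
mechanisms in the login right that are not Apple built-ins; the sample
command outputs below are constructed for offline demonstration.
"""
import os
import plistlib
import subprocess

LOG_FILE = "/var/tmp/blockid_log/blockid"   # log path documented on this page
LOGIN_RIGHT = "system.login.console"        # right that loginwindow evaluates

# Bundle prefixes (the part before ':') of mechanisms Apple ships in the login right.
APPLE_MECHANISM_PREFIXES = {
    "builtin", "loginwindow", "HomeDirMechanism",
    "MCXMechanism", "PKINITMechanism", "CryptoTokenKit",
}

# Constructed sample output of `fdesetup status` on a machine with FileVault off.
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

# Constructed sample of `security authorizationdb read system.login.console` after a
# third-party plugin was added; "ExampleVendor:login" is a hypothetical mechanism name.
SAMPLE_AUTHDB = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:authenticate,privileged</string>
    <string>ExampleVendor:login</string>
    <string>builtin:login-success</string>
    <string>loginwindow:done</string>
  </array>
</dict>
</plist>
"""


def filevault_enabled(fdesetup_output: str) -> bool:
    """Interpret `fdesetup status`; its first line is 'FileVault is On.' or 'FileVault is Off.'."""
    lines = [line.strip() for line in fdesetup_output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty fdesetup output")
    if lines[0].startswith("FileVault is On"):
        return True
    if lines[0].startswith("FileVault is Off"):
        return False
    raise ValueError("unrecognised fdesetup output: %r" % lines[0])


def third_party_mechanisms(right_plist: bytes) -> list:
    """Mechanisms in an authorizationdb right whose bundle is not an Apple built-in."""
    right = plistlib.loads(right_plist)
    return [m for m in right.get("mechanisms", [])
            if m.split(":", 1)[0] not in APPLE_MECHANISM_PREFIXES]


def prerequisite_report(fdesetup_output: str, right_plist: bytes, log_present: bool) -> dict:
    """Combine the checks into one report; filevault_ok is False when FileVault is on."""
    return {
        "filevault_ok": not filevault_enabled(fdesetup_output),
        "third_party_mechanisms": third_party_mechanisms(right_plist),
        "log_file_present": log_present,
    }


def main() -> None:
    try:
        fv_out = subprocess.run(["fdesetup", "status"], capture_output=True,
                                text=True, check=True).stdout
        # authorizationdb prints the right as an XML plist on stdout ("YES (0)" goes to stderr)
        right = subprocess.run(["security", "authorizationdb", "read", LOGIN_RIGHT],
                               capture_output=True, check=True).stdout
    except FileNotFoundError:
        print("fdesetup/security not found (not macOS); using constructed sample data")
        fv_out, right = SAMPLE_FDESETUP_OFF, SAMPLE_AUTHDB
    report = prerequisite_report(fv_out, right, os.path.exists(LOG_FILE))
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["filevault_ok"]:
        print("FileVault is on: the BlockID authorization plugin does not support it")
    if not report["third_party_mechanisms"]:
        print(f"no third-party mechanism in {LOGIN_RIGHT}: plugin not installed yet")


if __name__ == "__main__":
    main()
```

Run it as a normal user; both Apple commands read without root. The Touch ID caution cannot be verified this way and still has to be checked in System Settings.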

Logging In Using BlockID

Online Login

From your macOS login screen, select the user account that is configured for workstation login. Beneath the box where you would normally enter your password, you will see a button that reads Login with BlockID. Make sure the mobile device with the BlockID Mobile App installed is nearby.

When you are ready, click Login with BlockID.

You will receive a push notification on your mobile device.

Confirm the authentication request to log in to your workstation.

You can also unlock your workstation with a push notification from the BlockID Mobile Application.

From the lock screen, a BlockID Unlock button is available beneath the password entry box.

Click the button and approve the push notification in the BlockID Mobile Application. Once the request is approved, your screen is unlocked.

note

If you encounter any issues during installation, consult the generated log file at /var/tmp/blockid_log/blockid

Offline Login

The BlockID authorization plugin installed on the Mac workstation detects when the workstation is offline and prompts for an Offline OTP instead. Offline OTP codes are shown in the BlockID Mobile Application and rotate every 30 seconds. Entering the current code unlocks the workstation.

When you are offline, select your user account. Instead of a password entry box, you will see one labeled OTP.

On your phone, open the BlockID Mobile App and tap the three-bar (hamburger) menu to open the Menu.

From the menu, select Offline Login.

You will see a rotating QR code with a six-digit Offline OTP beneath it. Enter this six-digit code into the OTP box on your Mac workstation.

Click the arrow to authenticate the Offline OTP and log in to your workstation.
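The offline step above works because the phone and the workstation each derive the same six-digit code from a shared secret and the current 30-second time step, so no network is needed. The code below is an added worked model of that mechanism and is not BlockID's code: the page states only that the Offline OTP is six digits and rotates every 30 seconds; modelling it as an RFC 6238 TOTP (HMAC-SHA1 over the time counter), the one-step clock-skew window and the replay rule are assumptions made here. It shows the two things an offline verifier has to get right: tolerate a small clock difference between phone and Mac, and refuse a code that has already been used.

```python
"""Worked model of a six-digit OTP that rotates every 30 seconds (RFC 6238 TOTP).

Added example, not BlockID code. The page says only that the Offline OTP is six
digits and rotates every 30 seconds; that it is an RFC 6238 TOTP over a shared
secret, and the skew/replay policy below, are assumptions made here.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # rotation period stated on the page
DIGITS = 6          # code length stated on the page


def totp_at(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OfflineOtpVerifier:
    """What the workstation side must do with no network: check the code against the
    current step and a bounded number of neighbouring steps (clock drift between phone
    and Mac), and never accept a step at or below the last one accepted (replay)."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, candidate: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        # Reject malformed input before doing any crypto (ASCII digits only, exact length).
        if len(candidate) != DIGITS or not (candidate.isascii() and candidate.isdigit()):
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already consumed: a replayed code must not unlock again
            expected = totp_at(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, candidate):  # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


def main() -> None:
    # RFC 6238 test-vector secret, used here only so the demo is reproducible.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp_at(secret, now)
    verifier = OfflineOtpVerifier(secret)
    print(f"code {code} valid for about {STEP_SECONDS - now % STEP_SECONDS}s more")
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))


if __name__ == "__main__":
    main()
```

The skew window is the trade-off to tune: each extra step widens the set of codes accepted at any moment by one, so keep it at the smallest value that survives the clock drift you actually see between phones and workstations.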
