Skip to main content

Mac Workstation MFA

Overview

BlockID Workstation Login for macOS is an Authorization Plugin that supports passwordless and MFA logins on Mac for local and Active Directory users (for domain-joined machines).

If your organization is using Active Directory to manage its users, you have the option of enabling BlockID Workstation Login. Once configured, BlockID Workstation Login allows users to log in to their Mac workstation using BlockID passwordless authentication, including when you are offline.

Authentication SchemeSupported CapabilityBlockID
ONLINEUser ID & PasswordTraditional login
ONLINEUser ID & Password + BlockID TOTP
(coming soon)
MFA
ONLINEUser ID & Password + hardware TOTP
(coming soon)
MFA
ONLINEUser ID + BlockID TOTP
(coming soon)
Passwordless & MFA
ONLINEUser ID + hardware TOTP
(coming soon)
Passwordless & MFA
ONLINEQR Code or Push NotificationPasswordless
ONLINEFIDO Login + Device Biometrics + DID LinkedIdentity-based Authentication
OFFLINEUser ID & Password + Workstation OTPMFA for Offline use
OFFLINEUser ID + Workstation OTPPasswordless MFA for Offline use

Prerequisites

There are a few prerequisites that need to be met before Workstation Login can be enabled:

caution

BlockID Authorization Plugin for macOS does not support FileVault

caution

BlockID Authorization Plugin for macOS does not support Touch ID

tip

Our FIDO2 authentication architecture does not require NDES configuration to use passwordless authentication on macOS

The authorization plugin package for macOS is based on virtual smartcard architecture and authenticates AD-managed users based on the user's certificate received from the admin portal. Automation scripts ensure easy installation and uninstallation across an enterprise.

For AD-managed users who are enrolled for workstation login, a SCEP certificate is generated during the initial enrollment of their smartphone on the BlockID app. End users are not expected to take any additional steps to enable workstation logins.

caution

Installing the authorization plugin on macOS creates a new keychain for the existing user. Please note that the local user's existing keychain cannot be accessed anymore.

  • The username of the persona enrolled on the BlockID mobile app must match the user id of your machine's local user in case of local user logon
  • Remote login must be enabled on your macOS workstation. This allows logging into the workstation from another machine via the terminal in case the user gets locked out.
tip

We recommend taking a Time Machine backup on the Mac workstation before installing the BlockID for macOS

Considerations for Workstation Login for macOS

  • Currently we do not support offline OTP and MFA (username + password + OTP) login methods.

Enable Remote Login

To enable remote login, please do the following:

  • Navigate to System Preferences -> Sharing -> Remote Login -> Allow access for: All users
  • Users should also note down the displayed ssh credentials, as shown below

Manual Installation and Configuration

Install BlockID Workstation Login for macOS

To install BlockID Workstation for macOS, follow these steps:

tip

Workstation Login for macOS supports both Active Directory and Local User login.

caution

For Active Directory users, the macOS workstation must be domain joined.

  1. Copy BlockID_<version>.pkg to your workstation and double-click the file to start the installation. There are separate pkg installers for Apple silicon and Intel chipsets.
  2. Follow the steps on the GUI installer.
  1. Select a disk to install and click Continue.
  2. Click Install.

The installation process is in progress.

  1. Click Close to exit the installer.
note

If you encounter any issues during installation, please consult the generated log file located at /var/tmp/BlockIDInstall.log

Configure BlockID Workstation Login for macOS

BlockID for macOS can be configured using the plist located at /Library/Security/SecurityAgentPlugins/BlockIDPlugin.bundle/Contents/Resources/BlockID_Configuration.plist.

In this example, we will be editing the configuration file using the terminal, though this is not a requirement. The plist file contains key-value data that can be easily edited using any text editor with Administrator privileges.

  • Launch a terminal window and run the following command:
sudo vi /Library/Security/SecurityAgentPlugins/BlockIDPlugin.bundle/Contents/Resources/BlockID_Configuration.plist
  • Enter the sudo user password

  • Update the configuration details (example shown below).

  • Save your changes and exit (Esc + :wq + Enter)

Sample plist Configuration File

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CONNECTION_PROTOCOL</key>
<string>https://</string>
<key>CONNECTION_PORT</key>
<string>443</string>
<key>TENANT_ID</key>
<string>test.1kosmos.net</string>
<key>TENANT_TAG</key>
<string>test</string>
<key>COMMUNITY</key>
<string>default</string>
<key>AUTHZ_TYPE</key>
<string>fingerprint</string>
<key>REQUEST_TIMEOUT</key>
<string>45</string>
<key>CONN_TIMEOUT</key>
<string>5</string>
<key>ERROR_MSG</key>
<string>Error while receiving response</string>
<key>PROXY_URL</key>
<string></string>
<key>PROXY_USER</key>
<string></string>
<key>PROXY_PWD</key>
<string></string>
<key>PUBLIC_KEY</key>
<string>**********************</string>
<key>PRIVATE_KEY</key>
<string>**********************</string>
<key>URL_SERV_KEY</key>
<string>/api/r1/community/{communityID}/publickeys</string>
<key>URL_RESPONSE</key>
<string>/api/r1/community/{communityID}/session/{sessionID}/response</string>
<key>URL_HASH</key>
<string>/api/v3/rest/{communityID}/ipfs</string>
<key>URL_PUSH</key>
<string>/api/v3/rest/{communityID}/pushnotification</string>
<key>URL_HEALTH</key>
<string>/healthz</string>
</dict>
</plist>

Configuration Description Table

Name of ConfigurationDescriptionExpected ValuesSample Values
CONNECTION_PROTOCOLTo define whether the connection should be secured or unsecured.https://, http://https://
CONNECTION_PORTValue of the port on the tenant URL to which the connection would be established.Default values are 80 for http & 443 for https443
TENANT_IDContains the Tenant URL to connect to the admin console.<tenant url>test.1kosmos.net
TENANT_TAGContains the Tenant Tag.<tenant tag>test
COMMUNITYContains the community name.<community name>default
AUTHZ_TYPEContains the authentication mode for the mobile device.Values can be fingerprint, face, or pinfingerprint
REQUEST_TIMEOUTThe duration for which the authorization plugin will wait for a response from the admin console. The value is in seconds.Value should ideally be kept in the range of 10 to 240.45
CONN_TIMEOUTThe timeout value for the connection to be successfully established. The value in seconds.Value should ideally be kept in the range of 2 to 10.5
ERROR_MSGDefault error message to be displayed on the lock screen.<error message>Error while receiving response
PROXY_URLCurrently not supportedNANA
PROXY_USERCurrently not supportedNANA
PROXY_PWDCurrently not supportedNANA
PUBLIC_KEYPublic Key of the mac CP Value is auto-generated during installation (NOT TO BE EDITED BY END USER)NANA
PRIVATE_KEYPrivate Key of the mac CP Value is auto-generated during installation NOT TO BE EDITED BY END USERNANA
URL_SERV_KEYEndpoint to request the server public key (NOT TO BE EDITED BY END USER)NANA
URL_RESPONSEEndpoint to request user data (NOT TO BE EDITED BY END USER)NANA
URL_HASHEndpoint to request user data (NOT TO BE EDITED BY END USER)NANA
URL_PUSHEndpoint to send push notification to the user (NOT TO BE EDITED BY THE END USER)NANA
URL_HEALTHEndpoint to check the connection to the console (NOT TO BE EDITED BY THE END USER)NANA

Automated Installation and Configuration via Bash Script

BlockID for macOS can be installed headless using a bash script and a configuration file containing tenant details from the terminal. The automated installation & configuration script only be run by a user with sudo privileges.

The command line flags -i <package name> should be used for installation and -c <config file> for updating the configuration.

Sample CONFIG File

CONFIG
AUTHZ_TYPE=fingerprint
COMMUNITY=default
CONNECTION_PORT=443
CONNECTION_PROTOCOL=https://
CONN_TIMEOUT=10
ERROR_MSG=Error while receiving a response
PRIVATE_KEY=generate
PROXY_PWD=
PROXY_URL=
PROXY_USER=
PUBLIC_KEY=generate
REQUEST_TIMEOUT=45
TENANT_ID=demo.1kosmos.net
TENANT_TAG=1kosmos
tip

The value for PUBLIC_KEY or PRIVATE_KEY should be generate to create new ECDSA key-pair and to update them in the system configuration plist file

Installation and Configuration

BlockIDConfiguration.sh -i <package name> -c <config filename>

Example:
./BlockIDConfiguration.sh -i BlockID_1.05.00.61B74507.pkg -c CONFIG

For Installation

BlockIDConfiguration.sh -i <package name>

Example:
./BlockIDConfiguration.sh -i BlockID_1.05.00.61B74507.pkg

For Configuration

BlockIDConfiguration.sh -c <config filename>

Example:
./BlockIDConfiguration.sh -c CONFIG
note

The workstation must be manually restarted after running the installation script

Supported MFA Mechanisms

Workstation login using Mac supports the following MFA mechanisms:

Online Login

From your macOS login screen, select the user account that is configured for workstation login. Beneath the box where you would normally enter your password, you will see a button that reads Login with BlockID. You will want to ensure that your mobile device that has the BlockID Mobile App installed is nearby.

When you are ready, click Login with BlockID.

You will receive a push notification on your mobile device.

Confirm the authentication request to log in to your workstation.

You can also use push notifications to unlock your workstation using the BlockID Mobile Application.

From a locked screen, the option to BlockID Unlock will be available beneath the password entry box.

Click the button and authenticate using the BlockID Mobile Application. After authenticating the push notification, your screen will be unlocked.

note

If you encounter any issues during installation, please consult the generated log file located at /var/tmp/blockid_log/blockid

Offline Login

The BlockID authorization plugin installed on the Mac workstation can automatically detect if your workstation is offline and prompt for an Offline OTP. Offline OTP codes are available on the BlockID Mobile Application and rotate every 30 seconds. Entering the Offline code will unlock the workstation.

When you are offline, select your user account. Instead of a password entry box, you will see one labeled OTP.

On your phone, open the BlockID Mobile App and click the three-bar hamburger menu to access the Menu.

From the menu, select Offline Login.

You will see a changing QR code with a six-digit Offline OTP beneath. Enter this six-digit code into the OTP box on your Mac workstation.

Click the arrow to authenticate the Offline OTP and log in to your workstation.

note

If you encounter any issues during installation, please consult the generated log file located at /var/tmp/blockid_log/blockid

Uninstallation Steps

You can uninstall BlockID for macOS by running the bash script with sudo privileges.

  1. Launch a terminal window and execute the following command.

    sudo bash BlockIDUninstall.sh
  2. Restart the workstation manually.

    sudo reboot