Mac Workstation MFA
Overview
BlockID Workstation Login for macOS is an Authorization Plugin that supports passwordless and MFA logins on Mac for local and Active Directory users (for domain-joined machines).
If your organization is using Active Directory to manage its users, you have the option of enabling BlockID Workstation Login. Once configured, BlockID Workstation Login allows users to log in to their Mac workstation using BlockID passwordless authentication, including when you are offline.
Mode | Authentication Scheme | Supported Capability | BlockID |
---|---|---|---|
ONLINE | User ID & Password | Traditional login | ✅ |
ONLINE | User ID & Password + BlockID TOTP (coming soon) | MFA | ✅ |
ONLINE | User ID & Password + hardware TOTP (coming soon) | MFA | ✅ |
ONLINE | User ID + BlockID TOTP (coming soon) | Passwordless & MFA | ✅ |
ONLINE | User ID + hardware TOTP (coming soon) | Passwordless & MFA | ✅ |
ONLINE | QR Code or Push Notification | Passwordless | ✅ |
ONLINE | FIDO Login + Device Biometrics + DID Linked | Identity-based Authentication | ✅ |
OFFLINE | User ID & Password + Workstation OTP | MFA for Offline use | ✅ |
OFFLINE | User ID + Workstation OTP | Passwordless MFA for Offline use | ✅ |
Prerequisites
There are a few prerequisites that need to be met before Workstation Login can be enabled:
- Active Directory
- NDES Configuration for BlockID
- BlockID Authorization Plugin for macOS
- SCEP configuration enabled and setup for AD Broker in AdminX
- BlockID Mobile Application installed and linked to your account
BlockID Authorization Plugin for macOS does not support FileVault
BlockID Authorization Plugin for macOS does not support Touch ID
Our FIDO2 authentication architecture does not require NDES configuration to use passwordless authentication on macOS
The authorization plugin package for macOS is based on virtual smartcard architecture and authenticates AD-managed users based on the user's certificate received from the admin portal. Automation scripts ensure easy installation and uninstallation across an enterprise.
For AD-managed users who are enrolled for workstation login, a SCEP certificate is generated during the initial enrollment of their smartphone on the BlockID app. End users are not expected to take any additional steps to enable workstation logins.
Installing the authorization plugin on macOS creates a new keychain for the existing user. The local user's previous keychain is no longer accessible after installation, so anything stored only there (saved passwords, certificates, notes) must be backed up or exported beforehand.
- The username of the persona enrolled on the BlockID mobile app must match the user id of your machine's local user in case of local user logon
- Remote login must be enabled on your macOS workstation. This allows logging into the workstation from another machine via the terminal in case the user gets locked out.
We recommend taking a Time Machine backup of the Mac workstation before installing BlockID for macOS.
Considerations for Workstation Login for macOS
- Currently we do not support offline OTP and MFA (username + password + OTP) login methods.
Enable Remote Login
To enable remote login, please do the following:
- Navigate to System Preferences -> Sharing -> Remote Login -> Allow access for: All users. If your policy permits, limit Allow access for to the administrator account you will use for recovery rather than All users, since Remote Login exposes SSH to every account in that list.
- Note the ssh command the Sharing pane displays for this machine (ssh <user>@<hostname or IP address>); it is what you will use from another machine if a user is locked out.
Manual Installation and Configuration
Install BlockID Workstation Login for macOS
To install BlockID Workstation for macOS, follow these steps:
Workstation Login for macOS supports both Active Directory and Local User login.
For Active Directory users, the macOS workstation must be domain joined.
- Copy BlockID_<version>.pkg to your workstation and double-click the file to start the installation. There are separate pkg installers for Apple silicon and Intel chipsets; use the one that matches the machine.
- Follow the steps in the GUI installer.
- Select a disk to install on and click Continue.
- Click Install and wait for the installation to complete.
- Click Close to exit the installer.
If you encounter any issues during installation, please consult the generated log file located at /var/tmp/BlockIDInstall.log
Configure BlockID Workstation Login for macOS
BlockID for macOS can be configured using the plist located at /Library/Security/SecurityAgentPlugins/BlockIDPlugin.bundle/Contents/Resources/BlockID_Configuration.plist.
In this example, we will be editing the configuration file using the terminal, though this is not a requirement. The plist file contains key-value data that can be easily edited using any text editor with Administrator privileges.
- Launch a terminal window and run the following command:
sudo vi /Library/Security/SecurityAgentPlugins/BlockIDPlugin.bundle/Contents/Resources/BlockID_Configuration.plist
- Enter the sudo user password.
- Update the configuration details (example shown below).
- Save your changes and exit (Esc, then :wq, then Enter).
Sample plist Configuration File
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CONNECTION_PROTOCOL</key>
<string>https://</string>
<key>CONNECTION_PORT</key>
<string>443</string>
<key>TENANT_ID</key>
<string>test.1kosmos.net</string>
<key>TENANT_TAG</key>
<string>test</string>
<key>COMMUNITY</key>
<string>default</string>
<key>AUTHZ_TYPE</key>
<string>fingerprint</string>
<key>REQUEST_TIMEOUT</key>
<string>45</string>
<key>CONN_TIMEOUT</key>
<string>5</string>
<key>ERROR_MSG</key>
<string>Error while receiving response</string>
<key>PROXY_URL</key>
<string></string>
<key>PROXY_USER</key>
<string></string>
<key>PROXY_PWD</key>
<string></string>
<key>PUBLIC_KEY</key>
<string>**********************</string>
<key>PRIVATE_KEY</key>
<string>**********************</string>
<key>URL_SERV_KEY</key>
<string>/api/r1/community/{communityID}/publickeys</string>
<key>URL_RESPONSE</key>
<string>/api/r1/community/{communityID}/session/{sessionID}/response</string>
<key>URL_HASH</key>
<string>/api/v3/rest/{communityID}/ipfs</string>
<key>URL_PUSH</key>
<string>/api/v3/rest/{communityID}/pushnotification</string>
<key>URL_HEALTH</key>
<string>/healthz</string>
</dict>
</plist>
Configuration Description Table
Name of Configuration | Description | Expected Values | Sample Values |
---|---|---|---|
CONNECTION_PROTOCOL | Defines whether the connection to the tenant is TLS-protected (https://) or plain (http://). With http:// the login exchange travels in clear text, so https:// should be used outside of isolated test setups. | https://, http:// | https:// |
CONNECTION_PORT | Value of the port on the tenant URL to which the connection would be established. | Default values are 80 for http & 443 for https | 443 |
TENANT_ID | Contains the Tenant URL to connect to the admin console. | <tenant url> | test.1kosmos.net |
TENANT_TAG | Contains the Tenant Tag. | <tenant tag> | test |
COMMUNITY | Contains the community name. | <community name> | default |
AUTHZ_TYPE | Contains the authentication mode for the mobile device. | Values can be fingerprint, face, or pin | fingerprint |
REQUEST_TIMEOUT | The duration for which the authorization plugin will wait for a response from the admin console. The value is in seconds. | Value should ideally be kept in the range of 10 to 240. | 45 |
CONN_TIMEOUT | The timeout value for the connection to be successfully established. The value in seconds. | Value should ideally be kept in the range of 2 to 10. | 5 |
ERROR_MSG | Default error message to be displayed on the lock screen. | <error message> | Error while receiving response |
PROXY_URL | Currently not supported | NA | NA |
PROXY_USER | Currently not supported | NA | NA |
PROXY_PWD | Currently not supported | NA | NA |
PUBLIC_KEY | Public key of the Mac CP. The value is auto-generated during installation (NOT TO BE EDITED BY END USER). | NA | NA |
PRIVATE_KEY | Private key of the Mac CP. The value is auto-generated during installation (NOT TO BE EDITED BY END USER). | NA | NA |
URL_SERV_KEY | Endpoint to request the server public key (NOT TO BE EDITED BY END USER) | NA | NA |
URL_RESPONSE | Endpoint to request user data (NOT TO BE EDITED BY END USER) | NA | NA |
URL_HASH | Endpoint to request user data (NOT TO BE EDITED BY END USER) | NA | NA |
URL_PUSH | Endpoint to send push notification to the user (NOT TO BE EDITED BY THE END USER) | NA | NA |
URL_HEALTH | Endpoint to check the connection to the console (NOT TO BE EDITED BY THE END USER) | NA | NA |
Automated Installation and Configuration via Bash Script
BlockID for macOS can be installed headless from the terminal using a bash script and a configuration file containing the tenant details. The automated installation and configuration script can only be run by a user with sudo privileges.
The command line flag -i <package name> installs the package and -c <config file> updates the configuration.
Sample CONFIG File
AUTHZ_TYPE=fingerprint
COMMUNITY=default
CONNECTION_PORT=443
CONNECTION_PROTOCOL=https://
CONN_TIMEOUT=10
ERROR_MSG=Error while receiving a response
PRIVATE_KEY=generate
PROXY_PWD=
PROXY_URL=
PROXY_USER=
PUBLIC_KEY=generate
REQUEST_TIMEOUT=45
TENANT_ID=demo.1kosmos.net
TENANT_TAG=1kosmos
The value for PUBLIC_KEY or PRIVATE_KEY should be generate, which creates a new ECDSA key pair and writes it to the system configuration plist file.
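The following is an added example, not 1Kosmos code or the vendor's BlockIDConfiguration.sh: it reads a KEY=VALUE CONFIG file in the format of the sample above, checks it against the configuration description table (allowed values, timeout ranges, unsupported proxy keys, protocol), and merges the result into the existing BlockID_Configuration.plist while leaving the vendor-generated PUBLIC_KEY/PRIVATE_KEY and the URL_* endpoints untouched. The CONFIG text and plist contents embedded here are constructed for the example; key generation for the generate sentinel is left to the vendor script.

```python
"""Check a BlockID CONFIG file against the configuration table and merge it
into BlockID_Configuration.plist.  Added example, not 1Kosmos code.  The
KEY=VALUE format follows the sample CONFIG, the allowed values and ranges
follow the configuration description table.  PUBLIC_KEY/PRIVATE_KEY and the
URL_* endpoints are never taken from CONFIG (the table marks them as not to
be edited); the vendor script handles 'generate'.
"""
import plistlib

# Marked NOT TO BE EDITED BY END USER in the table: never overwritten here.
PROTECTED = {"PUBLIC_KEY", "PRIVATE_KEY", "URL_SERV_KEY", "URL_RESPONSE",
             "URL_HASH", "URL_PUSH", "URL_HEALTH"}
UNSUPPORTED = {"PROXY_URL", "PROXY_USER", "PROXY_PWD"}  # table: not supported

# Constructed sample inputs (shape of the page's samples, not real tenants).
SAMPLE_CONFIG = """\
AUTHZ_TYPE=fingerprint
COMMUNITY=default
CONNECTION_PORT=443
CONNECTION_PROTOCOL=https://
CONN_TIMEOUT=10
ERROR_MSG=Error while receiving a response
PRIVATE_KEY=generate
PROXY_PWD=
PROXY_URL=
PROXY_USER=
PUBLIC_KEY=generate
REQUEST_TIMEOUT=45
TENANT_ID=demo.1kosmos.net
TENANT_TAG=1kosmos
"""
SAMPLE_PLIST = plistlib.dumps({            # an already-installed plist
    "CONNECTION_PROTOCOL": "https://", "TENANT_ID": "test.1kosmos.net",
    "TENANT_TAG": "test", "COMMUNITY": "default", "CONN_TIMEOUT": "5",
    "PUBLIC_KEY": "constructed-public-key",      # generated at install time
    "PRIVATE_KEY": "constructed-private-key",
    "URL_HEALTH": "/healthz",
})


def parse_config(text):
    """KEY=VALUE per line; blank lines and # comments ignored; first '=' splits."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def validate(cfg):
    """Return the list of problems found (empty list means CONFIG is acceptable)."""
    problems = []
    for key in ("TENANT_ID", "TENANT_TAG", "COMMUNITY"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    proto = cfg.get("CONNECTION_PROTOCOL")
    if proto not in ("https://", "http://"):
        problems.append("CONNECTION_PROTOCOL must be https:// or http://")
    elif proto == "http://":   # allowed by the table, refused here by design
        problems.append("CONNECTION_PROTOCOL is http://: the login exchange with "
                        "the tenant would travel in clear text; use https://")
    port = cfg.get("CONNECTION_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("CONNECTION_PORT must be an integer in 1..65535")
    if cfg.get("AUTHZ_TYPE") not in ("fingerprint", "face", "pin"):
        problems.append("AUTHZ_TYPE must be fingerprint, face or pin")
    for key, lo, hi in (("REQUEST_TIMEOUT", 10, 240), ("CONN_TIMEOUT", 2, 10)):
        val = cfg.get(key, "")
        if not (val.isdigit() and lo <= int(val) <= hi):
            problems.append(f"{key} should be an integer in {lo}..{hi} seconds")
    for key in ("PUBLIC_KEY", "PRIVATE_KEY"):
        if key in cfg and cfg[key] != "generate":
            problems.append(f"{key} must be 'generate'; key material is never pasted in")
    for key in sorted(UNSUPPORTED):
        if cfg.get(key):
            problems.append(f"{key} is set but proxies are not supported")
    return problems


def merge_config(config_text, plist_bytes):
    """Parse, validate and merge CONFIG into the plist; returns the merged dict."""
    cfg = parse_config(config_text)
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    merged = plistlib.loads(plist_bytes)
    for key, value in cfg.items():
        if key not in PROTECTED:      # vendor-generated keys and endpoints stay
            merged[key] = value       # the plist stores every value as <string>
    return merged


if __name__ == "__main__":
    # Real use: read the plist from the path given above and write it back with plistlib.dump.
    print(plistlib.dumps(merge_config(SAMPLE_CONFIG, SAMPLE_PLIST)).decode())
```

The check deliberately treats http:// as an error even though the table lists it as a permitted value: the plugin sends the push and session-response exchange to the tenant, and an unencrypted transport lets anyone on the path read or alter it. Run this against the CONFIG file before handing it to the installation script, and keep the installed plist readable only by root, since it carries the Mac's private key.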
Installation and Configuration
BlockIDConfiguration.sh -i <package name> -c <config filename>
Example:
./BlockIDConfiguration.sh -i BlockID_1.05.00.61B74507.pkg -c CONFIG
For Installation
BlockIDConfiguration.sh -i <package name>
Example:
./BlockIDConfiguration.sh -i BlockID_1.05.00.61B74507.pkg
For Configuration
BlockIDConfiguration.sh -c <config filename>
Example:
./BlockIDConfiguration.sh -c CONFIG
The workstation must be manually restarted after running the installation script
Supported MFA Mechanisms
Workstation login using Mac supports the following MFA mechanisms:
Online Login
From your macOS login screen, select the user account that is configured for workstation login. Beneath the box where you would normally enter your password, you will see a button that reads Login with BlockID. Make sure the mobile device with the BlockID Mobile App installed is nearby.
When you are ready, click Login with BlockID.
You will receive a push notification on your mobile device.
Confirm the authentication request to log in to your workstation.
You can also use push notifications to unlock your workstation using the BlockID Mobile Application.
From a locked screen, the option to BlockID Unlock will be available beneath the password entry box.
Click the button and authenticate using the BlockID Mobile Application. After authenticating the push notification, your screen will be unlocked.
If you encounter any issues during login, please consult the generated log file located at /var/tmp/blockid_log/blockid
Offline Login
The BlockID authorization plugin installed on the Mac workstation can automatically detect if your workstation is offline and prompt for an Offline OTP. Offline OTP codes are available on the BlockID Mobile Application and rotate every 30 seconds. Entering the Offline code will unlock the workstation.
When you are offline, select your user account. Instead of a password entry box, you will see one labeled OTP.
On your phone, open the BlockID Mobile App and tap the three-line (hamburger) menu icon to open the Menu.
From the menu, select Offline Login.
You will see a changing QR code with a six-digit Offline OTP beneath. Enter this six-digit code into the OTP box on your Mac workstation.
Click the arrow to authenticate the Offline OTP and log in to your workstation.
If you encounter any issues during offline login, please consult the generated log file located at /var/tmp/blockid_log/blockid
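The page states only that the offline code is six digits and rotates every 30 seconds; it does not say how the Workstation OTP is derived. The following added example (not BlockID code) assumes, as a labelled assumption, that it is an RFC 6238 TOTP over a shared secret provisioned at enrollment, and shows what a workstation-side check of such a code needs when there is no network: the local clock, a small skew window so a code typed just after it rotated still works, a constant-time comparison, and a record of the last counter accepted so the same code cannot be replayed within its window. The secret used below is the RFC 6238 test secret, constructed for the example.

```python
"""Offline OTP check with a 30-second step, skew window and replay guard.

Added example, not BlockID code.  ASSUMPTION: the offline code is an
RFC 6238 TOTP (HMAC-SHA1 over a 30 s counter, six digits); the page only
says the code is six digits and rotates every 30 seconds.
"""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, as stated on the page
DIGITS = 6     # code length, as stated on the page
SKEW = 1       # accept one step either side of the workstation clock

# RFC 6238 test secret, used here as constructed sample input.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class OfflineVerifier:
    """Workstation-side verifier: no network, just the secret and the local clock."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                # injectable clock so the check is testable
        self.last_counter = -1        # highest step already consumed; blocks replay

    def verify(self, code: str) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = int(self.now()) // STEP
        accepted = False
        for candidate in range(current - SKEW, current + SKEW + 1):
            if candidate <= self.last_counter:
                continue              # that step was used already (or is older)
            expected = totp(self.secret, candidate * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                accepted = True       # keep looping: no early exit on match
        return accepted


if __name__ == "__main__":
    verifier = OfflineVerifier(SAMPLE_SECRET)
    print("current code:", totp(SAMPLE_SECRET, int(time.time())))
    print("verify:", verifier.verify(totp(SAMPLE_SECRET, int(time.time()))))
```

Two things in this check matter more than the arithmetic: the replay record (without it a code observed over someone's shoulder stays valid for the whole window) and the fact that the shared secret lives on the workstation, so the file or keychain item holding it has to be readable only by the plugin's privileged context.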
Uninstallation Steps
You can uninstall BlockID for macOS by running the bash script with sudo privileges.
- Launch a terminal window and execute the following command:
sudo bash BlockIDUninstall.sh
- Restart the workstation manually:
sudo reboot