Duo integrates with macOS to add two-factor authentication to macOS console logons.
Major macOS version upgrades (such as from 10.11 El Capitan to 10.12 Sierra or 10.11 El Capitan to 10.13 High Sierra) may remove Duo's Mac Logon package. You can restore Duo after updating your operating system with the
restore_after_upgrade.py script included in the Duo for macOS zip file (1.0.2 and later).
If you're updating directly from 10.12 Sierra to 10.13 High Sierra, there's no need to perform the restore step. Duo login continues working after the 10.13 upgrade.
Duo's macOS authorization plugin doesn't support inline self-service enrollment. Your users must be enrolled in Duo before logging in, and their Duo usernames must match the macOS username.
We recommend using bulk enrollment or directory sync to send your users unique self-enrollment links via email. Read the enrollment documentation to learn more.
Once installed, Duo authentication is required for new console logons, but not when unlocking the screensaver or when an already logged-on user wakes the system from sleep.
For additional client security, we recommend setting a firmware password to prevent disabling Duo authentication via recovery mode.
Duo for MacOS doesn't require 2FA for remote SSH connections. Looking for SSH login protection? Try Duo Unix.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
Duo's Mac authorization plugin supports OS X 10.10 (Yosemite) and later macOS versions.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate macOS in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
We recommend setting the New User Policy for your macOS application to Deny Access, as no unenrolled user may complete Duo enrollment via this application.
Download and uncompress the Duo macOS plugin installer package and scripts zip archive. This zip file contains the the configuration script for the Duo installer package (configure_maclogon.sh) and the Duo plugin installer and uninstaller .pkg package files.
Ensure your Mac system's time is correct. You can set your Mac to obtain the correct time automatically. Open "System Preferences" and then click "Date & Time". On the "Date & Time" tab, check the box next to "Set date and time automatically" and pick a time server for your region from the drop-down list. Click save when done.
dscl . ls /Users | grep -v _
If the user logging in to macOS after the Duo plugin is installed does not exist in Duo, the user may not be able to log in.
If you're not ready to enforce Duo authentication for all users of this system yet, configure the New User Policy for your macOS application to "Allow Access". This only prompts users enrolled in Duo for 2FA approval, and lets user not yet enrolled in Duo log on to the system without seeing the Duo prompt.
Change to the extracted MacLogon directory and run the configuration script:
If the configuration script is in a different directory than the Duo MacLogon .pkg file, specify the full path to MacLogon-NotConfigured-1.0.4.pkg when running the script.
Supply the following information when prompted by the script:
Provide the integration key from the macOS application page in the Duo Admin Panel.
Provide the secret key from the macOS application page in the Duo Admin Panel.
|Enter API hostname||
Provide the API hostname from the macOS application page in the Duo Admin Panel.
|Should fail open||
|Should bypass 2FA when using smartcard||
|Should auto push if possible||
The configuration script creates a new deployment package with the values you specify. For example, this command configures the Duo for macOS installation package located in the same directory as the configuration script, with fail open enabled, smart card login disabled, and automatic push enabled, and then creates the deploy package MacLogon-1.0.4.pkg:
./configure_maclogon.sh /path/to/MacLogon-NotConfigured-1.0.4.pkg Duo Security Mac Logon configuration tool v1.0.4. See https://duo.com/docs/macos for documentation Enter ikey: DIXXXXXXXXXXXXXXXXX Enter skey: gdk2261xxc9c73fdxx9w73ffsi23xxbak282gebxxs Enter API Hostname: api-xxxxxxxx.duosecurity.com Should fail open (true or false): true Should bypass 2FA when using smartcard (true or false): false Should auto push if possible (true or false): true Modifying ./MacLogon-NotConfigured-1.0.4.pkg... Updating config.plist ikey, skey, host, fail_open, smartcard_bypass, and auto_push config... Finalizing package, saving as ./MacLogon-1.0.4.pkg Cleaning up temp files... Done! The package ./MacLogon-1.0.4.pkg has been configured for your use.
Double-click the newly-created Duo MacLogon deploy .pkg file to start installation. Follow the prompts to select the destination disk and enter the sudo password when prompted by the installer.
You'll need to run the script again if you want to change any of the configuration values, then reinstall the package and restart your Mac for the change to take effect.
If you want to verify the Duo MacLogon application settings you can view the
/private/var/root/Library/Preferences/com.duosecurity.maclogon.plist file. This file is read-only for administrators only.
$ sudo cat /private/var/root/Library/Preferences/com.duosecurity.maclogon.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>apiurl</key> <string>api-xxxxxxxx.duosecurity.com</string> <key>fail_open</key> <true/> <key>ikey</key> <string>DIXXXXXXXXXXXXXXXXX</string> <key>skey</key> <string>gdk2261fhc9c73fdjc9w73ffsi23gdbak282gebsks</string> <key>smartcard_bypass</key> <true/> </dict> </plist>
To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo. The Duo Prompt appears after you successfully submit your macOS credentials.
Select any available factor to verify your identity to Duo:
If you'd like to remove Duo authentication for macOS from your system, double-click the MacLogon-Uninstaller-1.0.4.pkg package included in the Duo MacLogin zip file and follow the installer prompts.
If upgrading macOS to a new major version removed Duo logon protection from your system, restore it with the
restore_after_upgrade.py script included in the Duo MacLogon zip file.
In a Terminal window, change to the extracted MacLogon directory and run the restore script:
sudo python restore_after_upgrade.py