Feb 7, 2022, The 1Kosmos Team

Integrating BlockID with macOS

BlockID now supports passwordless MFA for macOS desktops without requiring any additional hardware. Workforce users authenticate to their workstation through a push alert sent to the BlockID mobile app.

Supported macOS Versions

  • macOS Catalina (10.15)
  • macOS Big Sur (11)

Prerequisites

Administrators will require access to:

  • BlockID Admin Portal
  • Active Directory NDES (infrastructure that supports SCEP)
  • macOS credential provider (CP) package

End users will require access to:

  • Workstation (with the BlockID CP installed)
  • BlockID mobile app (registered with their AD account)

Installation & Setup

The credential provider package for macOS is based on a virtual smartcard architecture and authenticates AD-managed users with the user's certificate received from the admin portal. Automation scripts ensure easy installation and uninstallation across an enterprise.

For AD-managed users who are enrolled for workstation login, a SCEP certificate is generated during the initial enrollment of their smartphone in the BlockID app. End users are not expected to take any additional steps to enable workstation logins.

Workstation Login with Push notifications 

Users are presented with the ‘Login with BlockID’ option that enables them to send a push alert to the BlockID app for their registered AD account. Clicking ‘Approve’ automatically allows login to the workstation. 

Unlock Workstation with BlockID 

Use the push notification to unlock the workstation from the BlockID mobile app.

Login to an Offline workstation 

The credential provider can automatically detect that your workstation is offline and prompt for an Offline OTP. Offline OTP codes are available in the BlockID mobile app and rotate every 30 seconds. Entering the Offline OTP code will unlock the workstation.

Keychain Considerations

Installing the credential provider on macOS creates a new keychain for the existing user. Please note that the local user's existing keychain can no longer be accessed. In upcoming releases, we plan to avoid the need to create a new keychain for the same user.