Integrating Trusona with macOS

This guide details the steps required to install and configure Trusona for macOS.

1. Install and configure the Trusona Mac Setup app

(1) Download the Trusona Mac Setup app and drag it to your Applications folder to install it.

(2) Launch the Trusona Mac Setup app. If this is the first time you are launching the app, you will be prompted to enter an administrator password so the app can install a Privilege Helper tool. This tool allows the setup app to store your credentials safely and to modify the authentication process used to log in to your computer.

A Get Started window will appear.

(3) Open the Preferences window (Trusona Mac Setup > Preferences). If your Trusona SDK credentials are already filled in, you can skip ahead to section 2 Getting Started.

(4) If the SDK credentials are not already filled in, you will need to obtain them from the Trusona Dashboard. Log in to the Trusona Dashboard at https://dashboard.trusona.com.

(5) On the dashboard home page, click on “SDK Credentials” on the left navigation pane and then click “Create Server Credentials”.

(6) Copy and paste these credentials into the corresponding fields of the Trusona Mac Setup preferences window. Once you navigate away from this page, these SDK credentials will not be shown again. You can copy them to a safe place (recommended), or create new ones if needed.

(7) Under the “Integration” subheading on the left, click on “macOS”. Press “Create macOS integration” and give your integration a name.

(8) Copy and paste the Integration ID to the corresponding field in the Trusona Mac Setup preferences window.

(9) Click OK in the Preferences window to save your credentials and close the window.

2. Getting Started

In this section you will associate your smartphone with your Mac and do a test login.

(1) Click in the Get Started window if it is visible, or navigate to Trusona Mac Setup > Help > Get Started.

(2) Follow the on-screen instructions to step through setting up the mobile app and pairing your smartphone with your computer. You may have already set up the Trusona mobile app and account previously.

(3) After you have “paired” your phone with your computer, complete the practice login. This ensures you will be able to log in once you enable Trusona authentication.

(4) The last step of the Get Started walk-through is to enable Trusona authentication.

(5) To test that you can authenticate, navigate to System Preferences > Security & Privacy and then click on the lock (lower left) to authorize making changes. You should be prompted for your password followed by a request to approve in the Trusona Mobile App.

(6) If you are only installing Trusona on this one computer, you are done. You can quit Trusona Mac Setup.

If you update to a newer version of the software, the Privilege Helper may need to be updated to match the corresponding version of Trusona Mac Setup.

3. Mass Deployment of Trusona macOS App using Jamf Pro

Prerequisites:

  • Trusona SDK Credentials as described above (section 1.1).
  • Jamf Pro
  • Composer app
  • Trusona Mac Setup app
  • Mac test machine

3.1. Create a “credential.json” file

To set up Trusona authentication for additional users, you will need to create a small file containing SDK credentials that can be placed on each computer. The file must be named credential.json and will be placed at: /Library/Application Support/Trusona/. The format of the file, which you edit with your own SDK credentials, is shown below:

{
  "mac_key" : "SECRET_FROM_DASHBOARD",
  "api_host" : "https:\/\/api.trusona.net",
  "access_token" : "TOKEN_FROM_DASHBOARD",
  "integration_id" : "INTEGRATION_ID_FROM_DASHBOARD"
}
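As an added example (not Trusona's or Jamf's own tooling), the following script writes credential.json in the format above and then checks it the way a pre-deployment test on the Mac test machine would: all four keys present, no placeholder values left in, and the file readable by root only. The TRUSONA_DIR override, the environment variable names and the script filename are assumptions.

```bash
#!/bin/bash
# Added example, not Trusona's or Jamf's own tooling: creates credential.json for the
# Trusona Mac Setup app and verifies it before a Jamf policy ships it. The three secrets
# are assumed to come from the Trusona Dashboard; TRUSONA_DIR is overridable for dry runs.
set -eu

TRUSONA_DIR="${TRUSONA_DIR:-/Library/Application Support/Trusona}"

# Write the file with exactly the keys the guide shows. Secrets arrive as
# arguments read from the environment, so they never sit in the script body.
write_credential_json() {
  dir="$1"; mac_key="$2"; access_token="$3"; integration_id="$4"
  mkdir -p "$dir"
  # umask 077 means the file is created 0600; chmod covers a pre-existing file.
  (umask 077; cat > "$dir/credential.json" <<EOF
{
  "mac_key" : "$mac_key",
  "api_host" : "https:\\/\\/api.trusona.net",
  "access_token" : "$access_token",
  "integration_id" : "$integration_id"
}
EOF
  )
  chmod 600 "$dir/credential.json"
}

# Verify what the package will deliver: all four keys present and non-empty,
# no placeholders copied unchanged from the guide, and no group/other access.
check_credential_json() {
  f="$1/credential.json"
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  for key in mac_key api_host access_token integration_id; do
    grep -q "\"$key\" *: *\"[^\"]\{1,\}\"" "$f" \
      || { echo "missing or empty key: $key"; return 1; }
  done
  if grep -q "FROM_DASHBOARD" "$f"; then echo "placeholder values still present"; return 1; fi
  perms=$(ls -l "$f" | cut -c5-10)   # group and other permission bits
  [ "$perms" = "------" ] || { echo "too permissive: $perms"; return 1; }
  return 0
}

# On the target Mac, as root, with the three secrets exported beforehand:
#   TRUSONA_MAC_KEY=... TRUSONA_ACCESS_TOKEN=... TRUSONA_INTEGRATION_ID=... ./trusona_credential.sh
if [ -n "${TRUSONA_MAC_KEY:-}" ]; then
  write_credential_json "$TRUSONA_DIR" "$TRUSONA_MAC_KEY" \
    "${TRUSONA_ACCESS_TOKEN:?}" "${TRUSONA_INTEGRATION_ID:?}"
  chown root:wheel "$TRUSONA_DIR/credential.json"   # matches the Composer package ownership
  check_credential_json "$TRUSONA_DIR"
fi
```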

3.2. Create the package

a. Start with a clean install of macOS on your Apple test computer

b. Install Composer on the test machine (the Composer app is included with your Jamf Pro license; see the user guide for details: https://www.jamf.com/resources/product-documentation/composer-user-guide/)

c. Create a new “New and Modified Snapshot” in Composer:

d. Wait until “Before Snapshot” is complete:

e. Place the Trusona Mac Setup app in the root Applications folder (ensure this is the root application folder and NOT the user application folder or else the app will only be available to the currently logged in user).

f. Place the credential.json file you created above at: /Library/Application Support/Trusona/

g. Finish the snapshot process and select the “Create as DMG” option.

h. Set Owner to root and Group to wheel:

3.3. Deploy via Jamf Pro

i. Upload the package created in section 3.2 to the Jamf Pro repository under All Settings/Computer Management:

j. Create a new Computer policy

k. Configure the Packages blade and select the newly created package

l. Define your scope

m. Set the Trigger to “Recurring Check-In”

n. Set the Execution Frequency to “Once per computer”

o. Save the policy

4. FileVault Considerations

Many enterprise deployments use FileVault which alters the login sequence. This section explains how you can use Multi-Factor authentication with FileVault.

When you restart or power on your Macintosh, it boots from a hidden partition called Recovery, which orchestrates starting macOS. Apple cleverly makes the Recovery password screen look very similar to the macOS login window, so many users are not aware that macOS hasn’t started yet.

4.1. Restart with FileVault ON

Upon restart, the Recovery partition will prompt for your FileVault password to unlock the Startup partition containing macOS. The FileVault password you enter is saved as a temporary login hint for the next phase.

After macOS starts up it attempts to login using the FileVault password that was saved as a temporary login hint. If the login succeeds, you will be logged in automatically so you don’t need to enter your password a second time.

In this case the Trusona authorization plugin is not invoked. There are two ways to get around FileVault bypassing Trusona authentication after restart:

(1) Disable full disk encryption autologin. From Terminal you can use the following:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

To restore autologin you can use:

sudo defaults delete /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin

(2) Change the user password so it’s no longer in sync with the FileVault password. If the passwords are different, the FileVault password won’t bypass the macOS login window. This approach is more complicated and not recommended.

On modern Macs with the T2 security chip, the contents of user partitions are always encrypted. The FileVault password is used to recover the encryption key.

4.2. Restart with FileVault OFF

When FileVault is not enabled, Recovery unlocks the Startup Disk containing macOS without requiring a password. There is no FileVault password to be saved as a temporary login hint.

After macOS starts up, the Trusona authorization plugin is invoked and two-factor authentication will be required to log in.


We hope you enjoy using Trusona for the Mac and are here to help.

- The Trusona team
