Recent browser changes impact enforcement of Duo operating systems policy on macOS

Updated May 14, 2021 with additional information.

Hello everyone,

Recent updates to Chrome, Firefox, Safari, and Microsoft Edge Chromium impact the behavior of Duo’s operating systems policy for macOS in a way you may not expect.

What changed?

Chrome, Firefox, Safari, and Microsoft Edge Chromium recently froze the reported version for macOS 11.x.x devices at 10.15.7.

Because of this change, Duo implemented a feature with D215 (released May 6 to 13, 2021) to prevent users from being blocked by OS policy if they are authenticating from browsers that we know have frozen their reported versions for macOS 11.x.x.

This change impacts the following browser versions:

  • Chrome version 90.0.4430 or greater
  • Safari version 14.0.2 or greater
  • Firefox 87.0 or greater, or any older version that reports macOS 11.x.x as 10.16
  • Microsoft Edge Chromium 90.0.818 or greater

Suggested solutions

To enforce a policy of macOS 11.0.0 or newer as the most up-to-date OS, the recommended solution is to provision the Duo Device Health application, included in Duo Access and Duo Beyond editions.

On devices running the Device Health app, OS policy is enforced based on the OS version reported directly by the device rather than the browser’s user agent string.

Note: Windows 10 already requires the use of the Device Health application to get finer version control due to the fact that a browser agent provides very limited information about the Windows 10 version.