Remote Users Cannot use Mac after installing Duo MFA

jloesch · ‎09-20-2022

(Originally posted 6 days ago)

Hello all,
Creating a topic here to possibly get some help on an issue we’ve been running into using Duo MFA and macOS.

We are deploying Duo through Jamf and we have no issues using the automated enrollment for Mac users that are in office. Our issue is with the Mac users that work remote. As i understand it by default macOS will not allow you to select or change wifi networks from the login screen. This causes conflicts with Duo to where a user is unable to login to the Mac because it is not connected to the internet and it will block a user from logging in, We have it set to enroll them into offline access as well, but this will not prompt them to do so until after they complete the 1st initial authentication while online.
All of our Macs are on the latest software at the time of writing, 12.5.1 and we are using MacLogon-2.0.0.pkg being installed through a policy in Jamf Pro.

If we install Duo on a Macbook then ship it to a remote user, it is essentially a paper weight that they can’t login to or connect to the internet with.
Has anyone else ran into this issue or found an alternative way of deploying Duo to Macs ?
Any and all help would be greatly appreciated.
Thank you

DuoKristina · ‎09-21-2022

That’s a good question for the community. I don’t have any experience managing Macs myself (other than my own). Hopefully someone else with a fleet of Macs has ideas.

Is it possible to…

Install Duo so that it fails open without internet connectivity
Which lets them log in and connect to their wifi
And you tell them to log out and back in to do an online Duo auth
And then they can do Duo offline setup?

OR

Send them the Mac without Duo
Which lets them log in and connect to their wifi
And once the device is online and reporting to Jamf you push the Duo Mac Logon package to the device
And then they can do an online login and Duo offline setup?

Duo, not DUO.

jloesch · ‎09-21-2022

Thank you for your response,
Sending them the Mac without Duo installed can be done as a last resort. I was just hoping there was a better more efficient method of deploying it.

Specifically talking about Duo, Do you know if there is a way to adjust the settings to allow a user to setup offline access first before the initial online authentication ?

DuoKristina · ‎09-21-2022

Not today; verification of the user’s identity and offline privilege via the online authentication is required before permitting offline setup.

It may be worth submitting a feature request for some kind of depot deployment support. How do I submit a feature request to Duo?.

It’s also pretty shocking that here in 2022 you still can’t configure wireless networks from the macOS login screen!

Duo, not DUO.

STEPHAN BUDACH · ‎09-26-2022

Yeah… Apple is busy wasting our time by changing all sorts of other things around. Like the new System Launcher prefs, which will further clutter and complicate our system preferences, but they just won’t listen to me…

However, I had a ticket opened for a pretty much alike issue, which would arise, if - for what ever reason, someone wouldn’t want to have the DuoMobile app on their iPhone. In that case, even after successfully initiating Duo, one would not be able to login and there’s currently no way around that. I was suggesting to update the MacLogin to hanlde HOTP tokens, which then could be generated by the admin console and given to the user on the phone - after having verified the authenticity of that user, of course. My last info an that was, that support wanted to bring that up with engineering and raise an internal feature request for this.

j.a.duke · ‎03-03-2023

I know this thread is old, but the developer can allow network selection if they want to do the work.

I’ve been testing a product from TwoCanoes, xCred, which allows us to authenticate against our Azure Active Directory. You can, from that login screen, select a wireless network.