Install Enterprise Connect Mac Workstation Authentication
Run the following three steps to install the Enterprise Connect Mac Workstation Authentication:
Prepare for installation
You need two files from the download to install Enterprise Connect Mac Workstation Authentication:
- WorkstationAuthenticationForMac.pkg: The Mac installer file.
- WorkstationAuthenticationForMac.xml: The configuration file for the installation.
| For successful installation, you must store these files in the same folder, and they must have the same name (differing only in file type). |
In Enterprise Connect Mac Workstation Authentication, you have two options for multi-factor authentication (MFA):
- Push notifications using the ForgeRock Authenticator application.
- An Open Authorization (OATH) one-time password (OTP) provided by the ForgeRock Authenticator application.
You can only configure one of the MFA methods to use with Enterprise Connect Mac Workstation Authentication.
Configure the XML file
Before you can install Enterprise Connect Mac Workstation Authentication, you must configure the XML file. The XML file includes details about your Ping Identity environment.
To configure the XML file:
- Open WorkstationAuthenticationForMac.xml.
- At a minimum, fill out the required fields server, realm, and tree.
- Save the file.
| Parameter | Description |
|---|---|
| server | Required. Enter the URL of your Ping Identity authentication server. For example, You must include the path to AM in the URL. |
| realm | Required. Enter the name of the Ping Identity realm to authenticate to. For example, |
| tree | Required. The preconfigured journey to use for Enterprise Connect Mac Workstation Authentication. For example, Learn more in create push or journey or create an OTP journey. |
| otpdigits | (Optional) Use this field only if you want your users to use the MFA OTP method. Specify the number of digits for the OTP verification code. You must enter a value to use the OTP journey successfully. You must configure the appropriate journey to use this method. Ensure that the number you put here matches the number you configure in the One Time Password Length field of the OATH Registration node. You use this node when your end users preregister. Learn more in Prerequisites. |
| credentials | (Optional) Determines whether the system sends user credentials to Ping Identity. You must configure the journey to support the validation of the user credentials. To enable sending credentials, set the value to To disable the sending of credentials, set the value to |
| ssourl | (Optional) Enter the URL of the journey that checks for a session and redirects users to an end-user portal after they sign on to their Mac. If you leave this parameter empty, no browser opens after login by default. For example, the URL to the journey can look like: The Success URL node in that journey can look like: Learn more in the SSO journey. |
| ssobrowser | (Optional) Determines the browser that opens when you define the Select one of the following values: Configure the |
The following example displays the completed XML file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<octopus>
  <!-- ********************************************************************************** -->
  <!-- *** REQUIRED *** -->
  <!-- ********************************************************************************** -->
  <server>https://test.forgerock.com/am</server>
  <realm>alpha</realm>
  <tree>wks-push</tree>
  <otpdigits></otpdigits>
  <credentials>true</credentials>
  <!-- ********************************************************************************** -->
  <!-- *** OTHERS *** -->
  <!-- ********************************************************************************** -->
  <!--
  Logging (default: 'info')
  Controls the number and verbosity of logging messages written by Octopus for Mac.
  The valid values for this setting are (in order of increasing verbosity):
  * none
  * error
  * info
  * debug
  Note that no passwords, encryption keys or any other secrets are ever written in
  any of the above logging levels.
  -->
  <logging>info</logging>
  <!-- ********************************************************************************** -->
  <!-- *** SINGLE SIGN ON *** -->
  <!-- ********************************************************************************** -->
  <!-- Ampersands in the URL must be written as &amp; for the file to be well-formed XML -->
  <ssourl>https://test.forgerock.com/am/XUI/?realm=alpha&amp;authIndexType=service&amp;authIndexValue=wks-sso&amp;ForceAuth=true</ssourl>
  <ssobrowser>safari</ssobrowser>
</octopus>
```
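A pre-install check for the rules above (installer and XML in one folder with the same name, required fields filled in, well-formed XML), as an added example that is not part of Ping Identity's documentation or tooling. The function names, the HTTPS-only checks and the sample strings are assumptions made for this example; the element names come from the XML above.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlparse

LOG_LEVELS = {"none", "error", "info", "debug"}  # levels listed in the XML comment

def check_config(xml_text):
    """Return a list of problems found in the configuration XML text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a raw '&' in <ssourl>
        return [f"not well-formed XML: {exc}"]
    def val(name):
        return (root.findtext(name) or "").strip()
    problems = [f"<{n}> is required but empty"
                for n in ("server", "realm", "tree") if not val(n)]
    if val("server"):
        url = urlparse(val("server"))
        if url.scheme != "https" or not url.netloc:  # assumption: TLS-only policy
            problems.append("<server> must be an https URL")
        elif not url.path.strip("/"):
            problems.append("<server> must include the path to AM")
    if val("otpdigits") and not val("otpdigits").isdigit():
        problems.append("<otpdigits> must be a number")
    if val("logging") and val("logging") not in LOG_LEVELS:
        problems.append("<logging> must be none, error, info or debug")
    if val("ssourl") and urlparse(val("ssourl")).scheme != "https":
        problems.append("<ssourl> must be an https URL")
    return problems

def check_pair(pkg_path, xml_path):
    """The installer and its XML must share a folder and a base name."""
    pkg, xml = PurePosixPath(pkg_path), PurePosixPath(xml_path)
    problems = []
    if pkg.parent != xml.parent:
        problems.append("files are in different folders")
    if pkg.stem != xml.stem:
        problems.append("files have different base names")
    return problems

# Constructed samples: GOOD mirrors the example above; BAD has a raw '&' in <ssourl>.
GOOD = ("<octopus><server>https://test.forgerock.com/am</server><realm>alpha</realm>"
        "<tree>wks-push</tree><otpdigits></otpdigits><logging>info</logging>"
        "<ssourl>https://test.forgerock.com/am/XUI/?realm=alpha&amp;ForceAuth=true"
        "</ssourl></octopus>")
BAD = GOOD.replace("&amp;", "&")

if __name__ == "__main__":
    print(check_config(GOOD), check_config(BAD))
```

Running the check against the real file before packaging it for a deployment tool surfaces a malformed or incomplete configuration before it reaches user workstations.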
Install Enterprise Connect Mac Workstation Authentication
After you configure the XML file, the Enterprise Connect Mac Workstation Authentication is ready for installation.
To install the client on your user’s workstation, use one of the following options:
- As an administrator, manually install the client on the machine.
- Use a deployment tool for Macs, such as Just Another Management Framework (Jamf). Ping Identity recommends this method for large deployments.
The steps that follow explore the manual configuration of Enterprise Connect Mac Workstation Authentication on a machine. When using a deployment tool, adjust the steps and settings accordingly.
To install Enterprise Connect Mac Workstation Authentication:
- As an Administrator, run the WorkstationAuthenticationForMac.pkg file to open the installer.
- On the Introduction page, click Continue.
- On the Installation Type page, click Install.
  The system might prompt you for credentials.
- Click Ok to allow the software to access the required locations. You’re prompted to do this twice.
- A modal prompts the signed-on user to enable Enterprise Connect Mac Workstation Authentication. To configure it now, click Enable Workstation Authentication. Learn more in Onboard local users.
  To set up later for yourself (or another user), click Not Now.
- Click Close to exit the installation setup.
- Verify the installation by locating the Ping Identity icon in the top right of the menu bar. This shows that the Enterprise Connect Mac Workstation Authentication is running in the background.
  To access Enterprise Connect Mac Workstation Authentication settings at any time, click the logo and click Open Workstation Authentication Preferences.
| After you enable Enterprise Connect Mac Workstation Authentication, the system prompts the end user to set up Enterprise Connect Mac Workstation Authentication when logging into their machine. |
- Download and install the binaries from Backstage (you must be logged in).
- Install the Mac client on end users' machines.
- (Optional) Onboard and enable local users on their Mac machine.
- (Optional) Enable Offline OTP to allow users to sign on to their Mac when not connected to the internet.
- Verify and test with a test user.