Last updated: January 5, 2026
This article lists the operating systems and versions supported by the Beyond Identity Authenticator, minimum system requirements, and deployment prerequisites that IT administrators should review before rollout.
Table of Contents
Quick Support Matrix
| PLATFORM | SUPPORTED OS VERSIONS | AUTHENTICATOR VERSION SUPPORT | NOTES |
|---|---|---|---|
| Windows | Windows 10 (build 18363 and later), Windows 11 | 2.98.1 and later | 64-bit only; .NET framework embedded in installer; review deployment prerequisites. |
| macOS | macOS 14, 15, 26 | 2.98.1 and later | Review deployment prerequisites. |
| iOS / iPadOS | iOS/iPadOS 26 | 2.98.1 and later | iPhone and iPad supported. |
| Android | Android 12 (API 32), 13 (API 33), 14 (API 34) | 2.98.2 and later | — |
| Linux | Official: Debian/Ubuntu (v24.04, 22.04, 20.04); Unofficial: RPM (RHEL/CentOS) | — | See Linux install guide; refer back here for versions. |
End of Life Policy: Beyond Identity does not currently publish formal end-of-life (EOL) dates for operating systems or Authenticator versions. When a platform or version is no longer supported, it will be removed from this page. Administrators should ensure devices are kept on the supported OS versions and Authenticator releases listed above.
Platform Details and Requirements
Windows
OS version | Windows 10 (build 18363 and later), Windows 11 |
Architecture | 64-bit and ARM64 |
.NET | Embedded in the installer |
Processor | Capable of running supported OS versions |
Other | Review deployment prerequisites and allow-list BI processes. Windows requires TPM 1.2 for basic authentication, and TPM 2.0 for Windows Desktop Login. |
macOS
OS version | macOS 14, 15, 26 |
Other | Review deployment prerequisites and allow-list BI processes. |
iOS / iPadOS
OS version | iOS/iPadOS 26 |
Android
OS version | Android 12 (API 32), 13 (API 33), 14 (API 34) |
Linux
| Distributions | Official: Debian/Ubuntu Unofficial: RPM (RHEL/CentOS) |
| Notes | Refer to installer article for steps and caveats; supported versions listed on this page. |
Authenticator Version Support
Minimum supported Authenticator versions:
- Windows, macOS / iOS /: 2.98.1 and later
- Android: 2.98.2 and later
Tip: For latest hot-fixes and feature updates, see the Authenticator release notes.
Deployment Prerequisites
Before deploying the Beyond Identity Authenticator at scale, administrators must ensure that endpoint security tools, firewalls, and device policies allow the app to run without interference.
Allow-Listed Processes (Windows and macOS)
The following processes should be allow-listed in endpoint detection and antivirus tools:
BeyondIdentity.exe(Windows)BeyondIdentityViewHelper
.exe(Windows)BIService.exe (Windows)
Beyond Identity.app(macOS)com.beyondidentity.*background services (macOS)
Code Signing and Team Identifiers
To validate software integrity, ensure these identifiers are recognized:
macOS Team ID:
BZA6SZ8XVQWindows Publisher:
Beyond Identity, Inc.
Network Requirements
The Authenticator must be able to reach Beyond Identity’s cloud endpoints. Ensure the following domains and subdomains are allow-listed in firewalls and proxies:
*.beyondidentity.com*.byndid.com
Security Tool Compatibility
Some endpoint security agents may require exclusions for Beyond Identity processes to prevent interference with authentication flows. Consult your EDR/AV documentation for configuring exceptions.
Deployment Considerations by MDM Platform
The Beyond Identity Platform Authenticator (PA) can be deployed using common MDM solutions such as Microsoft Intune, Jamf, and Kandji. Because the PA performs critical security and enrollment functions, the timing and method of deployment directly affect user onboarding and update behavior.
This section outlines the supported deployment methods and important considerations for each MDM platform.
General Requirements
Regardless of MDM platform:
The Platform Authenticator must be installed after a local user account is created.
Installing the PA prior to user creation (for example, during device pre-provisioning via Win32) prevents the application from updating correctly.The Platform Authenticator must be deployed as a standard application package, not a pre-login or pre-provisioned package.
Automatic updates require a supported installation path.
Unsupported pre-provisioned Win32 installations will not receive updates without manual IT intervention.
Microsoft Intune
Recommended: Line of Business (LOB) Deployment
The preferred method for Windows deployment is Intune Line of Business (LOB) installation using the native .msi package.
Benefits
Installs after user account creation
Preserves automatic update functionality
Provides the most consistent experience for first-time passkey enrollment
Considerations
Installation timing can vary based on device enrollment, policy load, and network conditions.
Admins should be aware that the PA may not be available immediately when the user logs in for the first time.
Not Recommended: Win32 (Intune WIN) Deployment
Intune Win32 packaging is not supported for pre-provisioning and is not recommended for managed Windows deployments.
Limitations
Win32 deployments occur before the local user account is created
This breaks the PA’s automatic update mechanism
Requires manual updates by IT for every release
The PA package (~400 MB) often exceeds customer SLAs for pre-provisioned app size
Pre-provisioning may lead to passkey enrollment failures, as the app may not be ready when needed
Outcome
Customers using Win32 for pre-provisioned deployments should expect degraded functionality and inconsistent onboarding flows.
Jamf (macOS)
Jamf deployment using the Beyond Identity macOS package is supported, provided installation occurs after the user account is created on the device.
Benefits
Supports normal update behavior
Fully compatible with macOS MDM workflows
Considerations
As with Intune, installation timing can vary depending on policy and network load
If the PA installs too late in the onboarding process, the user may attempt passkey creation before the application is available
Kandji (macOS)
Kandji deployment is also supported when using the standard macOS package and allowing installation to occur post-login.
Benefits
Normal update behavior is preserved
Integration fits within typical Kandji Blueprint workflows
Considerations
Device variability during enrollment may cause the PA to install later than expected
Admins should ensure initial passkey enrollment happens only after the PA is confirmed installed
iOS and Android
On iOS and Android, the Platform Authenticator is delivered through the App Store / Play Store.
MDM systems may enforce installation, but:
Installation timing does not impact passkey creation
Updates are managed through the associated app store
No special deployment pathways or constraints apply beyond standard mobile MDM policy
Summary of Recommendations
Platform | Supported? | Recommended Method | Not Recommended | Key Notes |
|---|---|---|---|---|
Windows (Intune) | Yes | LOB | Win32 | Pre-provisioning breaks updates; package too large |
macOS (Jamf) | Yes | Standard package post-login | Pre-login / pre-user install | Install must occur after user account creation |
macOS (Kandji) | Yes | Standard package post-login | Pre-login workflows | Ensure PA is installed before passkey enrollment |
iOS/Android | Yes | App Store / Play Store | N/A | No special constraints |
Related Resources
Changelog (for this article)
Aug 29, 2025: Consolidated system requirements, supported OS versions, Authenticator version support, and deployment prerequisites into one unified article.
Oct 7, 2025: Updated Authenticator version numbers for all supported platforms.
Oct 22, 2025: Updated macOS and iPad/iOS versions supported. Also, updated the macOS Team ID.
Nov 19, 2025: Added information on deployments via Intune, Jamf, and Kandji.