There are two known bugs in macOS 14.0 and later that break the Beyond Identity macOS Platform Authenticator. They occur only when Kandji PassPort is installed and the device is unlocked with a password.
The user might be unlocking their device with a password because:
- the user never set up Touch ID on this device,
- the user is operating the device in clamshell mode and does not have access to the Touch ID sensor, or
- more than 48 hours have passed since the last time the user unlocked their device.
Problem #1: After unlocking the macOS device with a password, the Beyond Identity passkey might show up as invalid in the authenticator and the user will be unable to authenticate.
Solution
The user must delete their passkey and re-import it from another device. To have users perform this step manually:
- Download and install or upgrade to the latest Beyond Identity Authenticator (v2.91.1 or later).
- Log out of your account on your macOS device.
- Log back into your account on the Mac device.
- Open the latest Beyond Identity Authenticator.
- Click About this passkey.
- Click Remove passkey from computer and confirm the removal. The Welcome to Beyond Identity screen appears.
- On the Welcome screen, click Next.
- On the Set up your devices screen, click Get Started. You are prompted to enter a 9-digit code.
- Perform one of the following steps:
  - If you have the passkey installed on another device (e.g., mobile):
    - Open the authenticator on the other device and, if needed, select the passkey that was used by your Mac device.
    - Click Set up other devices. A screen appears with a QR code and a 9-digit code.
    - Scan the QR code, or copy the 9-digit code and paste it into the Enter 9-digit code screen on the Mac device.
  - If you do not have the authenticator installed on another device, contact your IT administrator for a new code.
- If the user was using commit signing, they will have to set it up again.
Problem #2: After the user has re-imported their passkey from another device, as described in solution #1, and again unlocked their device with a password, they might be unable to authenticate with a password. The OS will prompt the user for their password twice and then fail.
Solution: The MDM administrator must execute the following command on all devices as root:
/Applications/Beyond\ Identity.app/Contents/Resources/BIConfigure --install-auth-right
This command installs a new right into the authorization database. That right is used to perform password authentication when biometric authentication is not available, working around the macOS bug that occurs when Kandji PassPort is present. This method of having the OS verify the user via password is no less secure than the previous method: at no point does the macOS authenticator have access to the user's password. The operating system still performs the verification itself and returns only success or failure to the authenticator.
This authorization right is not needed on systems that do not have Kandji PassPort installed.
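The following is an added example of an MDM-pushed root script that wraps the command above; it is not Beyond Identity's or Kandji's own tooling. It assumes Kandji PassPort lives at /Applications/Kandji Passport.app and the authenticator bundle at /Applications/Beyond Identity.app, installs the right only where PassPort is present (per the note above), and refuses to run against an authenticator older than the v2.91.1 named in solution #1.

```shell
#!/bin/sh
# Added example (not Beyond Identity's or Kandji's own script): install the
# password-fallback authorization right only on devices that need it.
# Assumed paths: Kandji PassPort at /Applications/Kandji Passport.app and the
# Beyond Identity app bundle at /Applications/Beyond Identity.app.
set -eu

PASSPORT_APP="/Applications/Kandji Passport.app"
BI_APP="/Applications/Beyond Identity.app"
BI_CONFIGURE="$BI_APP/Contents/Resources/BIConfigure"
MIN_BI_VERSION="2.91.1"   # minimum authenticator version named in the article

# version_ge A B: exit 0 when dot-separated version A >= B (numeric fields).
version_ge() {
  v1="$1"; v2="$2"
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a="${v1%%.*}"; b="${v2%%.*}"
    if [ "$v1" = "$a" ]; then v1=""; else v1="${v1#*.}"; fi
    if [ "$v2" = "$b" ]; then v2=""; else v2="${v2#*.}"; fi
    if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
    if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
  done
  return 0
}

main() {
  # Only meaningful on macOS; elsewhere (e.g. a Linux test runner) do nothing.
  [ "$(uname)" = "Darwin" ] || { echo "not macOS, nothing to do"; return 0; }
  # The authorization database can only be modified as root.
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  # The right is not needed on systems without Kandji PassPort.
  [ -d "$PASSPORT_APP" ] || { echo "Kandji PassPort not installed, skipping"; return 0; }
  [ -x "$BI_CONFIGURE" ] || { echo "BIConfigure not found at $BI_CONFIGURE" >&2; return 1; }
  # Problem #1's fix requires v2.91.1 or later; do not install the right on older builds.
  installed="$(defaults read "$BI_APP/Contents/Info.plist" CFBundleShortVersionString)"
  if ! version_ge "$installed" "$MIN_BI_VERSION"; then
    echo "Beyond Identity $installed is older than $MIN_BI_VERSION; upgrade first" >&2
    return 1
  fi
  # Install the password-fallback authorization right (the command from this article).
  "$BI_CONFIGURE" --install-auth-right
  echo "installed auth right on Beyond Identity $installed"
}

main "$@"
```

Deploy it as a root script from the MDM; a non-zero exit marks the device for follow-up (not root, authenticator missing, or authenticator too old).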
Details of both bugs and how to reproduce them can be found in the following document.
Beyond Identity encourages all customers of Kandji PassPort to reach out to Kandji support and ask them to submit these bugs to Apple through the developer feedback program.