Okta Device Access - Passwordless

KatMin
New Contributor II

We currently use Okta SSO with Jamf Pro. FileVault is turned on for all our devices, which requires the initial local login. Then the next login is network credentials with SSO. Meaning, our users have to log in twice. This works well, however we recently purchased Okta Device Access with the understanding that we could eliminate all logins for a passwordless user experience. I've been researching the ODA setup using Okta as a SCEP auth. I've read this would require all devices to be re-enrolled? Has anyone gotten this to work with Jamf Pro to be passwordless? I'd love to hear your experiences. Thanks!

1 ACCEPTED SOLUTION

AJPinto
Esteemed Contributor

macOS 15 doesn’t support true passwordless accounts. You can mimic passwordless behavior at the login window, but the account still has a password underneath; this is required for things like SecureToken and FileVault.

Your best bet is to reach out to Okta for step-by-step documentation. You’ll likely need to deploy something like Okta Verify and a set of configuration profiles to enable the integration. There will probably be a user-driven registration flow, which may feel like an enrollment but is handled entirely on the Okta side.


4 REPLIES

AJPinto
Esteemed Contributor

Are you looking at Jamf Pro to be passwordless or macOS to be passwordless? I'm assuming you are intending macOS.


macOS 15 does support Smart Card Authentication, but a password still exists for the account. I don’t see why a device would need to be re-enrolled so long as it was originally enrolled with Automated Device Enrollment. macOS 26 has some newness with authentication, but that is still in early beta.


KatMin
New Contributor II

Yes, looking for passwordless on the Mac itself via Okta Device Access. Need to know if it's possible, and if so, the best way to configure it. I'm getting conflicting information. Some say passwordless on macOS is impossible, but Okta says it's possible. Need some direction, as I need to get a POC spun up soon. Thanks.

macm1
Contributor III

These are some great talks about Platform SSO and how each IdP integrates its solution into macOS. But @AJPinto is correct. All Platform SSO solutions for macOS 13-15 require a PW to unlock FileVault. Similar to how an iPhone requires a passcode after restart.

https://www.youtube.com/watch?v=uAjyZyHHJXc&t=1512s

https://www.youtube.com/watch?v=mkro_6BzOiY&t=332s