Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
Over the years, enterprises have increasingly leveraged Apple’s Identity Provider (IdP) integration for the macOS login window to create a better experience for employees while simultaneously enhancing security. If you had told me ten years ago that another company could ‘take over’ the macOS login window, I would have said that pigs must be flying. In the enterprise, identity is everything. The rise of SaaS (Software as a Service) tools has only amplified the need for a robust and unified identity system.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
As organizations continue to adopt various cloud-based applications, managing access and ensuring security becomes critical. This is where an IdP comes in—acting as a central point of authentication and access control, it creates a secure and seamless experience for both IT departments and end users. In many organizations, the chosen IdP essentially becomes the ‘operating system’ for the entire company, dictating how users interact with the corporate ecosystem. However, despite these advantages, a significant challenge remains: managing the password for an IdP with password manager access can sometimes conflict with the desired simplicity and efficiency of the login experience. This balance between security and convenience is something many enterprises struggle to balance.
How most people log in to their IdP on the desktop
Let’s talk about how people typically log in to their IdP on the Mac. Most employees rely on password managers to handle their login credentials, and they unlock it using a password they can remember as well as Touch ID. These tools spit out long, complex passwords that are impossible to remember without some help. The idea is simple: the stronger the password (and it is unique), the better the security. But there’s a trade-off—what you gain in security, you lose in convenience. Without my password manager, I don’t know how to log in to almost all websites. I need my password manager to balance the security and usability of SaaS tools. I also use my password manager built-in two-factor authentication feature to handle that aspect as well.
My password manager’s password is long, but I have memorized it. It’s 1 password (that isn’t used anywhere else, and pun intended) to unlock them all. Without my password manager, I am sent back to dial-up days regarding functionality.
The problem with Touch ID on macOS after a reboot with IdP integration
Now, let’s talk about Touch ID on macOS. It’s a fantastic feature—until you reboot your Mac. After a reboot, Touch ID is temporarily out of commission, and you’re back to typing in your password for the first login. This happens because the system needs to re-verify Touch ID and the secure enclave, which stores your fingerprint data. It’s simply how the system is designed, but it’s also a pain. I know my macOS login password, so it’s not a problem. But what happens when your IdP (and it’s long password) take over the login experience? You must either pull out your iPhone to manually type it in or move your IdP password to something you can memorize. Neither is ideal from a usability or security point of view.
What should Apple do?
Ideally, we shouldn’t have to type in our macOS login password after a reboot, but that’s not the reality. Touch ID should always be available. This isn’t possible today, so Apple would need to build it into future hardware.
In the short term, another option could be a QR code that you can scan with your smartphone to log in—easy, fast, and secure. Imagine rebooting your Mac after a macOS update, having the option to enter your login information from your IDP, or using the verification iPhone app on your IDP to approve a login by scanning a QR code. You can keep your long (and unique) IDP password and pair it with a seamless login experience, but then not need to type it in manually to enable Touch ID.
Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
FTC: We use income earning auto affiliate links. More.