Why Might I Have To Log In Twice?
Devices with FileVault enabled will encounter a workflow where end users must log in twice. Apple requires the FileVault window login before the Identity window login. When the FileVault screen is encountered, the device is not connected to the internet and is in a pre-boot state.
At a high level, Identity secures your macOS systems, makes it easy for your users to authenticate against macOS devices, allows for multi-tenant customizability from our web console, allows for tailored designs, simplifies onboarding with just in time account creation, and enforces security in your organization.
If you’re ready to get started with Addigy Identity, check out the following articles:
- How to Enable Identity
- Identity Settings
- Identity User Experience
- How to Configure Microsoft's Azure Active Directory with Identity
- How to Configure Okta with Identity
- How to Configure Google with Identity
User Authentication and On-Boarding Simplified
Identity simplifies users' authentication and onboarding at the macOS login window. With Identity, your users will be able to use the same authentication they use across your environment on their macOS devices. There is no extra configuration on the identity provider side necessary.
The Identity login window is customizable via our web console at the policy level. This means you can deploy a different background and logo, identity provider authentication, and settings for each one of your policies. This helps where different departments want to have their own logo and background on the login window of their machines to create a much more tailored experience for their users. This same idea applies to Addigy organizations that are managing multiple companies, each company will have a different logo, background, and identity provider. This is why Identity makes it easy to customize and deploy different settings via policies.
Just-In-Time User Creation
Identity allows for just-in-time user account creation. Once a user authenticates at the login window Identity automatically creates a local user account with the information that the user's IdP (identity providers) sends back to Identity and Identity attaches the user's identity provider email to the local account's recordName. If the user already has a local account created, Identity makes sure the passwords are synced and automatically signs them right into their accounts so they can right back to work with minimal interruption. If they already have a local account, users can sync their identity provider email to the already existing local account.
Identity acknowledges password resets deployed from the identity provider at the login window level. We understand that in order to keep proper security hygiene we must enforce a password policy that will require the user to reset their password in X amount of days and comply with the established password rules. This is why we seamlessly enforce identity provider level password policies and make it easy for users to be in compliance.
Local User Log In, Refresh, and Settings
At the top right of the Identity window, there are options that can be enabled in the Identity configuration at the policy level.
Local User Log In
The person icon in the top right is enabled when you have the Allow local account credentials at the Addigy Identity login window option selected in the Identity configuration. The person icon allows for local login with established local accounts.
The refresh icon (circle arrow) allows the Identity window to be reset in the event of any slow loading times.
The settings icon (cog/gear) allows the user to revert to the normal macOS login window if the setting is enabled in your Identity configuration, as well as a WiFi switcher.
"Remember Me" or "Don't ask again" Checkbox
You may notice that different IdPs give different variations of the following:
"Don't ask again for 90 days"
"Remember me for 30 days"
At this time, this is not a supported feature within Addigy Identity. If you'd like to see it added, please vote for the feature here.