Download and configure the Workstation MFA installer for Mac

    As a LastPass admin, get the integration key and integration secret, then download the Workstation MFA installer for Mac and configure it with your designated integration key and integration secret.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

      Add the Workstation MFA app for Mac.

      1. Log in with your email address and master password to access the new Admin Console at https://admin.lastpass.com.
      2. Go to Applications > MFA Apps.
      3. If you have not previously added MFA apps, click Get started. Otherwise, click Add app in the upper-right navigation.
      4. Select macOS workstations.
      5. Enter a Name for your app.
      6. Click Save & continue.

      Save the integration key and integration secret.

      1. Optional: On another web browser window or tab, you can open your LastPass vault and create a new secure note for saving the integration key and integration secret.
      2. Copy and save the integration key.
      3. Copy and save the integration secret.
        Warning: These two values will be required in configuring the Workstation MFA installer and/or upgrading to new versions in the future. If you do not save the integration secret, you will need to restart the setup process to generate a new integration key and integration secret.
      4. In Advanced settings, select the Username attribute that contains the MFA username used by the MFA app during authentication. The value of this attribute can be populated either manually or automatically using either SCIM or the LastPass Active Directory Connector.
        The available attribute values are:
        • ad.samaccountname
        • ad.objectguid
        • email (lastpass account name)

      Download the LastPass Workstation MFA installer.

      1. Click Download the installer.
      2. Save the WorkstationMFAMac.zip file to your desired location (default is ~/Downloads) and unzip it.
        A new folder named "WorkstationMFAMac" opens and contains the following files:
        • Uninstaller.pkg
        • Installer_Unconfigured.pkg
        • configure_wmfa.sh
      3. Back on the "Set up integration" page, select Save & assign users.
      4. In the Assign users & groups window, select Assign users & groups to begin making your selections.
      5. Search for and select your desired users and/or groups, then click Assign.
      6. Click Save & continue > Finish.

      Configure the installer package.

      1. Open the Terminal.app on your Mac.
      2. Execute the following command:
        cd Downloads/WorkstationMFAMac
        Note: If you extracted the .zip file to a different location than ~/Downloads, then enter that path after cd instead.
      3. Execute the following command:
        chmod +x configure_wmfa.sh
      4. Execute the following command:
        ./configure_wmfa.sh Installer_Unconfigured.pkg
      5. Paste the integration key (that you copied in Step #8 above), then hit Enter.
      6. Paste the integration secret (that you copied from Step #9 above), then hit Enter.
      7. When prompted to Enable Offline Mode, choose one of the following:
        • Enter yes if you want to allow users to log in to their Mac workstations when no internet connection is present (allowing them to skip MFA after entering their Mac password).
        • Enter no (most secure option) to prohibit users from logging in to their Mac workstations unless there is an internet connection present (does not allow them to skip MFA after entering their Mac password).

        Result: A newly configured installer package is created (in the same directory as Step #11 above) with the name Configured_Installer_<version number>.pkg (e.g., Configured_Installer_1.2.0.pkg).

        Tip: You can deploy your configured installer package to an unlimited number of Mac workstations. If desired, you can create separate installer packages for specific groups within your organization (e.g., offices, locations, departments, etc.).

      Run the installer package.

      1. Choose from the following installation methods:
        Silent installation:
        1. Open Terminal.app.
        2. Enter the following command:
          sudo installer -pkg "$HOME/Downloads/Configured_Installer_<version number>.pkg" -target /
          Note: The <version number> should match the value outlined in the Result of Step #19 above.
        3. When prompted, enter your Mac admin credentials.
        4. Close the Terminal.app window when installation is complete.
        Manual (GUI) installation:
        1. Open the Configured_Installer_<version number>.pkg file to launch the setup.
        2. Select Continue > Install.
        3. When prompted, enter your Mac admin credentials.
        4. Select Close when installation is complete.
      2. Reboot your Mac.
    Results: You have configured the Workstation MFA installer for Mac.
    What to do next: Once configured, you can distribute the installer package using your organization's preferred deployment methods.
    Note: Instructions will vary, depending on your preferred distribution method.

    PLEASE READ BEFORE PROCEEDING!

    Warning: Be sure all your desired users have enrolled the LastPass Authenticator app with their LastPass account before Workstation MFA is installed on their machine – failure to do so will result in the user being locked out of their workstation and unable to log in.