HELP FILE
How do I set up LastPass Workstation MFA for Mac?
Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once set up, users log in to their workstations with their macOS user account password, after which an authentication prompt is sent to their mobile device via the LastPass Authenticator (or YubiKey via the LastPass Authenticator) for verification.
Account & system requirements
End users will be required to have the following:
- A Mac with a 64-bit processor running either of the following macOS versions:
  - macOS Big Sur (11.2)
  - macOS Monterey (12)
- An internet connection with 1 Mbps or better (broadband recommended)
Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
- An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator for multifactor authentication to protect their vault (instructions here)
Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator the next time they log in to LastPass (instructions here).
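A pre-flight check for the requirements listed above, as an added example that is not LastPass code; it can be run on a target Mac before the installer package is distributed. The function names, the `--run` switch, and the reading of "Big Sur (11.2)" as 11.2 or a later 11.x and "Monterey (12)" as any 12.x are assumptions.

```shell
#!/bin/sh
# Added example: verifies the workstation requirements from this help file.
HOST="lastpass.com"   # host named in the connectivity note

# Succeeds for the listed releases. Assumption: "Big Sur (11.2)" means 11.2 or
# a later 11.x, and "Monterey (12)" means any 12.x.
macos_supported() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0      # a bare "12" has no minor component
    minor=${rest%%.*}
    case "$major" in
        11) [ "$minor" -ge 2 ] 2>/dev/null ;;
        12) return 0 ;;
        *)  return 1 ;;
    esac
}

# 64-bit Mac architectures as reported by `uname -m`.
arch_is_64bit() {
    case "$1" in
        x86_64|arm64) return 0 ;;
        *)            return 1 ;;
    esac
}

# ICMP echo to the host; fails if a firewall drops ICMP.
icmp_ok() { ping -c 1 "$1" >/dev/null 2>&1; }

# HTTPS on port 443 with the handshake pinned to exactly TLS 1.2.
tls12_ok() {
    curl --silent --head --output /dev/null --max-time 10 \
         --tlsv1.2 --tls-max 1.2 "https://$1:443/"
}

preflight() {
    failed=0
    macos_supported "$(sw_vers -productVersion)" || { echo "FAIL: macOS version not listed"; failed=1; }
    arch_is_64bit "$(uname -m)" || { echo "FAIL: not a 64-bit processor"; failed=1; }
    icmp_ok "$HOST" || { echo "FAIL: ICMP to $HOST is blocked"; failed=1; }
    tls12_ok "$HOST" || { echo "FAIL: no TLS 1.2 session to $HOST:443"; failed=1; }
    [ "$failed" -eq 0 ] && echo "OK: requirements met"
    return "$failed"
}

# Run the checks only when asked, e.g. `sh preflight.sh --run` on the target Mac.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit status makes the script usable as a gate in a deployment tool, so the package is not pushed to machines that cannot reach lastpass.com over ICMP and TLS 1.2.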
What is Workstation MFA?
Workstation MFA protects users' workstations with a second layer of authentication in addition to entering their local password to sign in. Once set up, users will see a LastPass Workstation MFA icon as their only sign-on option. Upon entering their macOS user account password and proceeding to sign in, they are prompted on their mobile device to authenticate via the LastPass Authenticator (or YubiKey via the LastPass Authenticator) for verification. Once authenticated, they are signed in to their Mac workstation.
Step #1: Set up the LastPass AD Connector
The LastPass AD Connector must be installed and set up to provision your LastPass users, which will provide the user attributes that are needed to locate a user by their machine login name.
To get started, see Set up the LastPass Active Directory Connector.
Step #2: End users set up the LastPass Authenticator
Once your users are provisioned via the LastPass AD Connector, they must enable and enroll the LastPass Authenticator as the multifactor authentication option that protects their LastPass vault.
Instruct your end users to follow the steps to enable and enroll the LastPass Authenticator as their multifactor option for their LastPass vault.
PLEASE READ BEFORE PROCEEDING!
Step #3: Prepare the Workstation MFA installer package
Next, you must download the PKG installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your users' machines.
Follow the steps to download and configure the Workstation MFA installer package for Mac.
Step #4: Distribute the configured installer package
Once configured, you can distribute the installer package using your organization's preferred deployment methods.
Setup is complete!
Congratulations! You successfully deployed LastPass Workstation MFA to your users.