HELP FILE

How do I set up LastPass Workstation MFA for Mac?

    Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once set up, users log in to their workstations with their macOS user account password; an authentication prompt is then sent to their mobile device via the LastPass Authenticator (or YubiKey via the LastPass Authenticator) for verification.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. See "How do I upgrade my LastPass Business account with an add-on?"
    Restriction: Workstation MFA cannot be used simultaneously with federated login (as federated login only supports multifactor authentication at the identity provider level, and Workstation MFA requires multifactor authentication at the LastPass level).
    Attention: In order to use this feature, users must be synced via the on-premise LastPass AD Connector.

    Account & system requirements

    Attention: It is recommended to set up a Windows or Mac test environment and implement the "Offline Mode" feature during the configuration process. Once you have successfully deployed and used Workstation MFA on a test environment, you can configure and deploy to a production environment.

    End users will be required to have the following:

    • A Mac with a 64-bit processor running either of the following macOS versions:
      • macOS Big Sur (11.2)
      • macOS Monterey (12)
    • An internet connection with 1 Mbps or better (broadband recommended)
      Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
    • An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator for multifactor authentication to protect their vault (instructions here)
      Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator the next time they log in to LastPass (instructions here).
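
    The workstation-side requirements above can be checked on a test Mac before the installer is distributed. The script below is an added example, not LastPass tooling; it assumes "Big Sur (11.2)" means 11.2 or any later 11.x release and "Monterey (12)" means any 12.x release, and the function names and the `--run` switch are its own.

```shell
#!/bin/sh
# Added example: pre-deployment check of the workstation requirements listed above.
# Assumption: "Big Sur (11.2)" means 11.2 or later 11.x; "Monterey (12)" means any 12.x.
HOST="lastpass.com"

# Succeeds if the macOS version string (e.g. "11.6.1") is one the page lists.
version_supported() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # reject empty / non-numeric input
  v_major="${1%%.*}"
  v_minor="${1#*.}"; v_minor="${v_minor%%.*}"
  case "$1" in *.*) ;; *) v_minor=0 ;; esac      # "12" has no minor component
  case "$v_major" in
    11) [ "${v_minor:-0}" -ge 2 ] ;;
    12) return 0 ;;
    *)  return 1 ;;
  esac
}

# Succeeds for the 64-bit machine types macOS reports via `uname -m`.
arch_supported() {
  case "$1" in x86_64|arm64) return 0 ;; *) return 1 ;; esac
}

# Runs every check and reports each failure; returns non-zero if any failed.
check_workstation() {
  rc=0
  version_supported "$(sw_vers -productVersion)" ||
    { echo "FAIL: macOS version is not one of the listed releases"; rc=1; }
  arch_supported "$(uname -m)" ||
    { echo "FAIL: processor is not 64-bit"; rc=1; }
  # ICMP must be allowed: the page states lastpass.com is pinged to verify connectivity.
  ping -c 3 "$HOST" >/dev/null 2>&1 ||
    { echo "FAIL: ICMP echo to $HOST got no reply (blocked by a firewall?)"; rc=1; }
  # HTTPS on port 443, pinned to exactly TLS 1.2 as the page specifies.
  curl --silent --show-error --max-time 15 --tlsv1.2 --tls-max 1.2 \
       --output /dev/null "https://$HOST/" ||
    { echo "FAIL: TLS 1.2 connection to $HOST:443 failed"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: workstation meets the listed system requirements"
  return "$rc"
}

# Network checks run only on request, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then check_workstation; exit $?; fi
```

    Invoke the script with `--run` on the test workstation. It does not measure bandwidth or confirm that the user has enrolled the LastPass Authenticator.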

    What is Workstation MFA?

    Workstation MFA protects users' workstations with a second layer of authentication in addition to entering their local password to sign in. Once set up, users will see a LastPass Workstation MFA icon as their only sign-on option. Upon entering their macOS user account password and proceeding to sign in, they are prompted on their mobile device to authenticate via the LastPass Authenticator (or YubiKey via the LastPass Authenticator) for verification. Once authenticated, they are signed in to their Mac workstation.

    Step #1: Set up the LastPass AD Connector

    The LastPass AD Connector must be installed and set up to provision your LastPass users, which will provide the user attributes that are needed to locate a user by their machine login name.

    To get started, see Set up the LastPass Active Directory Connector.

    Step #2: End users set up the LastPass Authenticator

    Once your users are provisioned via the LastPass AD Connector, they must enable and enroll the LastPass Authenticator to use for multifactor authentication to protect their LastPass vault.

    Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator the next time they log in to LastPass (instructions here).

    Instruct your end users to follow the steps to enable and enroll the LastPass Authenticator as their multifactor option for their LastPass vault.

    PLEASE READ BEFORE PROCEEDING!

    Warning: All users must enable and enroll the LastPass Authenticator as their multifactor option for their LastPass vault before Workstation MFA is deployed – if this action is not taken beforehand, any user that does not have the LastPass Authenticator set up will be locked out of their workstation and unable to log in.

    Step #3: Prepare the Workstation MFA installer package

    Next, you must download the PKG installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your users' machines.

    Follow the steps to download and configure the Workstation MFA installer package for Mac.

    Step #4: Distribute the configured installer package

    Once configured, you can distribute the installer package using your organization's preferred deployment methods.

    Tip: You can deploy your configured installer package to an unlimited number of Mac workstations. If desired, you can create separate installer packages for specific groups within your organization (e.g., offices, locations, departments, etc.).

    Setup is complete!

    Congratulations! You successfully deployed LastPass Workstation MFA to your users.

    What to do next