Set up LastPass Workstation MFA for Mac

Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once set up, users can log in to their workstations using their macOS user account password, then authenticate by using the LastPass Authenticator app (or YubiKey via the LastPass Authenticator app) for verification.

Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

Restriction: Workstation MFA cannot be used simultaneously with federated login (as federated login only supports multifactor authentication at the identity provider level, and Workstation MFA requires multifactor authentication at the LastPass level).

Attention: In order to use this feature, users must be synced via the on-premise LastPass AD Connector.

Step #1: Review account and system requirements

Review Workstation MFA for Mac account and system requirements for both LastPass admins and end users.

Attention: It is recommended to set up a Windows or Mac test environment and uncheck the Prevent login when offline setting (which enables offline mode access for workstations) when configuring the installer package. Once you have successfully deployed and used Workstation MFA on a test environment, you can configure and deploy to a production environment.

For LastPass admins:

An active LastPass Business + Advanced MFA add-on trial or paid account with end users synced to the LastPass AD Connector, which is an on-premise active directory sync tool
Important: End users can be created and managed using another service provider, however, LastPass admins must sync users with the on-premise LastPass AD Connector in order to use Workstation MFA.

For end users:

A Mac running either of the following macOS versions with a 64-bit processor required:
- macOS Big Sur (11.2)
- macOS Monterey (12)
An internet connection with 1 Mbps or better (broadband recommended)
Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 withTLS 1.2.
An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator app for multifactor authentication to protect their vault (instructions here)
Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to LastPass (instructions here).

Step #2: Set up the LastPass AD Connector

The LastPass AD Connector must be installed and set up to provision your LastPass users, which will provide the user attributes that are needed to locate a user by their machine login name.

To get started, view Set up the LastPass Active Directory Connector.

Once the LastPass AD Connector has been set up and configured, return to this setup guide and proceed to Step #3 below.

Step #3: End users enroll the LastPass Authenticator app

Once your users are provisioned and synced with the LastPass AD Connector, they must enable and enroll the LastPass Authenticator app to use for multifactor authentication to protect their LastPass vault.

Warning: It is required that all users enable and enroll the LastPass Authenticator app for multifactor authentication in their LastPass account before Workstation MFA is set up for their machine. Any user who fails to do so will be locked out and unable to sign in to their workstation.

For this reason, we recommend that LastPass admins add the "Require any MFA option after grace period" general policy and assign these Workstation MFA users. When configuring the policy, you can specify the number of days your users have before they are required to enable and enroll the LastPass Authenticator app. This allows time for admins to prepare communications about these upcoming required changes to their users before Workstation MFA is installed/deployed.

About this task: To enable the grace period policy and check user enrollment status for the LastPass Authenticator app, do the following:

Add the policy.

In the new Admin Console, add the "Require any MFA option after grace period" general policy as follows:
1. Go to Policies > General policies > New policy > Require any MFA option after grace period > Continue.
2. Under Settings, click Edit policy settings.
3. In the "Value" field, enter the number of days before multifactor authentication is required for your users. If desired, enter information into the "Notes" field.
4. Select Save changes.
5. Under Users, click Edit policy users and assign your desired users/groups.
6. Select Save changes.

Communicate upcoming changes and requirements.

You can notify your users that they will be required to enable and enroll the LastPass Authenticator app in their LastPass account before Workstation MFA is set up for their workstations.

Confirm user enrollment.

Review the LastPass Authenticator app enrollment status of your Workstation MFA users by doing the following:
1. Go to Users > Users.
2. View the Enabled multifactor column for each user to confirm the LastPass Authenticator app is listed.
Troubleshooting: For those users still not enrolled, you can remind them that upon the end of their grace period they will be prompted to enroll upon their next login to LastPass.
Before the end of the grace period, confirm that all Workstation MFA users have enabled the LastPass Authenticator app before proceeding to the next step in this process (otherwise those users will be locked out of their workstation).

Results: All desired users have successfully enrolled the LastPass Authenticator app with their LastPass account.

What to do next:

PLEASE READ BEFORE PROCEEDING!

Warning: Be sure all your desired users have enrolled the LastPass Authenticator app with their LastPass account before Workstation MFA is installed on their machine – failure to do so will result in the user being locked out of their workstation and unable to log in.

Step #4: Prepare the Workstation MFA installer package

Next, you must download the PKG installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your users' machines.

Follow the steps to download and configure the Workstation MFA installer package for Mac.

Step #5: Distribute the configured installer package

Once configured, you can distribute the installer package using your organization's preferred deployment methods.

Tip: You can deploy your configured installer package to an unlimited number of Mac workstations. If desired, you can create separate installer packages for specific groups within your organization (e.g., offices, locations, departments, etc.).

Setup is complete!

Congratulations! You successfully deployed LastPass Workstation MFA to your users.

What to do next

You can send your end users the following instructions: