HELP FILE

How do I set up LastPass Workstation MFA for Mac?

    Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once set up, users can log in to their workstations using their macOS user account password, then authenticate by using the LastPass Authenticator app (or YubiKey via the LastPass Authenticator app) for verification.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    Restriction: Workstation MFA cannot be used simultaneously with federated login (as federated login only supports multifactor authentication at the identity provider level, and Workstation MFA requires multifactor authentication at the LastPass level).
    Attention: In order to use this feature, users must be synced via the on-premise LastPass AD Connector.

    Account & system requirements

    Attention: It is recommended to set up a Windows or Mac test environment and uncheck the Prevent login when offline setting (which enables offline mode access for workstations) when configuring the installer package. Once you have successfully deployed and used Workstation MFA on a test environment, you can configure and deploy to a production environment.

    End users will be required to have the following:

    • A Mac running either of the following macOS versions with a 64-bit processor required:
      • macOS Big Sur (11.2)
      • macOS Monterey (12)
    • An internet connection with 1 Mbps or better (broadband recommended)
      Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
    • An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator app for multifactor authentication to protect their vault (instructions here)
      Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to LastPass (instructions here).

    What is Workstation MFA?

    Workstation MFA protects users' workstations with a second layer of authentication in addition to entering their local password to sign in. Once set up, users will see a LastPass Workstation MFA icon as their sign-on option. Upon entering their macOS user account password and proceeding to sign in, they are prompted on their mobile device to authenticate via the LastPass Authenticator app (or YubiKey via the LastPass Authenticator app) for verification. Once authenticated, they are signed in to their Mac workstation.

    Step #1: Set up the LastPass AD Connector

    The LastPass AD Connector must be installed and set up to provision your LastPass users, which will provide the user attributes that are needed to locate a user by their machine login name.

    To get started, view Set up the LastPass Active Directory Connector.

    Step #2: End users set up the LastPass Authenticator app

    Once your users are provisioned via the LastPass AD Connector, they must enable and enroll the LastPass Authenticator app to use for multifactor authentication to protect their LastPass vault.

    Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to LastPass (instructions here).

    Instruct your end users to follow the steps to enable and enroll the LastPass Authenticator as their multifactor option for their LastPass vault.

    PLEASE READ BEFORE PROCEEDING!

    Warning: Be sure all your desired users have enrolled the LastPass Authenticator app with their LastPass account before Workstation MFA is installed on their machine – failure to do so will result in the user being locked out of their workstation and unable to log in.

    Step #3: Prepare the Workstation MFA installer package

    Next, you must download the PKG installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your users' machines.

    Follow the steps to download and configure the Workstation MFA installer package for Mac.

    Step #4: Distribute the configured installer package

    Once configured, you can distribute the installer package using your organization's preferred deployment methods.

    Tip: You can deploy your configured installer package to an unlimited number of Mac workstations. If desired, you can create separate installer packages for specific groups within your organization (e.g., offices, locations, departments, etc.).

    Setup is complete!

    Congratulations! You successfully deployed LastPass Workstation MFA to your users.

    What to do next

    Related Articles