Set up LastPass Workstation MFA for Mac
Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once set up, users can log in to their workstations using their macOS user account password, then authenticate by using the LastPass Authenticator app (or YubiKey via the LastPass Authenticator app) for verification.
Step #1: Review account and system requirements
Review Workstation MFA for Mac account and system requirements for both LastPass admins and end users.
For LastPass admins:
- An active LastPass Business + Advanced MFA add-on trial or paid account with end users synced to the LastPass AD Connector, which is an on-premise Active Directory sync tool
Important: End users can be created and managed using another service provider; however, LastPass admins must sync users with the on-premise LastPass AD Connector in order to use Workstation MFA.
For end users:
- A Mac with a 64-bit processor running either of the following macOS versions:
  - macOS Big Sur (11.2)
  - macOS Monterey (12)
- An internet connection with 1 Mbps or better (broadband recommended)
Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
- An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator app for multifactor authentication to protect their vault (instructions here)
Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to LastPass (instructions here).
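The end-user requirements above (macOS version, 64-bit processor, ICMP reachability of lastpass.com, and HTTPS on port 443 with TLS 1.2) can be checked on each Mac before rollout. The script below is an added example, not LastPass tooling; it assumes "11.2" is the minimum Big Sur release and "12" means any Monterey release, and the function names are illustrative.

```shell
#!/bin/sh
# Preflight check for the end-user requirements in Step #1 (added example).
# Assumption: "11.2" is the minimum Big Sur release and "12" means any
# Monterey release; other versions are reported as not listed on the page.

# Return 0 if the macOS version string is one the page lists.
macos_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0   # no minor component, e.g. "12"
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac
    case "$major" in
        11) [ "$minor" -ge 2 ] ;;
        12) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 if the `uname -m` machine type is 64-bit (Intel or Apple silicon).
arch_is_64bit() {
    case "$1" in x86_64|arm64) return 0 ;; *) return 1 ;; esac
}

# ICMP echo to lastpass.com, the connectivity test the note above describes.
icmp_ok() { ping -c 1 lastpass.com >/dev/null 2>&1; }

# HTTPS on port 443 with the handshake pinned to TLS 1.2 (minimum and maximum).
tls12_ok() {
    curl --silent --output /dev/null --max-time 10 \
         --tlsv1.2 --tls-max 1.2 https://lastpass.com/
}

# Run one check and record the result.
report() {
    if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fail=1; fi
}

# Checks run only with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    fail=0
    report macos_version_ok "$(sw_vers -productVersion)"
    report arch_is_64bit "$(uname -m)"
    report icmp_ok
    report tls12_ok
    exit "$fail"
fi
```

Invoke the script with `--run`; a non-zero exit status means at least one requirement was not met, which usually points to a firewall or proxy blocking ICMP or altering the TLS connection.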
Step #2: Set up the LastPass AD Connector
The LastPass AD Connector must be installed and set up to provision your LastPass users, which will provide the user attributes that are needed to locate a user by their machine login name.
To get started, view Set up the LastPass Active Directory Connector.
Once the LastPass AD Connector has been set up and configured, return to this setup guide and proceed to Step #3 below.
Step #3: End users enroll the LastPass Authenticator app
Once your users are provisioned and synced with the LastPass AD Connector, they must enable and enroll the LastPass Authenticator app to use for multifactor authentication to protect their LastPass vault.
For this reason, we recommend that LastPass admins add the "Require any MFA option after grace period" general policy and assign it to these Workstation MFA users. When configuring the policy, you can specify the number of days your users have before they are required to enable and enroll the LastPass Authenticator app. This gives admins time to prepare communications to their users about these upcoming required changes before Workstation MFA is installed/deployed.
- Add the policy. In the new Admin Console, add the "Require any MFA option after grace period" general policy as follows:
  - Go to .
  - Under Settings, click Edit policy settings.
  - In the "Value" field, enter the number of days before multifactor authentication is required for your users. If desired, enter information into the "Notes" field.
  - Select Save changes.
  - Under Users, click Edit policy users and assign your desired users/groups.
  - Select Save changes.
- Communicate upcoming changes and requirements. You can notify your users that they will be required to enable and enroll the LastPass Authenticator app in their LastPass account before Workstation MFA is set up for their workstations.
- Confirm user enrollment. Review the LastPass Authenticator app enrollment status of your Workstation MFA users by doing the following:
  - Go to .
  - View the Enabled multifactor column for each user to confirm the LastPass Authenticator app is listed.
  Troubleshooting: For those users still not enrolled, you can remind them that upon the end of their grace period they will be prompted to enroll upon their next login to LastPass.
- PLEASE READ BEFORE PROCEEDING! Before the end of the grace period, confirm that all Workstation MFA users have enabled the LastPass Authenticator app before proceeding to the next step in this process (otherwise those users will be locked out of their workstation).
Step #4: Prepare the Workstation MFA installer package
Next, you must download the PKG installer package from the new Admin Console, then configure it with your designated integration key and integration secret so that it can be distributed to your users' machines.
Follow the steps to download and configure the Workstation MFA installer package for Mac.
Step #5: Distribute the configured installer package
Once configured, you can distribute the installer package using your organization's preferred deployment methods.
Setup is complete!
Congratulations! You successfully deployed LastPass Workstation MFA to your users.