OneLogin Desktop for Mac enables you to log into your Mac using your OneLogin credentials and use a certificate installed in your keychain to provide authentication when you access your OneLogin portal page and SSO-enabled apps. In other words, you can log in once to your Mac and go straight to your OneLogin portal or your SSO-enabled apps without having to provide credentials again.
To get started with OneLogin Desktop, you must run an installer on your Mac that automatically enables an existing local user account to use your OneLogin credentials or creates a new user account that can use them.
This article is intended for "end users." It includes the following topics:
- System requirements
- Configuring your Mac to support OneLogin Desktop for Mac
- Upgrading your OneLogin Desktop account
- Using your new user account for the first time
- Using your updated user account for the first time
- Changing your password
For administrator documentation, see Managing Macs Using OneLogin Desktop.
System requirements
- Mac OS X 10.11+
- Mac cannot be joined to an Active Directory domain
- If you enable OneLogin Desktop for an existing account on your Mac, that account cannot be associated with iCloud
- Browsers: Chrome or Safari are required to use the certificate to provide access to the OneLogin portal or SSO-enabled apps without having to reauthenticate
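The OS version and Active Directory requirements above, together with the power condition the installer checks before it lets you continue (plugged in, or at least 10% battery), can be verified from Terminal before you start. This script is an added example, not part of OneLogin's documentation or tooling; it assumes the standard macOS commands `sw_vers`, `pmset` and `dsconfigad`, and the sample outputs in it are constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the requirements listed on this page.
# Each check takes command output as text, so it can be tested off a Mac.

# "Mac OS X 10.11+": input is the output of `sw_vers -productVersion`.
version_ok() {
  major=${1%%.*}; rest=${1#*.}
  [ "$rest" = "$1" ] && rest=0            # no minor component given
  minor=${rest%%.*}
  case "$major.$minor" in .*|*.|*[!0-9.]*) return 1 ;; esac
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 11 ]; }
}

# Installer rule: plugged in, or battery at 10% or more. Input: `pmset -g batt`.
power_ok() {
  case $1 in *"'AC Power'"*) return 0 ;; esac
  pct=$(printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9]\{1,3\}\)%;.*/\1/p' | head -n 1)
  [ -n "$pct" ] && [ "$pct" -ge 10 ]
}

# "Mac cannot be joined to an Active Directory domain".
# Input: `dsconfigad -show`, which prints nothing on an unbound Mac.
ad_bound() {
  case $1 in *"Active Directory Domain"*) return 0 ;; *) return 1 ;; esac
}

# Prints the unmet requirements (empty line if none); returns 0 only if all pass.
preflight() {
  fail=""
  version_ok "$1" || fail="$fail os-version"
  power_ok "$2"   || fail="$fail power"
  if ad_bound "$3"; then fail="$fail ad-bound"; fi
  printf '%s\n' "${fail# }"
  [ -z "$fail" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_AC="Now drawing from 'AC Power'"
SAMPLE_LOW=$(printf "Now drawing from 'Battery Power'\n -InternalBattery-0 (id=1234567)\t8%%; discharging; 0:20 remaining present: true")
SAMPLE_AD="Active Directory Domain = corp.example.com"

# On a Mac, run the checks against the live system.
if [ "$(uname)" = "Darwin" ]; then
  preflight "$(sw_vers -productVersion)" "$(pmset -g batt)" \
            "$(dsconfigad -show 2>/dev/null)" || echo "Fix the items listed above first."
fi
```

The script does not check the iCloud or browser requirements, and the installer still performs its own internet and power checks.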
Configuring your Mac to support OneLogin Desktop for Mac
Log in to your Mac using an account with administrator privileges for the machine.
Log out of any other accounts running on your Mac.
Open a browser and log in to OneLogin.
Go to your user Profile page.
On the Profile page's Security tab (which opens by default), go to the OneLogin Desktop for Mac section and click the Download link to get the installer.
Double-click the downloaded OneLogin Desktop installer file.
A new Finder window opens, displaying the OneLogin app.
Open the OneLogin app.
If you see the message, "OneLogin.app can't be opened because it is from an unidentified developer," click OK and go to System Preferences > Security & Privacy to allow OneLogin.app to be opened.
On the General tab, click Open Anyway.
When the installer launches, you'll see the Let's Prepare for Installation page.
If you meet all of the requirements of installation--your battery is charged at least 10% or your computer is plugged in, and you are connected to the internet--you can click the Continue button.
If one of these requirements is not met, a yellow exclamation point will display next to the unmet requirement. If you are not connected to the internet or you don't have sufficient power (your computer isn't plugged in or you don't have at least 10% battery life), then the Continue button will be grayed out.
You must remedy the missing requirement. You do not have to cancel and rerun the installer if you can remedy the missing requirement while the installer is running.
Note. The power requirement exists to protect you from an incomplete installation.
Note. Logging is turned on by default. You can turn it off at any time by clearing the Turn on Logging checkbox, but logging can help your admin if you run into issues during your installation.
On the OneLogin Desktop Terms of Service page, scroll to the bottom of the terms (oh yeah, and read them), then click the I agree button.
When the welcome screen appears, click Start.
At the helper tool prompt, provide the password of the admin account that you are logged in as and click Install Helper.
Enter your domain (the "yourcompany" part of yourcompany.onelogin.com) and click Next.
The next screen displays your company's OneLogin login screen; enter your OneLogin username and password and click Log In.
Select the Mac account that you want to enable for OneLogin Desktop, and click Next.
From the drop-down, you can:
Select an existing OneLogin Desktop account, in which case you are simply upgrading OneLogin Desktop for that account.
Select an existing user account on your Mac, in which case you are enabling that account for OneLogin Desktop for the first time.
Create a new account and enable it for OneLogin Desktop.
If you already have a OneLogin Desktop account on your Mac, you won't be able to create a new account, but you will be able to enable a different existing account as your OneLogin Desktop account.
Important! If you are enabling an existing account, it cannot use iCloud keychain. If you want to enable OneLogin Desktop for an account that uses iCloud keychain, you must exit the installer and disable iCloud keychain before rerunning the installer.
Important! If you have only one admin account on your Mac, do not enable it for OneLogin Desktop. Your Mac should always have a local admin account that is not enabled for OneLogin Desktop.
Enter the password of the user account that you are enabling for OneLogin Desktop, and click Next.
If your computer uses FileVault for disk encryption, the installer prompts you to enter the FileVault password.
This is usually the password for your current user account. Enter it and click Next.
When the installer displays "You are all set up," click Done.
Upgrading your OneLogin Desktop account
If you already have a OneLogin Desktop account on your Mac, and it was installed using OneLogin Desktop for Mac 2.0.x, and your admin accepted the Automatically push new updates default option on the Devices > OneLogin Desktop page, then your user account will be updated to the new version silently.
If your OneLogin Desktop account was installed using OneLogin Desktop for Mac 1.x, then you must upgrade manually. The easiest way to do this is to select that account on the Select Mac Account page of the latest OneLogin Desktop for Mac installer when you run it. For more information, see Configuring your Mac to support OneLogin Desktop for Mac.
Using your OneLogin Desktop user account for the first time
Log in to the OneLogin Desktop account using your OneLogin password.
If you enabled OneLogin Desktop for an existing local account, the account name will be unchanged.
If you created a new account when you installed OneLogin Desktop, the account name will be your OneLogin user name (usually your email).
Note. We recommend that you log in to the OneLogin Desktop user account before you restart. If, however, you restart your Mac before you log in to your OneLogin Desktop user account for the first time, be aware that FileVault will continue to want your old local account password. Assuming that your Mac uses FileVault, you'll see the login screen twice. Enter the old password on the first login screen. FileVault will run for 10-20 seconds, decrypting your disk, and then the operating system will display the login screen again. Enter the OneLogin password. On subsequent logins, the FileVault and OS passwords will both be your OneLogin password, and you'll just see one login screen, just as you expect. Note that if you log in to your Mac immediately after you install OneLogin Desktop, without restarting, the login process will use your OneLogin credentials from the get-go.
You'll be prompted to sign in to iCloud; you can skip this.
If your admin has given you the ability to skip OneLogin browser authentication when you're logged in to your Mac with your OneLogin credentials, open your browser and go to your OneLogin portal.
The first time you try to authenticate to OneLogin from your browser (whether you are logging in to your OneLogin portal or trying to access an app through OneLogin SSO), you will be prompted to Log in with OneLogin Desktop or accept the OneLogin certificate that was installed, depending on your browser.
In Safari, enter your credentials on the OneLogin login page and click Log in with OneLogin Desktop.
Note. You should only have to click this link once; however, if you clear your browser cache, you will be prompted again.
Note. If you have locally installed clients (like Slack or RingCentral, for example) that use OneLogin for authentication, Safari can perform a little magic for you that Chrome can't: after you log in to your OneLogin portal using Safari and click Log in with OneLogin Desktop, Safari will tell Mac OS X that the OneLogin Desktop certificate can be used for local apps that use OneLogin for authentication. It doesn't work for every one of your OneLogin-authenticated desktop apps, but it does work for some.
In Chrome, you will be prompted to select the specific certificate installed by OneLogin Desktop. Select it and click OK.
Note. In Chrome, you will be prompted to accept the certificate each time you restart your browser or clear your browser cache.
Firefox does not allow certificates to be used to authenticate to a third party like OneLogin; therefore, it does not support browser SSO bypass in this release. You must provide your OneLogin authentication credentials in the browser when you access the OneLogin portal login page or apps that use OneLogin SSO.
Changing your password
You cannot change your password on your Mac. You must change it using OneLogin.
To change your password:
Open a browser and log in to your OneLogin portal.
Go to your user Profile page.
Select Change Password.
Enter your current password and your new password.
Log out of your Mac.
When you log back in, use your new password.
Who can log into the Mac once OneLogin Desktop is installed?
Only one account can be enabled to log in using OneLogin credentials on a device.
Your device can, however, support multiple accounts that are not managed by OneLogin -- a local admin account for example.
What will happen to my data and settings when the installer is enabling OneLogin Desktop for my existing account?
If you selected an existing local user account to be enabled for OneLogin Desktop, the account remains unchanged except for the password required and the addition of a certificate in the account's keychain.
What happens if I have Desktop SSO enabled for my organization? Will I be logged into the device automatically?
No, Desktop SSO and OneLogin Desktop for Mac are separate features. Users will still have to enter their credentials when logging into the device.
How do I change my password?
You change the password for your OneLogin-managed account on the Profile page (User menu > Profile) in the OneLogin portal.
What happens if I try to change my password locally, on the device?
If you try to change your password locally, you will see a message telling you that you can't. You must change your password in OneLogin.
What happens after I change my password in OneLogin?
If your device is connected to the internet, then you simply use your new password when you log in. If your device is offline, you must continue to use your old password until you are connected to the internet.
How does multifactor authentication (MFA) work with OneLogin Desktop?
If you are logging in from a trusted device, the certificate functions as the authentication factor, and neither passwords nor MFA (like OneLogin OTP, Duo Security, RSA) are required to access the OneLogin portal or OneLogin-authenticated apps.
How do I add another OneLogin user to my Mac?
In the current version, you can have one OneLogin Desktop account on your Mac enabled to go straight to the OneLogin portal or SSO-enabled apps without having to authenticate using the browser (assuming that your OneLogin administrator has enabled browser login bypass).
Why am I still required to enter my credentials when I access the OneLogin portal from my device?
The ability to bypass the browser login is only available on Safari and Chrome. It also requires that your administrator assign you to a OneLogin user policy that allows it. If you are included in such a policy, you will still be asked for your credentials the first time you log in to the OneLogin portal, and after you have closed your browser or cleared your cache.
If you meet all of the above criteria, and you still can't access the OneLogin portal or SSO-enabled apps without logging in from the browser, then you may have used the installer to enable OneLogin Desktop for a local account that was running while you were performing the installation. Simply log out of the account and log back in, and you should be able to bypass browser login.
Why do I need to select a certificate or click Log in with OneLogin Desktop when I access the OneLogin portal on a trusted device?
When you access the OneLogin portal page for the first time (or after you have cleared your browser cache), the browser needs to know what certificate to use with OneLogin. You tell Safari which certificate to use by clicking Log in with OneLogin Desktop on the OneLogin login page. Chrome shows you the OneLogin certificate and asks you to confirm it.
OneLogin Desktop certificates use the following naming format:
Can I use OneLogin Desktop with FileVault?
Yes, you can use OneLogin Desktop with FileVault. The installer detects whether you use FileVault and configures it to use your OneLogin credentials.
I restarted my Mac after I ran the installer and now I can't log in using my OneLogin credentials. What do I do?
If you opt to enable OneLogin Desktop for an existing local account when you run the installer, and you restart your Mac immediately after you run the installer, then FileVault will want your old local account password the first time you log in. Assuming that your Mac uses FileVault, you'll see the login screen twice. Enter the old password on the first login screen. FileVault will run for 10-20 seconds, decrypting your disk, and then the operating system will display the login screen again. Enter the OneLogin password. On subsequent logins, the FileVault and OS passwords will both be your OneLogin password, and you'll just see one login screen, just as you expect. Note that if you log in to your Mac immediately after you install OneLogin Desktop, without restarting, the login process will use your OneLogin credentials from the get-go.
When I logged in to my updated Desktop account, a dialog popped up saying "The system was unable to unlock your login keychain."
If you use the OneLogin Desktop installer to update an existing OneLogin Desktop 2.0.x account whose keychain password has gotten out of sync with your OneLogin password, then when you log in to your updated OneLogin Desktop account for the first time, your Mac will be unable to unlock the login keychain. This typically happens if you update a OneLogin Desktop account that you haven't used in a long time. Click Update Keychain Password and enter a previous OneLogin password (how old it is depends on when you last used your OneLogin Desktop account). If you are unable to remember the correct previous OneLogin password, click Create New Keychain to create a new keychain. After your next login, OneLogin will sync the keychain password for the new keychain with your current OneLogin password.
When I tried to install OneLogin Desktop, I saw a message telling me that I could not use my local account because it is enabled for iCloud keychain. What do I do?
The Apple iCloud keychain feature can interfere with OneLogin Desktop. Select another account, tell the installer to create a new account, or quit the installation and disable iCloud keychain for the account that you want to enable for Desktop.