Who can log into the Mac once OneLogin Desktop is installed?
Only one account can be enabled to log in using OneLogin credentials on a device.
Your device can, however, support multiple accounts that are not managed by OneLogin -- a local admin account for example.
What will happen to my data and settings when the installer is enabling OneLogin Desktop for my existing account?
If you selected an existing local user account to be enabled for OneLogin Desktop, the account remains unchanged except for the password required and the addition of a certificate in the account's keychain.
What happens if I have Desktop SSO enabled for my organization? Will I be logged into the device automatically ?
No, Desktop SSO and OneLogin Desktop for Mac are separate features. Users will still have to enter their credentials when logging into the device.
How do I change my password?
You change the password for your OneLogin-managed account on the Profile page (User menu > Profile) in the OneLogin portal.
What happens if I try to change my password locally, on the device?
If you try to change your password locally, you will see a message telling you that you can't. You must change your password in OneLogin.
What happens after I change my password in OneLogin?
If your device is connected to the internet, then you simply use your new password when you log in. If your device is offline, you must continue to use your old password until you are connected to the internet.
How does multifactor authentication (MFA) work with OneLogin Desktop?
If you are logging in from a trusted device, the certificate functions as the authentication factor, and neither passwords nor MFA (like OneLogin Protect, Duo Security, RSA) are required to access the OneLogin portal or OneLogin-authenticated apps.
How do I add another OneLogin user to my Mac?
In the current version, you can have one OneLogin Desktop account on your Mac enabled to go straight to the OneLogin portal or SSO-enabled apps without having to authenticate using the browser (assuming that your OneLogin administrator has enabled browser login bypass).
Why I am still required to enter my credentials when I access the OneLogin portal from my device?
The ability to bypass the browser login is only available on Safari and Chrome. It also requires that your administrator assign you to a OneLogin user policy that allows it. If you are included in such a policy, you will still be asked for your credentials the first time you log in to the OneLogin portal, and after you have closed your browser or cleared your cache.
If you meet all of the above criteria, and you still can't access the OneLogin portal or SSO-enabled apps without logging in from the browser, then you may have used the installer to enable OneLogin Desktop for a local account that was running while you were performing the installation. Simply log out of the account and log back in, and you should be able to bypass browser login.
Why do I need to select a certificate or click Log in with OneLogin Desktop when I access the OneLogin portal on a trusted device?
When you access the OneLogin portal page for the first time (or after you have cleared your browser cache), the browser needs to know what certificate to use with OneLogin. You tell Safari which certificate to use by clicking Log in with OneLogin Desktop on the OneLogin login page. Chrome shows you the OneLogin certificate and asks you to confirm it.
OneLogin Desktop certificates use the following naming format:
Can I use OneLogin Desktop with FileVault?
Yes, you can use OneLogin Desktop with FileVault. The installer detects whether you use FileVault and configures it to use your OneLogin credentials.
I restarted my Mac after I ran the installer and now I can't log in using my OneLogin credentials. What do I do?
If you opt to enable OneLogin Desktop for an existing local account when you run the installer, and you restart your Mac immediately after you run the installer, then FileVault will want your old local account password the first time you log in. Assuming that your Mac uses FileVault, you'll see the login screen twice. Enter the old password on the first login screen. FileVault will run for 10-20 seconds, decrypting your disk, and then the operating system will display the login screen again. Enter the OneLogin password. On subsequent logins, the FileVault and OS passwords will both be your OneLogin password, and you'll just see one login screen, just as you expect. Note that if you log in to your Mac immediately after you install OneLogin Desktop, without restarting, the login process will use your OneLogin credentials from the get-go.
When I logged in to my updated Desktop account, a dialog popped up saying "The system was unable to unlock your login keychain."
If you use the OneLogin Desktop installer to update an existing OneLogin Desktop 2.0.x account whose keychain password has gotten out of sync with your OneLogin password, then when you log in to your updated OneLogin Desktop account for the first time, your Mac will be unable to unlock the login keychain. This typically happens if you update a OneLogin Desktop account that you haven't used in a long time. Click Update Keychain Password and enter a previous OneLogin password (how old it is depends on when you last used your OneLogin Desktop account). If you are unable to remember the correct previous OneLogin password, click Create New Keychain to create a new keychain. After your next login, OneLogin will sync the keychain password for the new keychain with your current OneLogin password.
When I tried to install OneLogin Desktop, I saw a message telling me that I could not use my local account because it is enabled for iCloud keychain. What do I do?
The Apple iCloud keychain feature can interfere with OneLogin Desktop. Select another account, tell the installer to create a new account, or quit the installation and disable iCloud keychain for the account that you want to enable for Desktop.
How do I lock users out of their OneLogin Desktop account?
To lock a user out of the OneLogin Desktop account on their Mac, do one of the following:
Suspend or delete the user's account in OneLogin
Change the user's password and deny them the ability to reset their password in OneLogin
Note that if the user is offline when you delete or suspend their account or change their OneLogin account password, the user can access their account until they go online.