000039048 - macOS administrator locked out due to RSA MFA Agent for macOS misconfiguration

Document created by RSA Customer Support Employee on Jul 7, 2020
Version 1

Article Content

Article Number: 000039048
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent for macOS
RSA Version/Condition: 1.x
Issue: An administrator enabled the RSA MFA Agent for macOS to require additional authentication during macOS authentication. The administrator is no longer able to log in to the macOS machine.
Cause: The administrator is not synced to the Cloud Authentication Service, and the RSA MFA Agent for macOS configuration property Disable Cloud Authentication Service Authentication for Unknown User has not been enabled.
Workaround: There are three options to allow the administrator to regain access to the macOS machine. Choose one of the following:
  1. SSH to the macOS machine using an administrator account and edit the agent settings at /Library/Preferences/com.rsa.mfaconfig.plist. Options include setting disableCASforUnknownUser=true or enableCAS=false.
  2. SSH to the macOS machine using an administrator account and uninstall the RSA MFA Agent for macOS by running the following command:

sudo "/Library/Application Support/RSA MFA Agent/UninstallRSAmacOSAgent.sh"

  3. Sync the administrator (using sAMAccountName or equivalent) from your identity source to the Cloud Authentication Service and have the admin user register a mobile device. This will allow the administrator to meet the additional authentication requirement enforced by the RSA MFA Agent for macOS.
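
Option 1 as a script, added here as an example and not RSA's own tooling: it reports whether the plist is in the lockout state described under Cause, then sets one of the two keys after taking a backup. The path and key names are the article's; the helper names, the `.bak` suffix, and the handling of value types (boolean or string) and of missing keys are assumptions.

```python
import plistlib
import shutil
from pathlib import Path

# Path and key names are from the article; value types are an assumption.
CONFIG = Path("/Library/Preferences/com.rsa.mfaconfig.plist")


def truthy(value):
    """Accept a real boolean or a 'true'/'false' string (storage type is assumed)."""
    return str(value).strip().lower() in ("true", "yes", "1")


def lockout_risk(settings):
    """True when cloud auth is enforced and unknown (unsynced) users are not exempt."""
    # A missing key is treated as false (assumption; the article gives no defaults).
    cas_on = truthy(settings.get("enableCAS", False))
    exempt = truthy(settings.get("disableCASforUnknownUser", False))
    return cas_on and not exempt


def set_flag(path, key, enabled):
    """Back up the plist, set one key, and rewrite it in its original format."""
    path = Path(path)
    raw = path.read_bytes()
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist") else plistlib.FMT_XML
    settings = plistlib.loads(raw)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    # Keep the existing value's type; write a boolean when the key is new.
    old = settings.get(key)
    settings[key] = ("true" if enabled else "false") if isinstance(old, str) else enabled
    path.write_bytes(plistlib.dumps(settings, fmt=fmt))
    return settings


if __name__ == "__main__":
    current = plistlib.loads(CONFIG.read_bytes())
    print("lockout risk before:", lockout_risk(current))
    updated = set_flag(CONFIG, "disableCASforUnknownUser", True)
    print("lockout risk after:", lockout_risk(updated))
```

Run it with sudo from the SSH session, and check the printed state before logging out of that session.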