A macOS administrative user must perform the steps below. See 000039048 - macOS administrator locked out due to RSA MFA Agent for macOS misconfiguration if the administrator cannot log in to the machine.
Restore MFA Unlock
- Backup existing system.login.screensaver:
bash$ security authorizationdb read system.login.screensaver > system.login.screensaver.Original_Backup.plist
- Create a custom plist file named screensaverMechanism.plist.
- Include the following data:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
    ScreensaverMechanism.plist
    RSASIDAuthPlugin
    This custom rule is used to enable RSA MFA unlock.
    This rule is added to package under resources.
    Copyright (c) 2020 RSA. All rights reserved.
-->
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>Verify that the requesting process is running as the session owner.</string>
    <key>rule</key>
    <string>authenticate-session-owner-via-rsa</string>
    <key>timeout</key>
    <integer>12000</integer>
</dict>
</plist>
- Write the custom screensaver data to system.login.screensaver:
bash$ security authorizationdb write system.login.screensaver < screensaverMechanism.plist
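To confirm the write took effect, read the right back (`security authorizationdb read system.login.screensaver > current.plist`) and check it. The checker below is an added example, not RSA's code; it parses the plist that command prints and reports whether the RSA unlock rule and timeout are in place. The two embedded samples are constructed for illustration, and the checker allows for `rule` being stored either as a single string or as an array of rule names.

```python
import plistlib

# Values from screensaverMechanism.plist
EXPECTED_RULE = "authenticate-session-owner-via-rsa"
EXPECTED_TIMEOUT = 12000


def check_screensaver_right(plist_bytes: bytes) -> dict:
    """Parse the XML plist printed by
    `security authorizationdb read system.login.screensaver`
    and report whether the RSA MFA unlock rule is configured."""
    right = plistlib.loads(plist_bytes)
    rule = right.get("rule", [])
    # authorizationdb stores `rule` as one string or an array of strings
    rules = [rule] if isinstance(rule, str) else list(rule)
    return {
        "class": right.get("class"),
        "rules": rules,
        "timeout": right.get("timeout"),
        "mfa_unlock": right.get("class") == "rule" and rules == [EXPECTED_RULE],
        "timeout_ok": right.get("timeout") == EXPECTED_TIMEOUT,
    }


def check_file(path: str) -> dict:
    """Check a saved copy of the right (e.g. current.plist)."""
    with open(path, "rb") as f:
        return check_screensaver_right(f.read())


# Constructed sample: the right after the custom plist has been written
RSA_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><string>authenticate-session-owner-via-rsa</string>
<key>timeout</key><integer>12000</integer>
</dict></plist>"""

# Constructed sample: a right that does not use the RSA rule (array form)
OTHER_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>use-login-window-ui</string>
<string>authenticate-session-owner</string></array>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("rsa", RSA_RIGHT), ("other", OTHER_RIGHT)):
        print(name, check_screensaver_right(sample))
```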
Agent Logs
- Before starting the macOS update, take a backup of the agent log files from /Library/Logs/RSA MFA Agent.
- After the macOS update:
- Create a directory that is named /Library/Logs/RSA MFA Agent with file permissions drwxrwxrwt and create an online log file:
# Run these as root (sudo): /Library/Logs and chown to _securityagent require it.
bash$ mkdir -p "/Library/Logs/RSA MFA Agent"
bash$ chmod 1777 "/Library/Logs/RSA MFA Agent"
bash$ curDate=$(date '+%Y-%m-%d %H-%M-%S')
bash$ onlineLogFile="/Library/Logs/RSA MFA Agent/OnlineAuthentication $curDate-001.log"
bash$ touch "$onlineLogFile"
bash$ chown "_securityagent:wheel" "$onlineLogFile"