A macOS administrative user must perform the steps below. See 000039048 - macOS administrator locked out due to RSA MFA Agent for macOS misconfiguration if administrator cannot log in to the machine.
Restore MFA Unlock
- Backup existing system.login.screensaver:
bash$ security authorizationdb read system.login.screensaver > system.login.screensaver.Original_Backup.plist
- Create a custom plist file named screensaverMechanism.plist.
- Include the following data:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
ScreensaverMechanism.plist
RSASIDAuthPlugin
This custom rule is used to enable RSA MFA unlock.
This rule is added to package under resources.
Copyright (c) 2020 RSA. All rights reserved.
-->
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Verify that the requesting process is running as the session owner.</string>
<key>rule</key>
<string>authenticate-session-owner-via-rsa</string>
<key>timeout</key>
<integer>12000</integer>
</dict>
</plist>
- Write the custom screensaver data to system.login.screensaver:
bash$ security authorizationdb write system.login.screensaver < screensaverMechanism.plist
Agent Logs
- Before starting the macOS update, take a backup of the agent log files from /Library/Logs/RSA MFA Agent.
- After the macOS update:
- Create a directory that is named /Library/Logs/RSA MFA Agent with file permissions drwxrwxrwt and create an online log file:
bash$ chmod 1777 "/Library/Logs/RSA MFA Agent"
bash$ curDate=`date '+%Y-%m-%d %H-%M-%S'`
bash$ onlineLogFile="OnlineAuthentication $curDate-001.log"
bash$ touch "$onlineLogFile"
bash$ chown "_securityagent:wheel" "$onlineLogFile"
| 
on Aug 24, 2020