000039252 - Operating system upgrade causes issues with RSA MFA Agent for macOS

Document created by RSA Customer Support Employee on Aug 24, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039252
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent
RSA Version/Condition: 1.0
Platform: macOS
IssueThe RSA MFA agent unlock option no longer works and/or the MFA Agent for macOS logs are deleted after upgrading macOS Catalina.
CauseSee the following macOS defects:
  • FB8294261: After macOS update, custom system.login.screensaver is getting reverted to macOS default.
  • FB8293900: After macOS update, custom logs created in /Library/Logs/ are getting deleted.

A macOS administrative user must perform the steps below. See 000039048 - macOS administrator locked out due to RSA MFA Agent for macOS misconfiguration if administrator cannot log in to the machine.


Restore MFA Unlock

  1. Backup existing system.login.screensaver:

bash$ security authorizationdb read system.login.screensaver > system.login.screensaver.Original_Backup.plist

  1. Create a custom plist file named screensaverMechanism.plist.
  2. Include the following data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

This custom rule is used to enable RSA MFA unlock.
This rule is added to package under resources.
Copyright (c) 2020 RSA. All rights reserved.
<plist version="1.0">
<string>Verify that the requesting process is running as the session owner.</string>

  1. Write the custom screensaver data to system.login.screensaver:

bash$ security authorizationdb write system.login.screensaver < screensaverMechanism.plist


Agent Logs

  1. Before starting the macOS update, take a backup of the agent log files from /Library/Logs/RSA MFA Agent.
  2. After the macOS update:
    1. Create a directory that is named /Library/Logs/RSA MFA Agent with file permissions drwxrwxrwt and create an online log file:

bash$ chmod 1777 "/Library/Logs/RSA MFA Agent"
bash$ curDate=`date '+%Y-%m-%d %H-%M-%S'`
bash$ onlineLogFile="OnlineAuthentication $curDate-001.log"
bash$ touch "$onlineLogFile"
bash$ chown "_securityagent:wheel" "$onlineLogFile"