Article Number
000039048
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent for macOS
RSA Version/Condition: 1.x
Issue
An administrator enabled the RSA MFA Agent for macOS to require additional authentication during macOS authentication. The administrator is no longer able to log in to the macOS machine.
Cause
The administrator is not synced to the Cloud Authentication Service, and the RSA MFA Agent for macOS configuration property Disable Cloud Authentication Service Authentication for Unknown User has not been enabled.
Workaround
There are three options to allow the administrator to regain access to the macOS machine. Choose one of the following:
- SSH to the macOS machine using an administrator account and edit the agent settings at /Library/Preferences/com.rsa.mfaconfig.plist. Options include setting disableCASforUnknownUser=true or enableCAS=false.
- SSH to the macOS machine using an administrator account and uninstall the RSA MFA Agent for macOS by running the following command:
sudo "/Library/Application Support/RSA MFA Agent/UninstallRSAmacOSAgent.sh"
- Sync the administrator (using sAMAccountName or equivalent) from your identity source to the Cloud Authentication Service and have the admin user register a mobile device. This will allow the administrator to meet the additional authentication requirement enforced by the RSA MFA Agent for macOS.
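The first and third options trade one risk for another: with the unknown-user property off, an unsynced administrator is locked out, and with it on, accounts unknown to the Cloud Authentication Service are not challenged. The following check of a copy of com.rsa.mfaconfig.plist is an added example, not RSA code; the key names come from this article, while the value types, the defaults for absent keys, and the finding labels are assumptions.

```python
import plistlib

# Key names come from the article. Value types and the behaviour when a key
# is absent are assumptions of this example, not documented agent behaviour.
DEFAULTS = {"enableCAS": True, "disableCASforUnknownUser": False}


def as_bool(value):
    """Accept plist booleans as well as "true"/"false" style strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    return str(value).strip().lower() in ("true", "yes", "1")


def assess(plist_bytes, admin_synced):
    """Return findings (hypothetical labels) for one agent configuration.

    admin_synced: True if the administrator exists in the Cloud
    Authentication Service with a registered device (verified out of band).
    """
    cfg = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    flags = {k: as_bool(cfg.get(k, d)) for k, d in DEFAULTS.items()}
    findings = []
    if not flags["enableCAS"]:
        findings.append("mfa-off")                 # no additional authentication
    elif flags["disableCASforUnknownUser"]:
        findings.append("unknown-users-skip-mfa")  # fail-open for unsynced users
    elif not admin_synced:
        findings.append("admin-lockout-risk")      # the condition in this article
    return findings


def sample(enable_cas, disable_unknown):
    """Build a constructed plist for demonstration."""
    return plistlib.dumps(
        {"enableCAS": enable_cas, "disableCASforUnknownUser": disable_unknown}
    )


if __name__ == "__main__":
    cases = [(True, False, False), (True, True, False),
             (False, False, True), (True, False, True)]
    for enable, disable, synced in cases:
        print(enable, disable, synced, assess(sample(enable, disable), synced))
```

An empty result means additional authentication is enforced and the administrator can satisfy it, which is the state the third option produces.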