Users were not challenged by the RSA MFA Agent after some macOS updates.
When macOS was updated, the installer removed the MFA Agent plugin's mechanism entry from the system.login.console and/or system.login.screensaver rights in the authorization database. Those rights define which mechanisms run at login and at screen unlock, so with the entry gone the login and unlock flows silently fell back to the built-in mechanisms: users were not challenged for MFA at login and/or unlock, and nothing failed closed.
macOS also removes third-party MFA vendor plugins whenever an update changes the relevant authorization database rights. For example, after upgrading macOS Monterey to version 12.3 or later, the RSA MFA Agent plugin entry was removed from 'system.login.console'.
Prerequisites (to be executed by admins):
- Copy RestoreRSAPlugin.sh to the /Library/Application Support/RSA MFA Agent/ folder:
sudo cp RestoreRSAPlugin.sh /Library/Application\ Support/RSA\ MFA\ Agent/
- Make sure the file permission is set to 751 (owner read/write/execute, group read/execute, everyone else execute only). The script is run as root, so it must be owned by root and must not be writable by other users:
sudo chmod 751 /Library/Application\ Support/RSA\ MFA\ Agent/RestoreRSAPlugin.sh
About the script:
This script verifies the RSA MFA Agent plugin entry and restores it if a macOS update removed it. It can be run with no argument or with one of the arguments EnableMonitor or DisableMonitor:
- No arguments:
Running the script without arguments verifies and restores the RSA MFA Agent plugin entry on the current macOS version only; it does not monitor for removal of the entry by future macOS updates. Restart the machine afterwards so the plugin takes effect at the console and the screensaver.
sudo /Library/Application\ Support/RSA\ MFA\ Agent/RestoreRSAPlugin.sh
- EnableMonitor:
Running the script with the EnableMonitor argument installs a daemon service that monitors for the RSA MFA Agent plugin entry after macOS restarts. The daemon adds the plugin entry as defined in the Agent configuration and restarts the machine so the plugin takes effect; if the entry has already been removed, it is restored when the machine restarts. Plan for that automatic restart when rolling this mode out.
sudo /Library/Application\ Support/RSA\ MFA\ Agent/RestoreRSAPlugin.sh EnableMonitor
- DisableMonitor:
Running the script with the DisableMonitor argument removes the daemon service and stops monitoring for the RSA MFA Agent plugin entry.
sudo /Library/Application\ Support/RSA\ MFA\ Agent/RestoreRSAPlugin.sh DisableMonitor
- Validate every macOS update on a test machine before it is pushed to end-user computers, and confirm there whether the update removes the RSA MFA Agent plugin entry. If it does, restore the entry with the script and verify that the agent challenges for MFA at both login and unlock before the update is rolled out. Depending on how the fleet is managed, admins can use either mode of RestoreRSAPlugin.sh: a one-time restore of the plugin entry, or the daemon service that monitors the entry across future macOS updates.
- Executable files downloaded with a browser carry the com.apple.quarantine extended attribute, and on some macOS machines Gatekeeper refuses to execute them for that reason. Check for the attribute and remove it before deploying the script, but only on a file whose origin you have verified, since removing the attribute skips that check:
- ls -l@ RestoreRSAPlugin.sh (lists extended attributes; an "@" after the mode bits and a com.apple.quarantine line mean the attribute is set).
- sudo xattr -d com.apple.quarantine RestoreRSAPlugin.sh (removes the attribute).
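The check that the test-machine validation above calls for, and a concrete view of the symptom described at the top of this article, as an added example script. It is not part of RSA's RestoreRSAPlugin.sh or any RSA deliverable. It reads the two rights with `security authorizationdb read` and reports whether a mechanism matching a pattern is still listed in each. The default pattern "RSA" and the mechanism name RSAAuthPlugin:authenticate used in the constructed sample are assumptions; take the real "<plugin>:<mechanism>" name from the agent's configuration and pass it as MECH_PATTERN.

```shell
#!/bin/sh
# Added example (not part of RSA's RestoreRSAPlugin.sh): report whether an
# authorization plugin mechanism is still wired into the login and
# screensaver rights. Live use on the Mac:  sh check_mfa_rights.sh --live
#
# ASSUMPTION: the RSA mechanism string contains "RSA". Override with
# MECH_PATTERN=<plugin>:<mechanism> taken from the agent configuration.
MECH_PATTERN="${MECH_PATTERN:-RSA}"

# Print the mechanism names, one per line, from the XML plist that
# `security authorizationdb read <right>` writes to stdout (read on stdin).
# Rights without a <mechanisms> array (rule-class rights) yield no output.
list_mechanisms() {
    sed -n '/<key>mechanisms<\/key>/,/<\/array>/p' \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# Exit 0 if a mechanism matching MECH_PATTERN is listed, 1 otherwise.
has_mechanism() {
    list_mechanisms | grep -q -- "$MECH_PATTERN"
}

# Live check: read each right from the authorization database and print
# PRESENT or MISSING. Returns 1 if any right lacks the plugin, so the
# script can gate a rollout or trigger RestoreRSAPlugin.sh.
check_rights() {
    rc=0
    for right in system.login.console system.login.screensaver; do
        if security authorizationdb read "$right" 2>/dev/null | has_mechanism; then
            echo "$right: $MECH_PATTERN mechanism PRESENT"
        else
            echo "$right: $MECH_PATTERN mechanism MISSING"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample laid out like `security authorizationdb read` output.
# The RSAAuthPlugin:authenticate name is illustrative, not the real one.
SAMPLE_WITH_PLUGIN='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>RSAAuthPlugin:authenticate</string>
        <string>builtin:login-success</string>
        <string>loginwindow:done</string>
    </array>
    <key>shared</key>
    <true/>
</dict>
</plist>'

# Constructed: the same right after an update dropped the plugin entry.
SAMPLE_WITHOUT_PLUGIN=$(printf '%s\n' "$SAMPLE_WITH_PLUGIN" \
    | grep -v 'RSAAuthPlugin:authenticate')

if [ "${1:-}" = "--live" ]; then
    check_rights
else
    printf '%s\n' "$SAMPLE_WITH_PLUGIN" | has_mechanism \
        && echo "sample right: $MECH_PATTERN mechanism PRESENT" \
        || echo "sample right: $MECH_PATTERN mechanism MISSING"
    printf '%s\n' "$SAMPLE_WITHOUT_PLUGIN" | has_mechanism \
        && echo "sample right after update: $MECH_PATTERN mechanism PRESENT" \
        || echo "sample right after update: $MECH_PATTERN mechanism MISSING"
fi
```

Without arguments the script only exercises the two constructed samples, so it runs anywhere; with --live on the macOS test machine it reads the real rights. MISSING for either right reproduces the symptom described above and is the cue to run RestoreRSAPlugin.sh; both rights matter, since system.login.console covers login and system.login.screensaver covers unlock. The non-zero exit status lets a management tool run the check after an update and restore the entry automatically.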