MAC Offline login


Daniele Carlini

Nov 17, 2025, 9:12:15 AM
to RCDevs Security
Hi,
I have a problem with Offline login on Mac.
I set up the CP on Mac; the CPOffline mechanism is present in the security "authorizationdb read system.login.console" output:

<string>CP:CPStart,privileged</string>
<string>CP:CPConfiguration,privileged</string>
<string>CP:CPAccess,privileged</string>
<string>CP:CPOffline,privileged</string>
<string>CP:CPAuthentication,privileged</string>
<string>CP:CPSave,privileged</string>
<string>CP:CPDone,privileged</string> 

log show --start '2025-11-17 14:33:00' | egrep  -w 'mechanism|CP:|OpenOTP|RCDevs|FIDO'

2025-11-17 14:33:51.491856+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism builtin:login-begin (3 of 23)
2025-11-17 14:33:51.549828+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism builtin:reset-password,privileged (4 of 23)
2025-11-17 14:33:51.634166+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism loginwindow:FDESupport,privileged (5 of 23)
2025-11-17 14:33:51.635532+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism builtin:forward-login,privileged (6 of 23)
2025-11-17 14:33:51.636449+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism builtin:auto-login,privileged (7 of 23)
2025-11-17 14:33:51.637578+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism builtin:authenticate,privileged (8 of 23)
2025-11-17 14:33:51.964521+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism PKINITMechanism:auth,privileged (9 of 23)
2025-11-17 14:33:52.127016+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPStart,privileged (10 of 23)
2025-11-17 14:33:52.127418+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPStart Trying to upload com.rcdevs.cp_id
2025-11-17 14:33:52.127521+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPStart com.rcdevs.cp_id uploaded
2025-11-17 14:33:52.155783+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPConfiguration,privileged (11 of 23)
2025-11-17 14:33:52.156069+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration: Trying to download com.rcdevs.cp_id
2025-11-17 14:33:52.156140+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration: com.rcdevs.cp_id downloaded
2025-11-17 14:33:52.157743+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:Init mechanism: Loading configuration: <private>
2025-11-17 14:33:52.157801+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration Trying to upload com.rcdevs.openotp.config
2025-11-17 14:33:52.157835+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration com.rcdevs.openotp.config uploaded
2025-11-17 14:33:52.157842+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration Trying to upload com.rcdevs.cp_id
2025-11-17 14:33:52.157856+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration com.rcdevs.cp_id uploaded
2025-11-17 14:33:52.184896+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPAccess,privileged (12 of 23)
2025-11-17 14:33:52.185198+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAccess: Trying to download com.rcdevs.cp_id
2025-11-17 14:33:52.185257+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAccess: com.rcdevs.cp_id downloaded
2025-11-17 14:33:52.211140+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPOffline,privileged (13 of 23)
2025-11-17 14:33:52.211442+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPOffline: Trying to download com.rcdevs.cp_id
2025-11-17 14:33:52.211500+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPOffline: com.rcdevs.cp_id downloaded
2025-11-17 14:33:52.212393+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPOffline Trying to upload com.rcdevs.offline_data
2025-11-17 14:33:52.212413+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPOffline com.rcdevs.offline_data uploaded
2025-11-17 14:33:52.238814+0100 0x6676     Default     0x0                  527    0    authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPAuthentication,privileged (14 of 23)
2025-11-17 14:33:52.239113+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: Trying to download com.rcdevs.cp_id
2025-11-17 14:33:52.239196+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: com.rcdevs.cp_id downloaded
2025-11-17 14:33:52.239219+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: Trying to download com.rcdevs.openotp.config
2025-11-17 14:33:52.239239+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: com.rcdevs.openotp.config downloaded
2025-11-17 14:33:52.243950+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: Trying to download com.rcdevs.offline_data
2025-11-17 14:33:52.243966+0100 0x73de     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: com.rcdevs.offline_data downloaded
2025-11-17 14:33:52.248386+0100 0x73ea     Default     0x0                  2375   0    authorizationhosthelper.arm64: (CP) RCDevs: OpenOTP: <private>


My Mac has Tahoe 26.1 and is joined to AD.
The online login works well!
What can I check?

Thanks
Daniele
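The `log show` output above can be checked mechanically instead of by eye. The following Python script is an added example for this thread, not code from RCDevs or from the poster: it parses the authd and authorizationhosthelper lines, lists which CP mechanisms ran and in which order, and confirms whether com.rcdevs.offline_data was uploaded by CP:CPOffline and later downloaded by CP:CPAuthentication. The sample log embedded in it is a trimmed copy of the lines quoted in the post (constructed input); the expected CP mechanism order is taken from the authorizationdb listing in the same post.

```python
import re
import sys

# Constructed sample: a subset of the `log show` lines quoted in the thread,
# with the fixed-width columns collapsed to single spaces.
SAMPLE_LOG = """\
2025-11-17 14:33:52.127016+0100 0x6676 Default 0x0 527 0 authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPStart,privileged (10 of 23)
2025-11-17 14:33:52.127521+0100 0x73de Default 0x0 2375 0 authorizationhosthelper.arm64: (CP) RCDevs: CP:CPStart com.rcdevs.cp_id uploaded
2025-11-17 14:33:52.155783+0100 0x6676 Default 0x0 527 0 authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPConfiguration,privileged (11 of 23)
2025-11-17 14:33:52.157835+0100 0x73de Default 0x0 2375 0 authorizationhosthelper.arm64: (CP) RCDevs: CP:CPConfiguration com.rcdevs.openotp.config uploaded
2025-11-17 14:33:52.184896+0100 0x6676 Default 0x0 527 0 authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPAccess,privileged (12 of 23)
2025-11-17 14:33:52.211140+0100 0x6676 Default 0x0 527 0 authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPOffline,privileged (13 of 23)
2025-11-17 14:33:52.212413+0100 0x73de Default 0x0 2375 0 authorizationhosthelper.arm64: (CP) RCDevs: CP:CPOffline com.rcdevs.offline_data uploaded
2025-11-17 14:33:52.238814+0100 0x6676 Default 0x0 527 0 authd: [com.apple.Authorization:authd] engine 57: running mechanism CP:CPAuthentication,privileged (14 of 23)
2025-11-17 14:33:52.243966+0100 0x73de Default 0x0 2375 0 authorizationhosthelper.arm64: (CP) RCDevs: CP:CPAuthentication: com.rcdevs.offline_data downloaded
2025-11-17 14:33:52.248386+0100 0x73ea Default 0x0 2375 0 authorizationhosthelper.arm64: (CP) RCDevs: OpenOTP: <private>
"""

# authd line: "running mechanism <name>[,privileged] (<n> of <total>)"
MECH_RE = re.compile(r"running mechanism (\S+?)(?:,privileged)? \((\d+) of (\d+)\)")
# helper line: "RCDevs: CP:<Mechanism>[:] <context item> uploaded|downloaded"
XFER_RE = re.compile(r"RCDevs: (CP:\w+):? (\S+) (uploaded|downloaded)")

# CP mechanism order as listed by `authorizationdb read system.login.console` in the post.
EXPECTED_CP_ORDER = ["CP:CPStart", "CP:CPConfiguration", "CP:CPAccess", "CP:CPOffline",
                     "CP:CPAuthentication", "CP:CPSave", "CP:CPDone"]


def parse_mechanisms(text):
    """Return the mechanisms authd reported as running, in log order, as (name, n, total)."""
    mechs = []
    for line in text.splitlines():
        m = MECH_RE.search(line)
        if m:
            mechs.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return mechs


def parse_transfers(text):
    """Map each CP mechanism to the (context item, direction) pairs it reported."""
    xfers = {}
    for line in text.splitlines():
        m = XFER_RE.search(line)
        if m:
            mech, item, direction = m.groups()
            xfers.setdefault(mech, []).append((item, direction))
    return xfers


def check_offline_flow(text):
    """Summarise whether the offline-data round trip is visible in the log."""
    mechs = parse_mechanisms(text)
    cp_run = [name for name, _, _ in mechs if name.startswith("CP:")]
    xfers = parse_transfers(text)
    uploaded = ("com.rcdevs.offline_data", "uploaded") in xfers.get("CP:CPOffline", [])
    downloaded = ("com.rcdevs.offline_data", "downloaded") in xfers.get("CP:CPAuthentication", [])
    # CP mechanisms present in authorizationdb but never reported as run: in the
    # quoted log the chain stops at CPAuthentication, so CPSave and CPDone are absent.
    missing = [m for m in EXPECTED_CP_ORDER if m not in cp_run]
    return {
        "cp_mechanisms_run": cp_run,
        "offline_data_uploaded": uploaded,
        "offline_data_downloaded": downloaded,
        "last_mechanism": mechs[-1][0] if mechs else None,
        "cp_mechanisms_not_seen": missing,
    }


if __name__ == "__main__":
    # Pipe real output in (`log show ... | python3 this.py`); otherwise use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in check_offline_flow(text).items():
        print(f"{key}: {value}")
```

On the quoted log the script reports that CPOffline uploaded the offline data and CPAuthentication downloaded it, and that the last mechanism seen is CP:CPAuthentication with CPSave and CPDone never reached, which is the point at which to look for the failure.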

Yoann Traut (RCDevs)

Nov 17, 2025, 9:52:13 AM
to RCDevs Security

Hello,

  • Was offline mode enabled during the CP setup?
    https://docs.rcdevs.com/pictures/mfa/macos/5.webp

  • Is offline mode enabled in the OpenOTP Server configuration via the “Windows Offline Login” setting?

  • Can you log in offline with the AD account without our plugin when the laptop is disconnected?

  • Do the authentication methods registered on the account support offline mode? Only the OpenOTP Token mobile application (with push mechanisms enabled) and FIDO keys support offline login.

Regards

Daniele Carlini

Nov 17, 2025, 11:50:08 AM
to RCDevs Security

Hi Yoann,

Yes, I enabled the offline mode during the CP setup.

In the first attempt, I hadn't enabled the Windows offline login in the policy, but now it is activated with the default value (30).

Yes, without the CP I log in in offline mode with the cached AD password.

I use the OpenOTP app on my phone.


This is the cp.config.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>clientid</key>
<string>MAC Policy</string>
<key>domain</key>
<string>MYDOMAIN</string>
<key>apikey</key>
<string>APIKEYSTRING</string>
<key>serverpolicy</key>
<string>OPENOTP_ORDERED</string>
<key>statuscheckinterval</key>
<integer>60</integer>
<key>statuscheckmethod</key>
<string>OPENOTP_SOCKET</string>
<key>urls</key>
<array>
<string>https://SERVER1:8443/openotp/</string>
<string>https://SERVER2:8443/openotp/</string>
</array>
</dict>
</plist>


This is the cp.offlinedata.plist file; the file is compiled:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>MYDOMAIN</key>
<dict>
<key>MYUSER</key>
<dict>
<key>context</key>
<string>ESMnHBE4I--STRING--3KAYcMQo</string>
</dict>
</dict>
</dict>
</plist>


Daniele

Yoann Traut (RCDevs)

Nov 18, 2025, 4:47:47 AM
to RCDevs Security

Hello,


Thank you for your feedback.
You mentioned that you are using the OpenOTP Token app on your phone, but does the registered token have Push Login capabilities?
Could you provide the full log stack for an online login performed with the OpenOTP server from the Mac? WebADM GUI > LogFile > WebADM Server Log file.


Regards

Daniele Carlini

Nov 18, 2025, 6:16:47 AM
to RCDevs Security
The primary token has the push login:

Screenshot 2025-11-18 alle 10.53.51.png

This is the log:


[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] New openotpNormalLogin SOAP request
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] > Username: d.carlini
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] > Domain: DOMAIN
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] > Client ID: MAC Policy
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] > Context: ESMnHBE4ITcxBSAyCCsDFxc5DQQMBAoiLjw3KAYcMQo
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] > Options: -ldap,offline,novoice
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Enforcing client policy: MAC Policy (matched client ID)
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Registered openotpNormalLogin request
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Resolved LDAP user: CN=Daniele Carlini,CN=Users,DC=DOMAIN,DC=local (cached)
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Resolved LDAP groups: AD GROUPS
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Started transaction lock for user
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Found user language: IT
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Found 1 user emails: MYEMAIL
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Found 53 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,OTPFallback=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,ChallengeRetry=Yes,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Preferred,SMSType=Normal,SMSMode=Ondemand,ReplyData=[1 Items],MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID,RecordEvents=Yes,SessionBadgeOut=Yes
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Found 5 user data: TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Found 1 registered OTP token (TOTP)
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] User has no FIDO device registered
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Requested login factors: OTP
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Authentication challenge required
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Sent push notification for token #1 (session EiPXZjcegG9Ddpr5)
[2025-11-18 10:55:12] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Waiting 28 seconds for mobile response
[2025-11-18 10:55:19] [WAPROXY IP:52918] [OpenOTP:YS9XNMWO] Received mobile login response from IP OF MY PHONE
[2025-11-18 10:55:19] [WAPROXY IP:52918] [OpenOTP:YS9XNMWO] > Session: EiPXZjcegG9Ddpr5
[2025-11-18 10:55:19] [WAPROXY IP:52918] [OpenOTP:YS9XNMWO] > Password: 16 Bytes
[2025-11-18 10:55:19] [WAPROXY IP:52918] [OpenOTP:YS9XNMWO] Found authentication session started 2025-11-18 10:55:12
[2025-11-18 10:55:19] [WAPROXY IP:52918] [OpenOTP:YS9XNMWO] PUSH password Ok (token #1)
[2025-11-18 10:55:19] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] No registered FIDO device found for offline mode
[2025-11-18 10:55:19] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Updated user data
[2025-11-18 10:55:19] [WEBADM IP:49318] [OpenOTP:YS9XNMWO] Sent login success response



Yoann Traut (RCDevs)

Nov 18, 2025, 11:38:39 AM
to RCDevs Security

Hello,

Everything looks correct so far.
In the CPInstaller folder, after authentication, please verify that the cp.offlinedata.plist file is present and share its content.

Regards

Daniele Carlini

Nov 18, 2025, 11:51:08 AM
to RCDevs Security
Do you mean this /Library/Application Support/RCDevs directory?
There are these files:

-rw-------   1 root  admin  224 17 nov 12:35 cp.accesslist.plist
-rw-------@  1 root  admin  765 17 nov 14:28 cp.config.plist
-rw-------   1 root  admin  354 18 nov 10:55 cp.offlinedata.plist

And this is the content of cp.offlinedata.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>teknonet</key>
<dict>
<key>d.carlini</key>
<dict>
<key>context</key>
<string>ESMnHBE4ITcxBSAyCCsDFxc5DQQMBAoiLjw3KAYcMQo</string>
</dict>
</dict>
</dict>
</plist>

Daniele

Daniele Carlini

Nov 18, 2025, 12:02:20 PM
to RCDevs Security
Permission problem on the files?
In the example in the guide the permissions are:

root@admins-Mac-mini Resources # cd /Library/Application\ Support/RCDevs/
root@admins-Mac-mini RCDevs # ls -al
-rw-------   1 admin  staff  1991 Dec  5 10:41 ca.crt
-rw-r--r--   1 admin  staff   215 Dec  5 10:41 cp.accesslist.plist
-rw-r--r--   1 admin  staff   664 Dec  5 10:41 cp.config.plist
-rw-r--r--   1 admin  staff   181 Dec  5 10:41 cp.offlinedata.plist

but on my Mac it is different, and on cp.config.plist the @ xattr is: com.apple.provenance

Daniele

Yoann Traut (RCDevs)

Nov 20, 2025, 7:40:35 AM
to RCDevs Security

Hello,

Indeed, the file permissions could be causing the issue. In our documentation, admin is the account used for offline login, and staff is its group.

I also noticed that the ca.crt file is missing from your folder. 

Could you please provide us with the output of your cp.config.plist?

Regards,

Daniele Carlini

Nov 21, 2025, 8:39:16 AM
to RCDevs Security

I tried to change the permissions to d.carlini:staff and 644:

-rw-r--r--   1 d.carlini  staff  1910 21 nov 09:29 ca.crt
-rw-r--r--   1 d.carlini  staff   821 21 nov 11:44 cp.config.plist
-rw-r--r--   1 d.carlini  staff   224 21 nov 11:50 cp.accesslist.plist
-rw-r--r--   1 d.carlini     staff   354 21 nov 12:22 cp.offlinedata.plist

Every reboot the cp.offlinedata.plist changes to root:admin

-rw-r--r--   1 d.carlini  staff  1910 21 nov 09:29 ca.crt
-rw-r--r--   1 d.carlini  staff   821 21 nov 11:44 cp.config.plist
-rw-r--r--   1 d.carlini  staff   224 21 nov 11:50 cp.accesslist.plist
-rw-r--r--   1 root       admin   354 21 nov 12:22 cp.offlinedata.plist
drwxr-xr-x   6 root       admin   192 21 nov 12:22 .


And I reconfigured CP with ca.crt because I understood that it was optional ... but nothing...


This is my cp.config.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>apikey</key>
<string>API STRING</string>
<key>cacertificate</key>
<string>ca.crt</string>
<key>clientid</key>
<string>MAC Policy</string>
<key>domain</key>
<string>DOMAIN</string>
<key>serverpolicy</key>
<string>OPENOTP_ORDERED</string>
<key>soaptimeout</key>
<integer>30</integer>
<key>statuscheckinterval</key>
<integer>60</integer>
<key>statuscheckmethod</key>
<string>OPENOTP_STATUS</string>
<key>urls</key>
<array>
<string>https://URL1:8443/openotp/</string>
<string>https://URL2:8443/openotp/</string>
</array>
</dict>
</plist>



Daniele
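The ownership drift described in the two posts above (cp.offlinedata.plist reverting to root:admin and mode 600 while the guide shows the login account, group staff, mode 644) is something that can be checked from a script rather than by reading `ls -al` after every reboot. The following Python script is an added example for this thread, not code from RCDevs or from the poster. It compares each file in the RCDevs directory with the owner, group and mode taken from the guide excerpt quoted in the thread (the exact modes, 644 for the plists and 600 for ca.crt, are this example's assumption from that excerpt), and it reads cp.offlinedata.plist with plistlib to confirm that a domain/user context entry is present. The fixture it builds is constructed: it reproduces the mode drift (600 instead of 644) but cannot reproduce a root-owned file without root, so the ownership test uses the running user as the expected account.

```python
import grp
import os
import plistlib
import pwd
import stat
import tempfile
from pathlib import Path

# Expected layout, from the guide excerpt quoted in the thread: every file owned by the
# offline-login account with group staff; cp.*.plist mode 644, ca.crt mode 600 (assumption).
EXPECTED_MODES = {
    "ca.crt": 0o600,
    "cp.accesslist.plist": 0o644,
    "cp.config.plist": 0o644,
    "cp.offlinedata.plist": 0o644,
}


def _uid_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry: report the number instead
        return str(uid)


def _gid_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def current_identity():
    """(owner, group) names of the running user; the demo uses them as the expected owner."""
    return _uid_name(os.getuid()), _gid_name(os.getgid())


def file_identity(path):
    """Return (owner, group, mode) for a path, the same information `ls -l` prints."""
    st = os.stat(path)
    return _uid_name(st.st_uid), _gid_name(st.st_gid), stat.S_IMODE(st.st_mode)


def check_rcdevs_dir(directory, expected_owner, expected_group):
    """Compare each expected file's owner/group/mode with the documented values.
    Returns a list of findings; an empty list means no drift."""
    findings = []
    for name, mode in EXPECTED_MODES.items():
        path = Path(directory) / name
        if not path.exists():
            findings.append(f"{name}: missing")
            continue
        owner, group, actual = file_identity(path)
        if (owner, group) != (expected_owner, expected_group):
            findings.append(f"{name}: owner {owner}:{group}, "
                            f"expected {expected_owner}:{expected_group}")
        if actual != mode:
            findings.append(f"{name}: mode {actual:o}, expected {mode:o}")
    return findings


def offline_context(directory, domain, user):
    """Return the cached offline context for domain/user from cp.offlinedata.plist,
    or None when the file or the entry is absent."""
    path = Path(directory) / "cp.offlinedata.plist"
    if not path.exists():
        return None
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return data.get(domain, {}).get(user, {}).get("context")


def build_sample_dir():
    """Constructed fixture mirroring the thread: three files as documented, and
    cp.offlinedata.plist with the drifted mode 600 reported on the poster's Mac."""
    d = Path(tempfile.mkdtemp(prefix="rcdevs-demo-"))
    for name in ("ca.crt", "cp.accesslist.plist", "cp.config.plist"):
        (d / name).write_bytes(b"")
        os.chmod(d / name, EXPECTED_MODES[name])
    offline = {"MYDOMAIN": {"MYUSER": {"context": "ESMnHBE4I--STRING--3KAYcMQo"}}}
    with open(d / "cp.offlinedata.plist", "wb") as fh:
        plistlib.dump(offline, fh)
    os.chmod(d / "cp.offlinedata.plist", 0o600)
    return str(d)


if __name__ == "__main__":
    # On a real Mac, point this at "/Library/Application Support/RCDevs" with the
    # offline-login account and "staff" as expected owner and group.
    demo_dir = build_sample_dir()
    owner, group = current_identity()
    for line in check_rcdevs_dir(demo_dir, owner, group) or ["no drift"]:
        print(line)
    print("context:", offline_context(demo_dir, "MYDOMAIN", "MYUSER"))
```

Run as root against the real directory the check prints one finding per file that differs from the guide; running it once before and once after a reboot narrows down whether the plist is rewritten by the login flow or by something else.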

Yoann Traut (RCDevs)

Nov 24, 2025, 2:56:31 AM
to RCDevs Security
Hello, 

Can you adapt and execute the following command from your Mac to ensure that the offline state (required for offline login) is returned successfully by the backend?

The ldapPassword parameter does not need any value here.

On my side it returns:

{"code":1,"error":null,"message":"Authentication success","offlineState":"AQZpS5vbICG0SmxQb5Xo7wxPa+mc14xngR8feZiB+U0WbgUuOeMiE9jkeFfMxw=="}%


Regards


Daniele Carlini

Dec 3, 2025, 5:30:43 AM
to RCDevs Security
I disabled the API key request in the OpenOTP configuration and executed the command; this is the answer:

{"code":1,"error":null,"message":"Authentication success","offlineState":"AQZpT5WBqLSsZoYcfV6vnWBme3o1mynGgWBrgkIZCx5XE957Dh8ZA2R0RmipWw=="}%


Daniele

Yoann Traut (RCDevs)

Dec 11, 2025, 4:25:26 AM
to RCDevs Security
Hello,

Thank you for the output.
The backend is correctly returning the offline state. We suspect that the issue is just due to the file permissions on cp.offlinedata.plist.
Permissions are not supposed to be changed, so we don't really understand why this is happening on your side.

Can you try running the following command early during boot or shortly after logging in to get the exact process path rewriting the file:

sudo fs_usage -w -f filesys | grep cp.offlinedata.plist

Additionally, enable the audit system to capture logs related to this file with:

sudo auditctl -w /Library/Application\ Support/RCDevs/cp.offlinedata.plist -p wa


Then execute the following command to filter the logs:

sudo praudit /var/audit/$(ls -1t /var/audit | head -n 1) \
    | grep "cp.offlinedata.plist" \
    > /tmp/offline_plist_audit.txt


Provide us the /tmp/offline_plist_audit.txt

Regards
