Version: 10.5.0

macOS Installation and Configuration

This page covers macOS installation and configuration. For Windows, see Windows Installation. For a list of all macOS-specific parameters, see Installation Parameters.

Install via installer

You can use the installer command to deploy the HYPR Passwordless client for macOS without displaying the installation UI. Note that if you're doing this manually in a Terminal window you'll need to use sudo to grant the necessary privileges.

  1. Define the installation parameters in a hypr.json configuration file located in the same folder as the HYPR Passwordless .pkg file. (See Common Installation Parameters for details.)

  2. Run the installer command as follows:

installer -pkg /path/to/WorkforceAccess-<version>-Installer.pkg -target /

  3. The installer will prompt you for a password (if using sudo) and report on the status of the install. For example (replace <version> with the HYPR version):

ghopper@MacBook-Pro ~ % sudo installer -pkg /Users/gracehopper/Desktop/WorkforceAccess-<version>-Installer.pkg -target /
Password:
installer: Package name is WorkforceAccess-<version>-Installer
installer: Upgrading at base path /
installer: The upgrade was successful.
installer: The install requires restarting now.
ghopper@MacBook-Pro ~ %

  4. Restart the workstation when finished.

HYPR Application .plist Keys

The installation process stores a number of key values in an application .plist file in the following location:

/Library/HYPR/HyprOneService.plist

These keys are required for normal functioning of the application and usually don't require any changes post-install. However, for troubleshooting purposes HYPR Support may ask you to review or modify the values.

Manual Configuration

  1. In a terminal, use sudo to edit /Library/HYPR/HyprOneService.plist via an editor (vi, nano, etc.).

  2. Modify the file according to your configuration, for example:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ApplicationId</key>
    <string>hyprWindowsLogin</string>
    <key>LogLevel</key>
    <integer>5</integer>
    <key>QrCodeUrl</key>
    <string></string>
    <key>RelyingPartyPins</key>
    <string>g1eupqU9HGvXhObmQWABAKQXRYqKB/IziIWKgnn44IY=,LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=,klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=,grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=</string>
    <key>RelyingPartyUrl</key>
    <string>https://highlandsbank.hypr.com/rp</string>
    <key>SupportEmail</key>
    <string>support@hypr.com</string>
    </dict>
    </plist>
  3. Update the ApplicationId, RelyingPartyUrl, RelyingPartyPins, and SupportEmail based on the current server configuration.

  4. Reboot the computer to apply the changes.

Enterprise Deployment and Configuration

To deploy the HYPR Passwordless client in an enterprise environment, wrap a script around the installation package. The script installs the package and updates the HyprOneService.plist file of all affected users.

This can be achieved with a combination of the defaults and plutil commands.

Example

#!/bin/bash

PLIST_FILE=/Library/HYPR/HyprOneService.plist

# Install the HYPR Employee Access package onto the boot volume.
installer -pkg EmployeeAccess-2.1-Installer.pkg -target /

# Customize the configuration.
defaults write "$PLIST_FILE" ApplicationId "NAME OF YOUR APP IN CONTROL CENTER"
defaults write "$PLIST_FILE" RelyingPartyPins "<COMMA DELIMITED LIST OF PINS>"
defaults write "$PLIST_FILE" RelyingPartyUrl "https://CONTROL_CENTER_URL/rp"
defaults write "$PLIST_FILE" SupportEmail "SUPPORT EMAIL"

# Convert the configuration file to XML.
plutil -convert xml1 "$PLIST_FILE"

Installation Parameters

The following parameters can be configured for macOS installations. Each parameter can be set via the hypr.json file or the .plist configuration.

Parameter index

Detailed settings

rpUrl

  • plist: RelyingPartyUrl
  • JSON: rpUrl

The URL of your HYPR instance. Must end in /rp, for example https://yourtenant.gethypr.com/rp.

appId

  • plist: ApplicationId
  • JSON: appId

The ID of the HYPR Control Center internal application used to configure Workstation functionality: HYPRDefaultWorkstationApplication.

pinningHash

  • plist: RelyingPartyPins
  • JSON: pinningHash

A hash of the HYPR server SSL/TLS certificate used for public key pinning. Multiple hashes can be comma‑separated; validation succeeds if any hash matches. See the hypr.json downloaded with the installer for values.

installToken

  • plist: N/A
  • JSON: installToken

A token used to establish encrypted communication between the client and HYPR Server. Pre‑set per deployment.

certTemplate

  • plist: CertificateTemplate
  • JSON: certTemplate

Active Directory certificate template name for Advanced Installs and mobile enrollment. The default is typically hyprmac. See Advanced Certificates.

supportEmail

  • plist: SupportEmail
  • JSON: supportEmail

Email address used for support requests from within the client UI.

proxyServer

  • plist: N/A
  • JSON: proxyServer

Proxy server in the form proxy[:port], e.g., proxy.myoffice.com:3128. Port defaults to 8080.

proxyBypass

  • plist: N/A
  • JSON: proxyBypass

Comma‑separated hostnames to exclude from proxy. Wildcards supported (e.g., .mycompany.com, 10.20.).

qrCodeUrl

  • plist: QrCodeUrl
  • JSON: qrCodeUrl

URL to handle incoming QR code requests. Typically your tenant URL.

allowPasswordForPairedUsers

  • plist: AllowPasswordForPairedUsers
  • JSON: allowPasswordForPairedUsers

Enables or disables the password prompt at login for users who have previously paired using HYPR. Set to false to enforce passwordless login. Enabled (true) by default. See Passwordless Enforcement.

allowPasswordUnlockForPairedUsers

  • plist: AllowPasswordUnlockForPairedUsers
  • JSON: allowPasswordUnlockForPairedUsers

Enables or disables the password prompt at unlock for users who have previously paired using HYPR. Set to false to enforce passwordless unlock. Enabled (true) by default. See Passwordless Enforcement.

certPublishers

  • plist: CertificatePublishers
  • JSON: certPublishers

Comma‑separated list of DNS names for servers that can generate certificates on behalf of the user. If omitted, the client browses the AD forest (may take longer in large environments).

certAuthority

  • plist: CertificateAuthority
  • JSON: certAuthority

Name of the Active Directory publisher. If omitted, the client browses the AD forest (may take longer in large environments).

protectLogs

  • plist: ProtectLogs
  • JSON: protectLogs

Controls access to HYPR logs. See Setting Log Access on macOS.

sendLogsPrompt

  • plist: SendLogsPrompt
  • JSON: sendLogsPrompt

Overrides the default Contact Support label. See Contact Support.

supportURL

  • plist: SupportURL
  • JSON: supportURL

Overrides the Need Assistance? URL. Opens in the default browser. See Contact Support.

securityKeyPinComplexity

  • plist: SecurityKeyPinComplexity
  • JSON: securityKeyPinComplexity

PIN complexity: "Basic" or "Strict". "Basic" prevents simple/repeating sequences (e.g., "123456", "111111", "121212", "123987"). See Using a Security Key.

securityKeyTouchPolicy

  • plist: SecurityKeyTouchPolicy
  • JSON: securityKeyTouchPolicy

YubiKey touch policy during pairing. If set to 3 ("Once"), a touch is required after PIN entry. Default is 0 ("Never"). See Yubico documentation.

securityKeyPinRetries

  • plist: SecurityKeyPinRetries
  • JSON: securityKeyPinRetries

Number of allowed PIN/PUK retries during pairing if a PIN is set. If empty, zero, or negative, the device default applies. Max value is 255.

certificateAuthEnabled

  • plist: CertificateAuthEnabled
  • JSON: certificateAuthEnabled

Enables or disables certificate‑based authentication.

FileVault Configuration

Apple FileVault doesn't support the smart card authentication protocol, and it can only be unlocked with a user password. Still, there's an option to require HYPR authentication after the FileVault unlock to ensure that users are always using an MFA solution.

Disable the automatic login option of FileVault by executing the following command:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

With automatic login disabled, users are required to authenticate with the HYPR Mobile App after entering the FileVault password.

Passwordless Enforcement for Unlock and Login

See the article about Passwordless Enforcement for details on how to implement this feature in your environment.