Skip to main content

Supported Platforms, Authenticator Versions, and Deployment Prerequisites

  • Updated

Last updated: November, 2025

 

This article lists the operating systems and versions supported by the Beyond Identity Authenticator, minimum system requirements, and deployment prerequisites that IT administrators should review before rollout.

 

Table of Contents

 

Quick Support Matrix

PLATFORM SUPPORTED OS VERSIONS AUTHENTICATOR VERSION SUPPORT NOTES
Windows Windows 10 (build 18363 and later), Windows 11 2.98.1 and later 64-bit only; .NET framework embedded in installer; review deployment prerequisites.
macOS macOS 14, 15, 26 2.98.1 and later Review deployment prerequisites.
iOS / iPadOS iOS/iPadOS 26 2.98.1 and later iPhone and iPad supported.
Android Android 12, 13 , 14, 15, 16 2.98.2 and later
Linux Official: Debian/Ubuntu (v24.04, 22.04, 20.04);
Unofficial: RPM (RHEL/CentOS) 		See Linux install guide; refer back here for versions.
End of Life Policy: Beyond Identity does not currently publish formal end-of-life (EOL) dates for operating systems or Authenticator versions. When a platform or version is no longer supported, it will be removed from this page. Administrators should ensure devices are kept on the supported OS versions and Authenticator releases listed above.

 

 

 

Platform Details and Requirements

Windows

OS version Windows 10 (build 18363 and later), Windows 11
Architecture 64-bit and ARM64
.NET Embedded in the installer
Processor Capable of running supported OS versions
Other Review deployment prerequisites and allow-list BI processes. Windows requires TPM 1.2 for basic authentication, and TPM 2.0 for Windows Desktop Login.

macOS

OS version macOS 14, 15, 26
Other Review deployment prerequisites and allow-list BI processes.

iOS / iPadOS

OS version iOS/iPadOS 26

Android

OS version Android 12 (API 32), 13 (API 33), 14 (API 34)

Linux

Distributions Official: Debian/Ubuntu
Unofficial: RPM (RHEL/CentOS)
Notes Refer to installer article for steps and caveats; supported versions listed on this page.

 

Authenticator Version Support

Minimum supported Authenticator versions:
- Windows, macOS / iOS /: 2.98.1 and later
- Android: 2.98.2 and later

Tip: For latest hot-fixes and feature updates, see the Authenticator release notes.

 

Deployment Prerequisites

Before deploying the Beyond Identity Authenticator at scale, administrators must ensure that endpoint security tools, firewalls, and device policies allow the app to run without interference.

Allow-Listed Processes (Windows and macOS)

The following processes should be allow-listed in endpoint detection and antivirus tools:

  • BeyondIdentity.exe (Windows)
  • BeyondIdentityViewHelper.exe (Windows)
  • BIService.exe (Windows)
  • Beyond Identity.app (macOS)
  • com.beyondidentity.* background services (macOS)

Code Signing and Team Identifiers

To validate software integrity, ensure these identifiers are recognized:

  • macOS Team ID: BZA6SZ8XVQ
  • Windows Publisher: Beyond Identity, Inc.

Network Requirements

The Authenticator must be able to reach Beyond Identity’s cloud endpoints. Ensure the following domains and subdomains are allow-listed in firewalls and proxies:

  • *.beyondidentity.com
  • *.byndid.com

Security Tool Compatibility

Some endpoint security agents may require exclusions for Beyond Identity processes to prevent interference with authentication flows. Consult your EDR/AV documentation for configuring exceptions.

The Beyond Identity Platform Authenticator (PA) can be deployed using common MDM solutions such as Microsoft Intune, Jamf, and Kandji. Because the PA performs critical security and enrollment functions, the timing and method of deployment directly affect user onboarding and update behavior.

This section outlines the supported deployment methods and important considerations for each MDM platform.

 

General Requirements

Regardless of MDM platform:

  • The Platform Authenticator must be installed after a local user account is created.
    Installing the PA prior to user creation (for example, during device pre-provisioning via Win32) prevents the application from updating correctly.

  • The Platform Authenticator must be deployed as a standard application package, not a pre-login or pre-provisioned package.

  • Automatic updates require a supported installation path.
    Unsupported pre-provisioned Win32 installations will not receive updates without manual IT intervention.

 

Microsoft Intune

Recommended: Line of Business (LOB) Deployment

The preferred method for Windows deployment is Intune Line of Business (LOB) installation using the native .msi package.

Benefits

  • Installs after user account creation

  • Preserves automatic update functionality

  • Provides the most consistent experience for first-time passkey enrollment

Considerations

  • Installation timing can vary based on device enrollment, policy load, and network conditions.
    Admins should be aware that the PA may not be available immediately when the user logs in for the first time.

Not Recommended: Win32 (Intune WIN) Deployment

Intune Win32 packaging is not supported for pre-provisioning and is not recommended for managed Windows deployments.

Limitations

  • Win32 deployments occur before the local user account is created

  • This breaks the PA’s automatic update mechanism

  • Requires manual updates by IT for every release

  • The PA package (~400 MB) often exceeds customer SLAs for pre-provisioned app size

  • Pre-provisioning may lead to passkey enrollment failures, as the app may not be ready when needed

Outcome
Customers using Win32 for pre-provisioned deployments should expect degraded functionality and inconsistent onboarding flows.

 

Jamf (macOS)

Jamf deployment using the Beyond Identity macOS package is supported, provided installation occurs after the user account is created on the device.

Benefits

  • Supports normal update behavior

  • Fully compatible with macOS MDM workflows

Considerations

  • As with Intune, installation timing can vary depending on policy and network load

  • If the PA installs too late in the onboarding process, the user may attempt passkey creation before the application is available


Kandji (macOS)

Kandji deployment is also supported when using the standard macOS package and allowing installation to occur post-login.

Benefits

  • Normal update behavior is preserved

  • Integration fits within typical Kandji Blueprint workflows

Considerations

  • Device variability during enrollment may cause the PA to install later than expected

  • Admins should ensure initial passkey enrollment happens only after the PA is confirmed installed

 

iOS and Android

On iOS and Android, the Platform Authenticator is delivered through the App Store / Play Store.
MDM systems may enforce installation, but:

  • Installation timing does not impact passkey creation

  • Updates are managed through the associated app store

  • No special deployment pathways or constraints apply beyond standard mobile MDM policy

 

Summary of Recommendations

Platform Supported? Recommended Method Not Recommended Key Notes
Windows (Intune) Yes LOB .msi package Win32 .intunewin (pre-provisioned) Pre-provisioning breaks updates; package too large
macOS (Jamf) Yes Standard package post-login Pre-login / pre-user install Install must occur after user account creation
macOS (Kandji) Yes Standard package post-login Pre-login workflows Ensure PA is installed before passkey enrollment
iOS/Android Yes App Store / Play Store N/A No special constraints

 

Related Resources

 

Changelog (for this article)

  • Aug 29, 2025: Consolidated system requirements, supported OS versions, Authenticator version support, and deployment prerequisites into one unified article.
  • Oct 7, 2025: Updated Authenticator version numbers for all supported platforms.
  • Oct 22, 2025: Updated macOS and iPad/iOS versions supported. Also, updated the macOS Team ID. 
  • Nov 19, 2025: Added information on deployments via Intune, Jamf, and Kandji. 

 

 

Related articles

Comments

0 comments

Article is closed for comments.