Contents
Frequently Asked Questions about Duo Desktop and device health features.
General
Which browsers support Duo Desktop during authentication?
We recommend Google Chrome for the most seamless user experience. Edge Chromium, Internet Explorer 11, Safari, and Opera are also known to work without issues.
Which Linux distributions and versions does Duo Desktop support?
Yes, Duo Desktop for Linux supports these DEB/RPM-based Linux distributions
- Debian: 11, 12
- Ubuntu: 24.04 LTS, 23.04, 22.04 LTS, 20.04 LTS
- CentOS Stream: 8, 9
- Red Hat Enterprise Linux: 8, 9
Which macOS versions does Duo Desktop support?
Duo Desktop supports physical and virtual machines running macOS 11 and newer with both Intel and Apple silicon chipsets (M1/M2/M3). If using an Apple silicon device, the application runs natively and won’t require that the end user install Rosetta 2. It is not necessary to reinstall Duo Desktop after a macOS update.
Beta macOS versions are not supported.
Which Windows versions does Duo Desktop support?
Duo Desktop supports these Windows versions on physical and virtual machines:
- Windows 10 version 1803 or later
- Windows 11
- Windows Server 2016 and later
Duo Desktop is compatible with Windows Enterprise, Pro, and Home client editions (and the "Education" variants of these editions). Additionally, Duo Desktop is compatible with Windows Server Standard, Datacenter, and Datacenter: Azure editions.
Duo Desktop relies on the Windows Security Center present in client versions of the OS, so it does not support earlier desktop versions of Windows (like Windows 7 or Windows 8.1) as they lack this feature. If Duo Desktop detects that it's running on a Windows Server, the check for Windows Security Center is skipped.
To simplify the policy selection for all of our customers, while also supporting the most Windows 10 and 11 machines, the Windows version policy in the Admin Panel supports a subset of the currently supported builds of Windows 10 and 11. As Microsoft support for Home and Pro editions of Windows terminates earlier than the Enterprise edition, the Duo OS policy will support the most recent three Windows 10 and 11 builds to capture all Windows devices.
Support for Windows 10 build 1603 ended on September 1, 2022. Support for Windows 10 build 1803 will end on January 10, 2023.
Does Duo Desktop require .NET on Windows?
Yes, as of November 1, 2022 installation on Windows requires .NET 4.7.2 or later. We recommend that you update your endpoints to the Windows desktop versions currently supported by Duo Desktop, which have a compatible .NET version preinstalled.
Does Duo Desktop support virtual machines?
Yes, Duo Desktop supports Windows and macOS virtual machines as of May 2024.
Which version of Duo Desktop supports Duo Desktop authentication?
Duo Desktop authentication requires Duo Desktop 6.12.0 for Windows or 6.12.0.0 for macOS. Duo Desktop authentication is not available for Linux.
When did Duo Device Health change to Duo Desktop?
Duo Device Health became Duo Desktop in version 6.0.0.0 for macOS, 6.0.0 for Windows, and 2.0.0 for Linux; released October 31, 2023. Corresponding admin and user interfaces will update to reflect the new name in the first half of November 2023.
Install, Upgrade, and Uninstall
Can users download and install Duo Desktop directly?
Yes, users can download Duo Desktop directly via these links:
Linux (.deb) https://desktop.pkg.duosecurity.com/duo-desktop-latest.amd64.deb
Linux (.rpm) https://desktop.pkg.duosecurity.com/duo-desktop-latest.x86_64.rpm
macOS: https://dl.duosecurity.com/DuoDesktop-latest.pkg
Windows: https://dl.duosecurity.com/DuoDesktop-latest.msi
View checksums for Duo downloads here.
Installation requires administrator privileges on Linux, macOS, and Windows. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.
Can I install Duo Desktop via scripted or managed install?
Yes, see the scripted or managed install instructions.
Does Duo Desktop require elevated or administrative privileges?
Duo Desktop installation requires administrator privileges on Linux, macOS, and Windows. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.
Once installed, the application should run in the normal user context, and perform health checks and posture reporting to Duo during authentication without administrator rights.
Modifying some Duo Desktop preferences after installation, like disabling automatic silent updates, will require administrator privileges.
In older Device Health application versions, if the application was mistakenly set to run as an administrator on a Windows system, it wouldn't launch or report device status at Duo authentication. This is corrected in Duo Device Health version 2.2.0. If you are experiencing this issue please update to the latest Duo Desktop version.
How do I upgrade Duo Desktop?
Duo Desktop for macOS and Windows automatically checks for updates at app launch, during each Duo authentication, and at the interval specified in Duo Desktop preferences. To manually check for updates, open Duo Desktop's preferences and click the Check Now button.
If a newer version of Duo Desktop was detected during app launch or Duo authentication, Duo Desktop icon in the menubar or systray changes to notify you of the available update. If the scheduled or manual check finds a newer version available, it will pop-up a prompt to install the update.
Duo Desktop supports automatic silent updates, meaning that the app will automatically update to a newer available release without prompting the user. Learn more about silent updates in the Duo Desktop documentation.
The package manager on a Linux operating system handles automated app updates to Duo Desktop for Linux; the app does not include its own updater service.
To perform a manual upgrade, download and install the new version over the existing one.
Can I prevent automatic Duo Desktop updates?
Yes, see the instructions for disabling silent updates.
How do I uninstall Duo Desktop?
Uninstalling the application requires administrator privileges on both Windows and macOS. See the uninstall instructions in the Duo Desktop documentation.
Troubleshooting
Why might the download button shown in the Duo prompt not work?
There are two known situations where users may not be able to use the download button shown in the Duo prompt during authentication to download Duo Desktop:
- The user is attempting to download the installer from a non-browser client (e.g. Outlook).
- The application hosting the Duo prompt has applied a sandbox attribute, which can prevent pop-ups or downloads triggered from the prompt.
As a workaround, suggest your thick-client users switch to a browser or that they try a different Duo-protected application without those limitations to install Duo Desktop for the first time, or distribute the app directly to your users via emailed download links or scripted or managed deployment.
Why do users see repeated prompts to switch apps with Microsoft Edge and Duo Desktop?
Microsoft Edge has a caveat where the user is not presented with an option to remember the choice of allowing the Duo Prompt to communicate with Duo Desktop. This can result in a frustrating experience if the user continually closes Duo Desktop, as the Duo Prompt will use our fallback method of system URI communication which opens up the dialog that asks if the user intended to switch apps.
Leaving Duo Desktop running, even in the background, will prevent most of these dialogs from appearing. There could be cases where embedded web views within other software have issues communicating with the application over HTTPS, which will cause this dialog to appear even while the application is running.
How do I enable and view diagnostic logs for Duo Desktop?
To enable diagnostic logging on macOS and Windows:
-
Open Duo Desktop.
-
Click on the menu icon and select Preferences.
-
Check the box next to "Enable detailed diagnostic reports".
Duo Desktop for Linux defaults to debug logging.
The logs can be found in the following locations:
Linux: /var/log/duo-desktop/*.log
or /var/log/duo-device-health/*.log
macOS: ~/Library/Logs/Duo\ Desktop/*.log
or ~/Library/Logs/Duo Device Health/*.log
Windows: %LOCALAPPDATA%\DuoDesktop\Logs\*.log
or %LOCALAPPDATA%\DuoDeviceHealth\Logs\*.log
How do I use the Duo Desktop Support Tool?
If you open a case with Duo Support for an issue involving Duo Desktop you may need to submit some additional information to assist with troubleshooting. We've made collecting troubleshooting information easy with a script that gathers all the necessary files, scrubs them of sensitive information, and creates a zip package ready for you to send to Duo Support.
The paths used by the support tool change between Duo Device Health named releases to Duo Desktop named releases.
The script is included with Duo Desktop version 6.0.0 and Duo Device Health version 2.26.1 and later installations for maOS and Windows at the following locations:
macOS:
-
/Applications/Duo\ Desktop.app/Contents/Resources/duo_desktop_support.sh
(Duo Desktop) -
/Applications/Duo\ Device\ Health.app/Contents/Resources/device_health_support.sh
(Duo Device Health)
Windows:
-
C:\Program Files (x86)\Duo Desktop\DuoDesktop-Support.ps1
(Duo Desktop) -
C:\Program Files (x86)\Duo Device Health\DeviceHealth-Support.ps1
(Duo Device Health)
Support Tool on macOS
The Support Tool performs the following actions:
-
Creates a zip file that will contain all of the collected information.
-
Runs
curl
to determine if a connection to Duo is available. -
Captures the following information:
- System proxy settings
- install.log
- system.log
- Duo-related crash logs
- Operating system and kernel version
-
Copies
/Users/user_name/Library/Logs/Duo\ Desktop/*.log
or/Users/user_name/Library/Logs/Duo Device Health
to zip file. -
Copies certificates associated with the loopback adapter (127.0.0.1).
-
Optional: Exports all User and Kernel logs to zip file.
-
Saves the zip file to the signed-in user’s Desktop in the format
duo_desktop_support_year-month-day-time.zip
orDHA_Support_year-month-day-time.zip
.
Running the Support Tool
-
Open a Terminal session on the system where Duo Desktop is installed.
-
Reproduce the Duo issue you are experiencing.
-
Run the following script to export the logs. In this example, all User and Kernel panic logs will be exported.
Duo Desktop:
/Applications/Duo\ Desktop.app/Contents/Resources/duo_desktop_support.sh -a
Duo Device Health
/Applications/Duo\ Device\ Health.app/Contents/Resources/device_health_support.sh -a
Additional Terminal command options
Setting | Description |
---|---|
-a | Exports all User and Kernel panic logs. |
-h | Displays a help message. |
Support Tool on Windows
The Support Tool performs the following actions:
-
Creates a zip file that will contain all of the collected information.
-
Runs
Invoke-Webrequest
to determine if a connection to Duo is available. -
Captures the following information:
- System proxy settings
- Operating system version, build and bit
- Bitlocker status
- Timezone
- Duo-related Application event logs
-
Copies
C:\Users\user_name\AppData\Local\DuoDesktop\Logs
orC:\Users\user_name\AppData\Local\DuoDeviceHealth\Logs
to zip file. -
Exports Duo Registry keys from
HKLM\SOFTWARE\Duo
andHKCU\SOFTWARE\Duo Device Health
tosystem_info.txt
in zip file. -
Copies certificates associated with the loopback adapter (127.0.0.1).
-
Optional: Export System Event logs to zip file.
-
Saves the zip file to the signed-in user’s Desktop in the format
Duo_Desktop_Support_year-month-day-time.zip
orDHA_Support_year-month-day-time.zip
.
Running the Support Tool
-
Open an administrative PowerShell command-line session on the system where Duo Desktop is installed.
-
Reproduce the Duo issue you are experiencing.
-
Run the following script to export the logs. In this example, system event logs from the last two days are exported.
Duo Desktop:
& 'C:\Program Files (x86)\Duo Desktop\DuoDesktop-Support.ps1' -eventlogs system -days 2
Duo Device Health:
& 'C:\Program Files (x86)\Duo Device Health\DeviceHealth-Support.ps1' -eventlogs system -days 2
Additional PowerShell command options
Setting | Description |
---|---|
-eventlogs | Exports System logs. Options: system |
-days | Defines a selected number of days to export from Security event logs. |
-user | Specify the username for whom to gather logs. This is necessary if PowerShell is run with administrative privileges and the admin username is different than the affected user. |
Get-Help | Displays a help message. Note: This is a built-in PowerShell cmdlet and must be called before the script.
|