Page tree
Skip to end of metadata
Go to start of metadata

The Moonshot Client for macOS is the macOS implementation of the Moonshot Identity Manager and the Moonshot mechanism in one package. When installed, it allows many macOS applications to make use of Moonshot for authentication with few, or no, modifications.

There is only one version of the macOS client that is compatible with the currently supported macOS platforms.


Known Issues

  • The Moonshot Identity Manager ( is currently not signed with Apple production certificates. This is by design to allow the application to operate outside the macOS sandbox.

1. System Preparation

1.1. Get the macOS Client

Download the macOS client here:

2. Install the macOS Client

Once you have the macOS client, installation is simply a matter of opening the downloaded DMG archive, and double-clicking the installer to launch it.

You will be launched into the install wizard for the Moonshot macOS Client:

Before the macOS Client installation proceeds, you will be warned that the software requires a reboot before it is functional.

Because we are installing a system daemon, you really do need to restart the system for Moonshot to work.


If necessary, you will be prompted to enter a password for a user that has privileges to install software on this computer. It may be your own username.


3. Identity Selection

Users will use the Moonshot Identity Manager to select identities when prompted.

You can also read the Moonshot Identity Manager guide.

4. Next Steps

You now have all of the necessary Moonshot GSS-EAP libraries and configuration for the application/service on your machine to use Moonshot. The next step is to install/configure that application/service as necessary.

5. Issues

Newer versions of macOS feature the so-called App Sandbox, which Apple uses to try to make macOS more secure against system breaches. The side effect is that all Unix applications resident in /usr/bin, notably OpenSSH Client and curl, will not load the Moonshot GSS-EAP mechanism when resident there. To 'derestrict' the application, use the sudo command to copy the application from /usr/bin to /usr/local/bin (and creating that directory where necessary), and adjusting the /etc/paths file to load applications from /usr/local/bin first.