AuthLite Interactive Documentation
FEATURES: What can AuthLite Do? TOKEN TYPES: What "Factors" are supported? INSTALL: How and where to install AuthLite? CONFIGURE AuthLite for your needs CHOOSE USERS: Choose 2-factor Users ENFORCE 2-factor Logons ADMINISTER AuthLite Tokens LDAP logon support/enforcement VPN and RADIUS Configuration How to Log In Event Logging
MacOS install walkthrough
Please see this video for information on configuring an AD domain-joined MacOS system to authenticate AuthLite users with 2-factor at the logon screen.

Please note that unlike Windows workstations, this does not enforce 2-factor authentication for mobile accounts when the workstation is offline, nor for FileVault full disk encryption. At boot time, the FileVault logon will still just be the user's AD password. Also, when the machine is offline, the mobile account will allow logon with just the AD password as well.

When AuthLite is configured properly on the server side, the user will still require a 2-factor logon in order to obtain a Kerberos ticket and network logon credentials.