Configure macOS Platform SSO

Apple's Platform Single Sign-On (SSO) builds on the Extensible Single Sign-On MDM payload and extends the SSO experience for Apple device users on iPhone, iPad and Mac. On the Microsoft side it is implemented by the Enterprise SSO plug-in for Apple devices, a small component that ships with the Company Portal app on macOS and with Microsoft Authenticator on iOS and iPadOS. The plug-in hooks into the operating system's authentication subsystems whenever a supported application requests authentication.

Platform SSO changes how users authenticate to Apple devices. With this extension, users sign in to their Mac at the macOS login window with their Microsoft Entra ID credentials. After that initial login they are signed in to corporate applications and websites without further prompts.

With the password authentication method, Platform SSO synchronizes the local account password with the identity provider, so the cloud and local passwords stay identical. Users then have a single password to remember across all of their devices, and the authentication flow is simpler for that reason. (The Secure Enclave-backed key method, described below, leaves the local password untouched.) In either case, SSO to apps is enabled as soon as the user logs in to the system.

Two Robust Platform SSO Authentication Methods

Platform SSO offers support for two powerful authentication methods:

  • Password Authentication: the user authenticates with either a local or Identity Provider (IdP) password, and the local account password is kept in sync with the IdP password.
  • Secure Enclave-Backed Key Authentication: the user authenticates with a key protected by the Mac's Secure Enclave. SSO is established without changing the local account password, so the local password is never tied to the IdP; this is the stronger of the two options.

Apple announced Platform SSO at WWDC 2022. As of Q3 2023, Microsoft Intune supports the feature. It is currently in preview, which is nonetheless a substantial step toward a seamless authentication experience for managed Macs; general availability is planned for Q1 2024.

Prerequisites for Platform SSO

To leverage the benefits of Platform SSO for your Apple devices, there are some essential prerequisites to meet:

  • Intune device configuration policy.
  • macOS Ventura 13.0 or later
  • Company Portal app installed, version 5.2307.99 or later (preview release).

Configuration Steps

Configuring Platform SSO involves several steps:

Device Enrollment: Macs must be enrolled through Apple's Automated Device Enrollment.

Configuration in Intune Settings Catalog Profile: configure the Extensible SSO MDM payload with an Intune Settings Catalog profile. Specify the Authentication Method (Password or Secure Enclave-Backed Key), Registration Token, Extension Identifier, Screen Locked Behavior, Team Identifier, Type (Redirect) and the relevant URLs.

Configure the following settings:

  • Authentication Method: Password
  • Registration Token: {{DEVICEREGISTRATION}} (enter this variable exactly as shown; Intune replaces it with a per-device value when the profile is delivered)
  • Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
  • Screen Locked Behaviour: Do Not Handle
  • Team Identifier: UBF8T346G9
  • Type: Redirect
  • URLs:
    https://login.microsoftonline.com
    https://login.microsoft.com
    https://sts.windows.net
    https://login.partner.microsoftonline.cn
    https://login.chinacloudapi.cn
    https://login.microsoftonline.us
    https://login-us.microsoftonline.com

Assign the policy to the managed Mac devices.
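The Settings Catalog profile above is delivered to the Mac as an Extensible SSO payload; seeing the raw payload makes clear which Apple key each Intune setting maps to. The script below is an added example, not code from the original post or from Microsoft, and writes that payload as a .mobileconfig using the post's values. The payload identifiers and UUIDs are placeholders, the registration token is passed in as a parameter because only Intune can substitute {{DEVICEREGISTRATION}}, and the authentication method can be switched between the post's Password setting and UserSecureEnclaveKey to compare the two.

```shell
#!/bin/sh
# Added example: the Extensible SSO payload behind the Intune Settings
# Catalog profile described above, written as a raw .mobileconfig.
# Assumptions: PayloadIdentifier/PayloadUUID values are placeholders and
# the registration token is supplied by the caller.

# write_psso_profile OUTFILE AUTH_METHOD REGISTRATION_TOKEN
# AUTH_METHOD is Password (the post's setting) or UserSecureEnclaveKey.
write_psso_profile() {
    out="$1"; method="$2"; token="$3"
    case "$method" in
        Password|UserSecureEnclaveKey) ;;
        *) echo "unsupported AuthenticationMethod: $method" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>com.example.psso.extensiblesso</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <!-- Intune: Extension Identifier / Team Identifier / Type -->
      <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
      <key>TeamIdentifier</key><string>UBF8T346G9</string>
      <key>Type</key><string>Redirect</string>
      <!-- Intune: Screen Locked Behavior = Do Not Handle -->
      <key>ScreenLockedBehavior</key><string>DoNotHandle</string>
      <!-- Intune: Registration Token ({{DEVICEREGISTRATION}} in Intune) -->
      <key>RegistrationToken</key><string>$token</string>
      <!-- Intune: Authentication Method -->
      <key>PlatformSSO</key>
      <dict>
        <key>AuthenticationMethod</key><string>$method</string>
      </dict>
      <!-- Intune: URLs -->
      <key>URLs</key>
      <array>
        <string>https://login.microsoftonline.com</string>
        <string>https://login.microsoft.com</string>
        <string>https://sts.windows.net</string>
        <string>https://login.partner.microsoftonline.cn</string>
        <string>https://login.chinacloudapi.cn</string>
        <string>https://login.microsoftonline.us</string>
        <string>https://login-us.microsoftonline.com</string>
      </array>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.psso</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Platform SSO (Microsoft Entra ID)</string>
  <key>PayloadScope</key><string>System</string>
</dict>
</plist>
EOF
}

# Read back the AuthenticationMethod from a written profile, so a reviewer
# can confirm which of the two methods a profile actually enforces.
psso_profile_method() {
    sed -n 's/.*<key>AuthenticationMethod<\/key><string>\([A-Za-z]*\)<\/string>.*/\1/p' "$1"
}

# Usage: write_psso_profile platform-sso.mobileconfig Password "$TOKEN"
```

On a Mac, run plutil -lint on the written file before installing it; the script itself only writes and reads back the XML. Switching the second argument to UserSecureEnclaveKey is the only change needed to move from password synchronization to the Secure Enclave-backed method, which is why it is worth comparing the two profiles side by side.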

Verifying Device Registration: to confirm that the profile applied and the device registered with the identity provider, open Terminal on the Mac and run app-sso platform -s (the flag is a plain hyphen followed by s). The output reports the device, login and user configuration state; registration has completed only when both the device and the user sections say so, and the user section will not until the user has signed in at the login window.
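Reading the app-sso platform -s output by eye is fine on one machine, but on a fleet it is worth scripting. The check below is an added example, not code from the original post, and assumes the command prints "Device Configuration:", "Login Configuration:" and "User Configuration:" sections with a registrationCompleted = 1; line in a section once that registration is done. The sample output it runs against is constructed for the example.

```shell
#!/bin/sh
# Added example: summarise Platform SSO registration state from saved
# `app-sso platform -s` output. Assumption: the output has sections headed
# "Device Configuration:" / "Login Configuration:" / "User Configuration:"
# and each registered section contains "registrationCompleted = 1;".

# psso_registration_status FILE
# Prints "device=<0|1> user=<0|1>"; returns 0 only when both are 1.
psso_registration_status() {
    awk '
        /^Device Configuration:/ { section = "device"; next }
        /^Login Configuration:/  { section = "login";  next }
        /^User Configuration:/   { section = "user";   next }
        /registrationCompleted *= *1;/ {
            if (section == "device") dev = 1
            if (section == "user")   usr = 1
        }
        END {
            printf "device=%d user=%d\n", dev, usr
            if (dev && usr) exit 0
            exit 1
        }
    ' "$1"
}

# Live check on a managed Mac (needs macOS; not part of the offline test):
#   app-sso platform -s > /tmp/psso.txt && psso_registration_status /tmp/psso.txt

# Constructed sample: device registered, user not yet registered, which is
# what you see after the profile applies but before the user signs in at
# the login window.
write_sample_output() {
    cat > "$1" <<'EOF'
Device Configuration:
{
    registrationCompleted = 1;
}
Login Configuration:
{
}
User Configuration:
{
    registrationCompleted = 0;
}
EOF
}
```

The non-zero exit code is the useful part: a fleet-wide script can collect the output per device and flag any Mac where device registration succeeded but user registration never did, which usually means the user has only ever unlocked the Mac with the local password and has not gone through the login window since the profile arrived.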
