To enable SSO on macOS devices, so that users can log in with their Entra credentials and also with phishing-resistant multi-factor authentication backed by the Secure Enclave, Platform SSO must be implemented. Previously, three separate tools provided similar functionality: Domain Join, the Microsoft Enterprise SSO plug-in, and Kerberos SSO. Platform SSO combines them into a single deployment and is Microsoft's preferred and recommended option.
For instructions on how to deploy Cloud Kerberos Trust to access local file shares without a password, see whfb-cloud-kerberos-trust.
Microsoft recommends using Secure Enclave as the authentication method when configuring Platform SSO.
MS Documentation: https://learn.microsoft.com/mem/intune/configuration/platform-sso-macos
Create the Extensible Single Sign On (SSO) Intune Settings Catalogue Policy
Enter these values and deploy the policy to the desired devices
The user will be prompted to log in with their Entra credentials and MFA in order to enable Platform SSO and join the device to Entra.
To enable SSO on non-Microsoft apps, select "Extension Data" in the settings picker.
In Extension Data, add the following keys and values:
You can get the app's full name (its bundle identifier) in the Intune portal, or run this command in a Terminal on your Mac:
osascript -e 'id of app "Your app name here"'
browser_sso_interaction_enabled
Type: Integer
Value: 1
disable_explicit_app_prompt
Type: Integer
Value: 1
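As an added example (not from the page, and not Microsoft's or Apple's own code), the following Python audit parses an Extensible SSO configuration profile and checks the two things this page cares about: the authentication method is Secure Enclave (Apple's UserSecureEnclaveKey value in the PlatformSSO dictionary) and both Extension Data keys are present as the integer 1 rather than the string "1", which is a common mistake when the type is set wrongly in the policy. The profiles are constructed inline for the demonstration; the payload, extension and team identifiers are placeholders, not the real values of the Company Portal broker.

```python
import plistlib

# The two Extension Data keys the page lists, with their expected integer values.
REQUIRED_EXTENSION_DATA = {
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}
# Apple's AuthenticationMethod value for Secure Enclave-backed Platform SSO.
SECURE_ENCLAVE_METHOD = "UserSecureEnclaveKey"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"


def build_profile(auth_method, browser_sso, explicit_prompt):
    """Build a constructed (minimal) Extensible SSO profile as plist bytes.

    Identifiers below are placeholders, not the real broker values.
    """
    payload = {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.platform-sso",      # placeholder
        "ExtensionIdentifier": "com.example.sso-extension",   # placeholder
        "TeamIdentifier": "PLACEHOLDER",                      # placeholder
        "Type": "Redirect",
        "PlatformSSO": {"AuthenticationMethod": auth_method},
        "ExtensionData": {
            "browser_sso_interaction_enabled": browser_sso,
            "disable_explicit_app_prompt": explicit_prompt,
        },
    }
    return plistlib.dumps({"PayloadContent": [payload], "PayloadVersion": 1})


def audit_platform_sso(profile_bytes):
    """Return a list of findings for a profile; an empty list means it passes."""
    findings = []
    root = plistlib.loads(profile_bytes)
    payloads = [
        p for p in root.get("PayloadContent", [])
        if p.get("PayloadType") == SSO_PAYLOAD_TYPE
    ]
    if not payloads:
        return ["no Extensible SSO payload found"]
    for p in payloads:
        method = p.get("PlatformSSO", {}).get("AuthenticationMethod")
        if method != SECURE_ENCLAVE_METHOD:
            findings.append(
                f"AuthenticationMethod is {method!r}, expected {SECURE_ENCLAVE_METHOD!r}"
            )
        ext = p.get("ExtensionData", {})
        for key, expected in REQUIRED_EXTENSION_DATA.items():
            if key not in ext:
                findings.append(f"ExtensionData missing {key}")
            # type(...) is int deliberately rejects bool and str values
            elif type(ext[key]) is not int or ext[key] != expected:
                findings.append(
                    f"ExtensionData {key} must be integer {expected}, got {ext[key]!r}"
                )
    return findings


# Constructed sample profiles: one correct, one using the password method,
# one with the Extension Data values typed as strings instead of integers.
GOOD_PROFILE = build_profile(SECURE_ENCLAVE_METHOD, 1, 1)
PASSWORD_METHOD_PROFILE = build_profile("Password", 1, 1)
STRING_VALUES_PROFILE = build_profile(SECURE_ENCLAVE_METHOD, "1", "1")

if __name__ == "__main__":
    samples = [
        ("good", GOOD_PROFILE),
        ("password method", PASSWORD_METHOD_PROFILE),
        ("string values", STRING_VALUES_PROFILE),
    ]
    for name, prof in samples:
        print(f"{name}: {audit_platform_sso(prof) or 'OK'}")
```

On a Mac you can feed an exported copy of the installed profile to audit_platform_sso instead of the constructed samples; the type check matters because a value stored as the string "1" looks identical in the portal but is not what the plug-in expects.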
To enforce Secure Enclave as the MFA method, create a Conditional Access Policy and choose Windows Hello for Business as the authentication type; it includes Secure Enclave.
To log in with Secure Enclave, do not enter the email address at the Entra login page. Choose login options, then choose "Face, fingerprint, PIN or security key" to log in.
For the user to go passwordless, you would need to scramble the user's password in Entra or AD to a strong, unknown value: a passkey is an alternative login method, and an attacker who knows the password could still use it to log in instead.
To verify that Platform SSO has been deployed successfully on a device, enter app-sso platform -s into a Terminal on the Mac; you should see an SSO Token.
Note: The Microsoft Intune Company Portal app functions as the authentication broker. If the app stops working, the authentication breaks.