Microsoft Enterprise Platform Single Sign-on for macOS

What

With Platform Single Sign-on (Platform SSO), we can use SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). In this case, we are combining what is provided here: Microsoft Enterprise S... | FileWave KB with Platform Single Sign-on for macOS - Apple Support. After this configuration the local account password is automatically kept in sync, so the cloud password and the local password will match. Users will also still be able to unlock their Mac with Touch ID and Apple Watch. The end result allows the user to log in with their Entra ID and password, or with their local account username and the synced Entra ID password.


When/Why

An Administrator who is managing a fleet of MacBooks may want to use this for another level of security or for taking advantage of the full integration that macOS now offers with SSO. You are offered the same benefits as listed in: Microsoft Enterprise S... | FileWave KB except with the added layer of further syncing the local account with your identity provider account.

How

Below are the requirements and the steps for creating the configuration for deployment.

Platform SSO Requirements:

Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.

WS-Trust federation

WS-Trust federation is supported in macOS 13.3 or later. This allows Platform SSO to successfully authenticate users when their account is managed by an IdP federated with Microsoft Entra ID.

Deployment:

Here is an example Profile Fileset ready to deploy in your environment with the default configuration:

[Screenshot: example Profile Fileset with the default Platform SSO configuration]

Please Note: On macOS devices, Apple requires the Company Portal app be installed. Users don't need to use or configure the Company Portal app, it just needs to be installed on the device.
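The Fileset above is only shown as a screenshot, so the following is an added example, not FileWave's or Microsoft's own code, of building and sanity-checking the underlying Extensible SSO configuration profile for the password-sync variant described in this article. The extension identifier, team identifier, IdP URLs and ExtensionData keys are taken from Microsoft's public Platform SSO documentation rather than from this page and should be verified against the current Microsoft docs; the `com.example` payload identifiers, the organization name and the file name are placeholders. The validation step checks the properties a reviewer would look for before deploying: the profile is device-scoped, it targets the Company Portal SSO extension, every IdP URL is HTTPS, and the authentication method is one that Platform SSO defines.

```python
# Added example (not FileWave's or Microsoft's code): build the Extensible SSO
# profile that enables Microsoft Platform SSO with local password sync, and
# validate it before handing it to the MDM.
import plistlib
import uuid

# Identifiers for Microsoft's SSO extension, taken from Microsoft's public
# Platform SSO documentation (not from this article); verify before use.
MS_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
MS_IDP_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]

# Authentication methods Apple defines for the PlatformSSO dictionary.
# "Password" is the one that keeps the local password in sync with Entra ID.
PLATFORM_SSO_AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}


def build_platform_sso_profile(org="Example Org", auth_method="Password"):
    """Return the profile as a dict in the structure plistlib serialises."""
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.platformsso.extensiblesso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Microsoft Platform SSO",
        "ExtensionIdentifier": MS_EXTENSION_ID,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(MS_IDP_URLS),
        # Extension-specific settings Microsoft documents for Company Portal.
        "ExtensionData": {
            "AppPrefixAllowList": "com.microsoft.,com.apple.",
            "browser_sso_interaction_enabled": 1,
            "disable_explicit_app_prompt": 1,
        },
        "PlatformSSO": {
            "AuthenticationMethod": auth_method,
            "UseSharedDeviceKeys": True,
            # Claim-to-local-account mapping; the claim names follow Microsoft's
            # documented recommendation and are an assumption here.
            "TokenToUserMapping": {
                "AccountName": "preferred_username",
                "FullName": "name",
            },
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # Platform SSO is delivered on the device channel
        "PayloadIdentifier": "com.example.platformsso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Microsoft Platform SSO (password sync)",
        "PayloadOrganization": org,
        "PayloadContent": [sso_payload],
    }


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile passed."""
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System for a Platform SSO profile")
    sso = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return problems + ["exactly one com.apple.extensiblesso payload expected"]
    p = sso[0]
    if p.get("ExtensionIdentifier") != MS_EXTENSION_ID or p.get("TeamIdentifier") != MS_TEAM_ID:
        problems.append("payload does not target the Company Portal SSO extension")
    if p.get("Type") == "Redirect":
        for url in p.get("URLs", []):
            if not url.startswith("https://"):
                problems.append(f"non-HTTPS IdP URL: {url}")
    method = p.get("PlatformSSO", {}).get("AuthenticationMethod")
    if method not in PLATFORM_SSO_AUTH_METHODS:
        problems.append(f"unknown AuthenticationMethod: {method!r}")
    return problems


def write_mobileconfig(path, profile):
    """Serialise the profile to an XML plist the MDM can import."""
    with open(path, "wb") as fh:
        fh.write(plistlib.dumps(profile))


if __name__ == "__main__":
    prof = build_platform_sso_profile()
    issues = validate_profile(prof)
    if issues:
        raise SystemExit("\n".join(issues))
    write_mobileconfig("PlatformSSO-Microsoft.mobileconfig", prof)  # placeholder name
    print("wrote PlatformSSO-Microsoft.mobileconfig")
```

The generated `.mobileconfig` is what you would import into the Profile Fileset; because the profile only references the Company Portal extension, the check in `validate_profile` does not replace the requirement above that Company Portal itself is installed on the device.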

End-user Interaction required:

After successful deployment, in the notifications area of the user's device, they should be presented with a message:

[Screenshots: the registration notification, followed by the sign-in and registration steps]

After signing in and registering, go to System Settings > Users & Groups and click the 'i' next to your username; the new settings shown there confirm that registration succeeded: