
Microsoft Enterprise Platform Single Sign-on for macOS

What

With Platform Single Sign-on (Platform SSO), we can utilize SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). In this case, we are combining what is provided here: Microsoft Enterprise S... | FileWave KB with Platform Single Sign-on for macOS - Apple Support. After this configuration the local account password is automatically kept in sync, so the cloud password and the local password will match. Users will also still be able to unlock their Mac with Touch ID and Apple Watch. The end result allows the user to log in with their Entra ID and password, or with their local account username and their synced Entra ID password.


When/Why

An administrator who is managing a fleet of MacBooks may want to use this for another level of security, or to take advantage of the full SSO integration that macOS now offers. You get the same benefits as listed in: Microsoft Enterprise S... | FileWave KB, with the added layer of syncing the local account with your identity provider account.

How

Below are the requirements and the configuration creation steps for deployment.

Platform SSO Requirements:

  • macOS 13 or later

  • A mobile device management (MDM) solution that supports the Extensible Single Sign-on payload, including support for Platform SSO (in our case the Mac is enrolled in FileWave via DEP or User Approved enrollment).

  • Support from the IdP for the Platform SSO authentication protocol

  • One of two supported authentication methods:

    • Authentication with a Secure Enclave–backed key: With this method, a user who logs in to their Mac can use a Secure Enclave–backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.

    • Password authentication: With this method, a user authenticates with a local password or an IdP password.

Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.
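As an added example (not from this article, FileWave or Apple), here is a small Python check that reads an Extensible Single Sign-on configuration profile and verifies the Platform SSO requirements listed above: the payload type, the extension and team identifiers the login window needs, and one of the two authentication methods. The sample profile is constructed here; the Microsoft extension identifier, team identifier and login URL are assumed values taken from Microsoft's published documentation, not from this page.

```python
import plistlib

# Constructed sample: an Extensible SSO profile as an MDM such as FileWave would push.
# ExtensionIdentifier, TeamIdentifier and the URL are assumed (Microsoft's published values).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
    <key>TeamIdentifier</key><string>UBF8T346G9</string>
    <key>Type</key><string>Redirect</string>
    <key>URLs</key><array><string>https://login.microsoftonline.com</string></array>
    <key>PlatformSSO</key><dict>
      <key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
      <key>UseSharedDeviceKeys</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""

# The two authentication methods this article lists for Platform SSO.
SUPPORTED_METHODS = {"UserSecureEnclaveKey", "Password"}


def check_platform_sso(profile_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means the profile meets the requirements."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    sso = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not sso:
        return ["no Extensible SSO payload (com.apple.extensiblesso) in profile"]
    payload = sso[0]
    for key in ("ExtensionIdentifier", "TeamIdentifier"):
        if not payload.get(key):
            findings.append(f"missing {key}: the login window cannot load the SSO extension")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for an IdP-based extension")
    psso = payload.get("PlatformSSO")
    if not isinstance(psso, dict):
        # Without this dictionary the extension only serves apps; the local password will not sync.
        findings.append("no PlatformSSO dictionary: this is a plain SSO extension, so the local password will not sync")
        return findings
    method = psso.get("AuthenticationMethod")
    if method not in SUPPORTED_METHODS:
        findings.append(f"AuthenticationMethod {method!r} is not one of {sorted(SUPPORTED_METHODS)}")
    return findings


def strip_platform_sso(profile_bytes: bytes) -> bytes:
    """Constructed counter-example: the same profile with the PlatformSSO dictionary removed."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        payload.pop("PlatformSSO", None)
    return plistlib.dumps(profile)
```

Run the check against an exported .mobileconfig before assigning it to a fileset; a non-empty list means the Mac will enroll but the login window will not register with the IdP as described above.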

