With the latest announcement from Microsoft (6th of May), Platform SSO for macOS is in public preview, and with it Entra Join for macOS. This brings a ton of new possibilities for managing macOS devices with Intune, ranging from synchronizing the user's Entra ID password with the local account on the device to new security options in Conditional Access and SSO features for third-party applications like Google Chrome.
Announcement from Microsoft: Platform SSO for macOS now in public preview - Microsoft Community Hub
Table of Contents
- Prerequisites
- Configure Platform SSO
- User Perspective: Transition to Platform SSO
- Admin Perspective: Transition to Platform SSO
Prerequisites
There are a few things that need to be in place before you can start using Platform SSO:
- Company Portal version 5.2404.0 or newer
- Enterprise SSO plug-in configured
- macOS 13 (Ventura) or later; macOS 14 (Sonoma) is recommended
Company Portal
For the Company Portal, my preferred method on managed devices is to deploy it via the script Microsoft provides on GitHub. That way you don't have to keep updating a LOB application in Intune:
shell-intune-samples/macOS/Apps/Company Portal
Once the Company Portal is installed, it will auto-update through the integrated Microsoft AutoUpdate (MAU).
Enterprise SSO Plug-in
For the Enterprise SSO plug-in, the correct configuration is very important: if you still have the classic Enterprise SSO plug-in configuration assigned, you will get assignment error 10002 in Intune.
I will show you how to configure it the right way in the next section.
Here are some more details about that error: Intune Assignment Error 10002: Platform SSO | scloud
Configure Platform SSO
For your configuration, and especially for the authentication of users, you have multiple options: Secure Enclave, Password, or Smart card.
With the Secure Enclave method you get a device-bound, passwordless authentication similar to the experience users have on Windows with Windows Hello for Business. This is the recommended way of setting PSSO up, since it is more secure thanks to its phishing resistance.
If you decide to use the Password method, the Entra ID password of the user will be synchronized with the local account on the macOS device.
Smart card authentication is considered passwordless as well and uses the certificate on the card and its PIN for the authentication. As with the Secure Enclave method, the local password remains untouched by Intune. (A smart card can also be a FIDO2 token.)
Note: The Smart card option only works with macOS 14+.
I prefer, and will focus on, the Intune Platform SSO configuration with the Secure Enclave method. To set it up, I started by creating a new Settings catalog profile in Intune. To do so, follow these steps:
- Navigate to Intune > Devices > macOS > Configuration profiles and hit Create/New Policy
- Choose the Settings catalog profile type and click Create.
- In the Basic settings, define a name and an optional description.
- Now you have to set PSSO up. You can use the following settings:
| Setting | Value |
|---|---|
| Extensible Single Sign On (SSO) | https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login.partner.microsoftonline.cn, https://login.chinacloudapi.cn, https://login.microsoftonline.us, https://login-us.microsoftonline.com |
| Team Identifier | UBF8T346G9 |
| Screen Locked Behavior | Do Not Handle |
| Registration token | {{DEVICEREGISTRATION}} |
| Platform SSO/Authentication Method | UserSecureEnclaveKey |
| Platform SSO/Use Shared Device Keys | Enabled |
| Authentication Method (Deprecated) (only for macOS 13) | UserSecureEnclaveKey |
| Extension Identifier | com.microsoft.CompanyPortalMac.ssoextension |
| Type | Redirect |
- After configuring these settings click Next and define a scope tag if needed.
- In the Assignment tab assign the configuration to the user or device group of your choice.
- To finish, click Create.
If you hate to add those settings as much as I do, you can use this JSON for an import into your environment:
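As an added example (my own code, not the JSON export referred to above and not anything from Microsoft), the following builds the Apple Extensible SSO payload that corresponds to the settings in the table, and lints a payload for the typical mistakes: a leftover classic SSO plug-in profile without a registration token, a wrong extension type, or the Password method. The Apple payload keys (`com.apple.extensiblesso`, `RegistrationToken`, `PlatformSSO`, `UseSharedDeviceKeys`) are Apple's documented keys; that Intune emits exactly this structure from the Settings catalog is my assumption, as is the placeholder `PayloadIdentifier`.

```python
import uuid

# Constructed example (not the post's JSON export): Apple com.apple.extensiblesso payload matching the table above.
SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
METHODS = ("UserSecureEnclaveKey", "Password", "SmartCard")

def build_psso_payload(method="UserSecureEnclaveKey", macos_major=14):
    """Return the Extensible SSO payload dict for Platform SSO via Company Portal."""
    if method not in METHODS:
        raise ValueError(f"unknown authentication method: {method}")
    if method == "SmartCard" and macos_major < 14:
        raise ValueError("SmartCard requires macOS 14 or later")
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.psso",  # placeholder, pick your own
        "PayloadUUID": str(uuid.uuid4()),
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "TeamIdentifier": "UBF8T346G9",
        "Type": "Redirect",
        "URLs": SSO_URLS,
        "ScreenLockedBehavior": "DoNotHandle",
        "RegistrationToken": "{{DEVICEREGISTRATION}}",  # Intune fills this in
        "PlatformSSO": {"AuthenticationMethod": method, "UseSharedDeviceKeys": True},
    }
    if macos_major == 13:  # Ventura only reads the deprecated top-level key
        payload["AuthenticationMethod"] = method
    return payload

def lint_payload(payload):
    """Flag values that stop Platform SSO from working or weaken it."""
    findings = []
    if "RegistrationToken" not in payload:
        findings.append("no RegistrationToken: classic SSO plug-in profile, no Entra Join")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for the Company Portal extension")
    psso = payload.get("PlatformSSO") or {}
    if psso.get("AuthenticationMethod") not in METHODS:
        findings.append("PlatformSSO/AuthenticationMethod missing or invalid")
    elif psso["AuthenticationMethod"] == "Password":
        findings.append("Password method syncs the Entra password to the local account")
    return findings
```

Run `lint_payload` against a profile you export from a device (`plistlib.load` on the payload dict) to see whether it is still the classic plug-in configuration that triggers error 10002.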
User Perspective: Transition to Platform SSO
If the user onboarded their device before the Platform SSO configuration was assigned, they will get a prompt to update their configuration and perform the Entra Join process. This takes only a minute and is very easy to do. If the user cancels this process, a prompt will ask them to perform it again later.
As soon as the new configuration arrives on the device, the user will get the following notification on their device:
Once they click on it, they need to provide the local password of their device:
After providing the local password they will be prompted to sign in with their Entra ID account and perform MFA.
After both logins, the device will be joined to Entra and PSSO will be set up.
If you use the Secure Enclave method (which I would suggest), the user might have to allow the Company Portal to act as a key provider.
After those steps users are all set up and will use Platform SSO in the future.
Admin Perspective: Transition to Platform SSO
As an administrator you won't notice a lot in Intune. But there is one major change regarding the Join Type of the device. Previously, Intune-managed macOS devices were only "Microsoft Entra registered"; once configured for Platform SSO, the join type is "Microsoft Entra joined".