With Microsoft's announcement of 6 May, Platform SSO for macOS is in public preview, and with it Entra Join for macOS. This brings a lot of new possibilities for managing macOS devices with Intune: synchronizing the user's Entra ID password with the local account on the device, new security options in Conditional Access, and SSO for third-party applications such as Google Chrome.

Announcement from Microsoft: Platform SSO for macOS now in public preview - Microsoft Community Hub


Prerequisites

There are a few things which need to be in place before you can start using Platform SSO:

  • Company Portal version 5.2404.0 or newer
  • Enterprise SSO plug-in configured
  • macOS 13 (Ventura) or later
    macOS 14 (Sonoma) is recommended

Company Portal

For the Company Portal, my preferred method for managed devices is to deploy it via the script Microsoft provides on GitHub. That way you don't have to keep updating a LOB application in Intune:
shell-intune-samples/macOS/Apps/Company Portal
Once the Company Portal is installed, it auto-updates through the integrated Microsoft AutoUpdate (MAU).

Enterprise SSO Plug-in

For the Enterprise SSO plug-in, the correct configuration is very important: if you still have the classic Enterprise SSO plug-in configuration assigned, you will get assignment error 10002 in Intune.
I will show you how to configure it the right way in the next section.

Configure Platform SSO

For your configuration, and especially for the authentication of users, you have multiple options: Secure Enclave, Password, or Smart card.

With the Secure Enclave method you get device-bound, passwordless authentication, similar to the experience users have on Windows with Windows Hello for Business. This is the recommended way of setting PSSO up, since it is more secure thanks to its phishing resistance.

If you decide to use the Password method the Entra ID password of the user will be synchronized with the local account on the macOS device.

Smart card authentication is considered passwordless as well; it uses the certificate on the card and its PIN for authentication. As with the Secure Enclave method, the local password remains untouched by Intune. (A smart card can also be a FIDO2 token.)
Note: This option only works with macOS 14+.

I prefer and will focus on the Intune Platform SSO configuration with the Secure Enclave method. To set it up, I started by creating a new Settings catalog profile in Intune. To do so follow these steps:

  • Navigate to Intune > Devices > macOS > Configuration profiles and hit Create/New Policy
Intune add new macOS policy
  • Choose the Settings catalog profile type and click Create.
  • In the Basic settings, define a name and an optional description.
Intune setup PSSO profile
  • Now you have to set PSSO up. You can use the following settings:
Setting                                    Value
Extensible Single Sign On (SSO)            https://login.microsoftonline.com
                                           https://login.microsoft.com
                                           https://sts.windows.net
                                           https://login.partner.microsoftonline.cn
                                           https://login.chinacloudapi.cn
                                           https://login.microsoftonline.us
                                           https://login-us.microsoftonline.com
Team Identifier                            UBF8T346G9
Screen Locked Behavior                     Do Not Handle
Registration token                         {{DEVICEREGISTRATION}}
Platform SSO/Authentication Method         UserSecureEnclaveKey
Platform SSO/Use Shared Device Keys        Enabled
Authentication Method (Deprecated)         UserSecureEnclaveKey
(only for macOS 13)
Extension Identifier                       com.microsoft.CompanyPortalMac.ssoextension
Type                                       Redirect
Intune Platform SSO settings catalog profile
  • After configuring these settings click Next and define a scope tag if needed.
  • In the Assignment tab assign the configuration to the user or device group of your choice.
  • To finish it click Create.
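Because the error 10002 mentioned above comes from a leftover classic Enterprise SSO plug-in configuration, it is useful to be able to tell the two shapes apart before assigning a profile. The following Python check is an added example, not code from the original post or from Microsoft: it parses a .mobileconfig (plist) and compares the Extensible SSO payload against the Secure Enclave values from the table above. It assumes Apple's documented key names for the com.apple.extensiblesso payload (ExtensionIdentifier, TeamIdentifier, Type, URLs, ScreenLockedBehavior, RegistrationToken, PlatformSSO); the two sample payloads and their identifiers are constructed inline.

```python
"""Check an Extensible SSO payload for the Platform SSO (Secure Enclave) values.

Added example: key names follow Apple's documented com.apple.extensiblesso
payload; the sample profiles below are constructed, not Intune exports.
"""
import plistlib

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"

# Values from the settings table (Secure Enclave method).
EXPECTED_KEYS = {
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9",
    "Type": "Redirect",
    "ScreenLockedBehavior": "DoNotHandle",
}
EXPECTED_URLS = {
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
}
EXPECTED_AUTH_METHOD = "UserSecureEnclaveKey"


def check_sso_payload(payload: dict) -> list[str]:
    """Return findings for one SSO payload; an empty list means it matches."""
    findings = []
    for key, want in EXPECTED_KEYS.items():
        got = payload.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")

    missing_urls = EXPECTED_URLS - set(payload.get("URLs", []))
    if missing_urls:
        findings.append("URLs missing: " + ", ".join(sorted(missing_urls)))

    if not payload.get("RegistrationToken"):
        findings.append("RegistrationToken missing (Intune fills {{DEVICEREGISTRATION}})")

    psso = payload.get("PlatformSSO")
    if not isinstance(psso, dict):
        if payload.get("AuthenticationMethod") == EXPECTED_AUTH_METHOD:
            findings.append("only the deprecated top-level AuthenticationMethod is set "
                            "(macOS 13 form); no PlatformSSO dictionary")
        else:
            findings.append("PlatformSSO dictionary missing: this looks like the classic "
                            "Enterprise SSO plug-in configuration")
        return findings
    if psso.get("AuthenticationMethod") != EXPECTED_AUTH_METHOD:
        findings.append(f"PlatformSSO/AuthenticationMethod: expected {EXPECTED_AUTH_METHOD!r}, "
                        f"got {psso.get('AuthenticationMethod')!r}")
    if psso.get("UseSharedDeviceKeys") is not True:
        findings.append("PlatformSSO/UseSharedDeviceKeys should be enabled")
    return findings


def check_profile(profile_bytes: bytes) -> list[str]:
    """Parse a .mobileconfig (plist) and check every Extensible SSO payload in it."""
    profile = plistlib.loads(profile_bytes)
    sso_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not sso_payloads:
        return [f"no {SSO_PAYLOAD_TYPE} payload in profile"]
    findings = []
    for payload in sso_payloads:
        findings.extend(check_sso_payload(payload))
    return findings


def build_profile(sso_payload: dict) -> bytes:
    """Wrap one payload in a minimal profile (constructed identifiers and UUIDs)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.psso.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [sso_payload],
    })


# Constructed sample payload matching the Secure Enclave settings.
PSSO_PAYLOAD = {
    "PayloadType": SSO_PAYLOAD_TYPE,
    "PayloadIdentifier": "example.psso.sso",
    "PayloadUUID": "00000000-0000-0000-0000-000000000002",
    "PayloadVersion": 1,
    "RegistrationToken": "{{DEVICEREGISTRATION}}",
    "URLs": sorted(EXPECTED_URLS),
    "PlatformSSO": {"AuthenticationMethod": EXPECTED_AUTH_METHOD,
                    "UseSharedDeviceKeys": True},
    **EXPECTED_KEYS,
}

# Constructed "classic" plug-in payload: no PlatformSSO dict, no registration token.
CLASSIC_PAYLOAD = {k: v for k, v in PSSO_PAYLOAD.items()
                   if k not in ("PlatformSSO", "RegistrationToken")}

if __name__ == "__main__":
    for name, payload in (("platform-sso", PSSO_PAYLOAD), ("classic", CLASSIC_PAYLOAD)):
        result = check_profile(build_profile(payload))
        print(f"{name}: {'OK' if not result else result}")
```

Run it against a real export by reading the file bytes into check_profile; the classic payload produces two findings (missing RegistrationToken, missing PlatformSSO dictionary), which is exactly the configuration that must be unassigned before the Platform SSO profile goes out.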

If you hate adding those settings by hand as much as I do, you can use this JSON to import the profile into your environment:

Import Platform SSO configuration in Intune

User Perspective: Transition to Platform SSO

If the user onboarded their device before the Platform SSO configuration was assigned, they will get a prompt to update their configuration and perform the Entra Join process. This takes only a minute and is very easy to do. If the user cancels this process, a prompt will ask them to perform it again later.

As soon as the new configuration arrives on the device, the user will get the following notification on their device:

macOS Platform SSO Registration prompt

Once they click on it, they need to provide the local password of their device:

After providing the local password, they will be prompted to sign in with their Entra ID account and perform MFA.

After both logins, the device will be joined to Entra and PSSO will be set up.

macOS performing Entra Join

If you use the Secure Enclave method (which I would suggest), the user might have to allow the Company Portal to act as a key provider.

After those steps users are all set up and will use Platform SSO in the future.

Admin Perspective: Transition to Platform SSO

As an administrator you won't notice much difference in Intune, but there is one major change regarding the Join Type of the device. Previously, Intune-managed macOS devices were only "Microsoft Entra registered"; once configured for Platform SSO, the join type is "Microsoft Entra joined".

macOS device with the classic Enterprise SSO Plug-in and Intune managed
macOS device with Platform SSO active and Intune managed