
macOS Platform Single Sign-On and You



Presented by: Sean Rabbit, Sr. Consulting Engineer, Identity and Access Management

Presented on: Friday Jan 10th, 2025



Apple’s Platform Single Sign-On is now supported by Microsoft Entra ID and Okta Identity Engine.  Learn more about how to deploy this feature with Jamf, dispel some common misconceptions on what PSSOe provides, and see how easy it is to deploy secure credentials with Jamf Pro.


  A Bit About Sean:


Sean is a noted expert in the field of management and security for Apple devices, focusing on helping organizations succeed in tying their identity stack to their security and management needs. He has received a patent for invented technologies, presented at multiple conferences, lectured at Penn State University, and served as an expert at multiple events and shows. In addition, Sean helped lead the creation of the sales strategy and technical training for the Jamf Connect identity product for macOS following the acquisition of Orchard and Grove by Jamf in 2019. In that short period of time, the software has been deployed to over 3.5 million devices worldwide, in seven different languages, by organizations ranging from Fortune 50 companies to K-12 and higher-ed labs. As an active member of the Mac Admin community, he is a trusted peer for security and management.



  LaunchPad Podcast


Watch the full LaunchPad episode on Apple Podcasts or Spotify, which includes:

  • Gravity Times, the latest Apple and Jamf tech news,

  • This month's feature guest presentation, and

  • Audience Q&A.









  Q&A


  1. Q: Management at my company directed me to look into PSSOe to resolve issues with Microsoft app logins, with users getting frequently logged out of their desktop apps. In your opinion, would this be useful for that, or are we chasing our tail?

     A: PSSOe and SSOe are both excellent ways to eliminate the constant re-authenticating. But be sure to check your Entra ID Conditional Access policies for any policies with a punishingly low sign-in frequency too. That is a way to really irritate end users and is generally incompatible with single sign-on extensions. Contact Microsoft support for more details on that.

  2. Q: What can Jamf Connect do that PSSOe can't? I'm thinking zero-touch workflows for account creation. Is there anything else?

     A: 100% true. You need a local user account to set up a machine for PSSO. So you'll need something to create that first account, like either macOS Setup Assistant or Jamf Connect. And, while the specification allows for group membership for privilege management, currently neither of the IdPs officially supports that. Consider making everyone a standard account, then use a tool like Jamf Connect or SAP-Privileges to elevate a user to admin.

  3. Q: Can PSSOe be pushed out with zero user involvement, or without them even noticing it?

     A: Nope. A user absolutely must interactively register the computer and the account to get PSSO to work.

  4. Q: Does Jamf see Platform SSO as a competitor to Jamf Connect?

     A: Not really. The tools do different things. And if you're using Microsoft Entra ID and the recommended Secure Enclave key authentication method, you can use Jamf Connect to keep the local account password in sync and still use the non-exportable, hardware-bound authentication method of PSSO to protect your cloud resources. Better together.

  5. Q: Can it work with Jamf Connect?

     A: See above. :)

  6. Q: When PSSO is deployed, what is the mechanism to restrict authentication to users in a specific Azure group?

     A: Either use Jamf Pro scoping to only deploy the configuration profiles to a specific group of users / machines, or use a Microsoft Entra ID Conditional Access policy to only allow strong authentication for specific users. (But why would you want to deny your users a secure, non-exportable, hardware-bound authentication method?)

  7. Q: Is PSSO intended to work exclusively with "cloud" identity providers, rather than on-prem?

     A: Yes. And no. You need a cloud identity provider, but you could use the PSSO configuration to obtain Kerberos tickets to access on-premises resources. See https://community.jamf.com/t5/jamf-pro/configure-kerberos-sso-for-microsoft-entra-platform-single-sign/m-p/323781#M278609 for more details.

  8. Q: How is PSSO different from or better than using the Single Sign-On Extension payload in Jamf Pro? That is what we are currently using.

     A: If you're using the Password authentication method, you get all the features of the SSO payload you're already using AND local account password sync. If you're using Secure Enclave key authentication, you are improving your security posture by using a non-exportable, hardware-bound authentication method to access Entra resources.

  9. Q: Is there any chance that Jamf Connect will one day work alongside PSSO, so that Jamf Connect will create the account and then leverage PSSO for future logins?

     A: Absolutely, and the time is now. You can use the current Jamf Connect zero-touch onboarding (https://www.jamf.com/blog/zero-touch-deployment-with-jamf-pro-and-jamf-connect/) to make a user account, Jamf Pro to report on PSSO registration status, and then use Jamf Pro to turn Jamf Connect on/off as needed.

  10. Q: What are the problems if you use separate SSO and Platform SSO profiles with Entra?

      A: You can only have one PSSO configuration per device. You can have multiple Redirect-type SSO configurations, but if they have the same hosts redirected, you will experience "unexpected results" (aka it's not gonna work). Two configurations enter, one frustrated user leaves.

  11. Q: When you use PSSO, does it support password change at the FileVault login screen? Like, if I change the password in the IdP, will it change at that login window?

      A: The answer is "an unlikely maybe." You can configure macOS 15 Sequoia to use FileVault with PSSO, but you must have a network connection, and that probability is limited.

  12. Q: When can I use my Azure admin group for admin functions on my Macs?

      A: The configuration profile allows for it, but it is not officially supported at this time. Contact Microsoft for more information.

  13. Q: We're trying to deploy PSSO alongside Jamf Connect. The first user is able to register, but any later user can't register with PSSO... What did I do wrong?

      A: First, deploy Jamf Connect to create the first user account. Second, register the computer by having that first user sign in and authenticate with PSSO. Third, disable Jamf Connect. Users should be allowed to create new accounts at the macOS login screen (NOT THE FILEVAULT SCREEN!) as long as Use Shared Key was enabled and you've configured PSSO to allow creating new user accounts.

  14. Q: I am currently in the process of getting ready to deploy PSSO to our environment. It's working flawlessly for new enrollments, fresh from Setup Assistant and SYM, but one thing I'm having problems with is migrating current users who are set up with KE and password syncing there. Do you have any advice or documentation on a good process for that, and/or a way to force the trigger for registration after the Company Portal app is installed?

      A: Macadmins Slack will provide: https://macadmins.slack.com/archives/C05BXC9EJDQ/p1732107667597959?thread_ts=1729873435.148069&cid=C05BXC9EJDQ

  15. Q: Any best recommendations for switching SSO profiles to Platform SSO profiles (specifically in Entra)?

      A: First, clone the SSOe profile. Second, add the additional keys for PSSO to the cloned profile. Adjust the scope so only ONE profile hits a machine (either SSOe or PSSO, never both).

  16. Q: Could you clarify the differences between Okta Desktop MFA and Platform SSO on macOS?

      A: Okta Desktop MFA is an application that is added to the loginwindow process, much like Jamf Connect. It tosses a screen up as part of the login that requires a user to authenticate with Okta before the user session will start. It can be used in conjunction with Platform Single Sign-On or separately. It basically adds an MFA requirement to login to the Mac.

  17. Q: To log in locally to the computer after setting up PSSO, will said machine need to be on a network?

      A: It depends. You can configure PSSO to always require a network connection, or you can leave that option undefined, or you can allow for a "grace period" before network authentication is required.
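To tie together the shared-key / new-user answer, the "clone the SSOe profile and add the PSSO keys" answer and the network-policy answer above, here is an added example of what that cloned payload can look like; it is not a profile from the session. The extension identifier, team ID and URLs are Microsoft's published values for the Entra SSO extension; the payload identification keys (PayloadUUID, PayloadIdentifier) are omitted because the MDM adds them; the policy choices and the one-hour grace period are assumptions picked to illustrate the options the answer describes.

```xml
<!-- Extensible SSO payload (com.apple.extensiblesso). Everything above the
     PlatformSSO key is what an existing Entra SSOe profile already carries. -->
<dict>
    <key>PayloadType</key>
    <string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key>
    <string>com.microsoft.CompanyPortalMac.ssoextension</string>
    <key>TeamIdentifier</key>
    <string>UBF8T346G9</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://login.microsoftonline.com</string>
        <string>https://login.microsoft.com</string>
        <string>https://sts.windows.net</string>
    </array>
    <!-- PlatformSSO dictionary: the "additional keys" added to the cloned profile.
         Only one profile carrying this dictionary may be scoped to a device. -->
    <key>PlatformSSO</key>
    <dict>
        <!-- Hardware-bound, non-exportable credential instead of a password -->
        <key>AuthenticationMethod</key>
        <string>UserSecureEnclaveKey</string>
        <!-- "Use Shared Key": lets users other than the registering user sign in -->
        <key>UseSharedDeviceKeys</key>
        <true/>
        <!-- Allow new local accounts at the macOS login window (not FileVault) -->
        <key>EnableCreateUserAtLogin</key>
        <true/>
        <!-- Standard accounts for everyone; group-based admin is not yet supported -->
        <key>NewUserAuthorizationMode</key>
        <string>Standard</string>
        <key>UserAuthorizationMode</key>
        <string>Standard</string>
        <!-- Map Entra token claims to the local account (Microsoft's documented mapping) -->
        <key>TokenToUserMapping</key>
        <dict>
            <key>AccountName</key>
            <string>preferred_username</string>
            <key>FullName</key>
            <string>name</string>
        </dict>
        <!-- macOS 15 network policy: offline grace period rather than always-online.
             Omitting LoginPolicy leaves the behaviour undefined, as the answer notes.
             3600 seconds (one hour) is an assumed value. -->
        <key>LoginPolicy</key>
        <string>AllowOfflineGracePeriod</string>
        <key>OfflineGracePeriod</key>
        <integer>3600</integer>
    </dict>
</dict>
```

Switching AuthenticationMethod to Password gives the password-sync behaviour described in the earlier answer about the SSO payload; the rest of the dictionary is unchanged.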


  18. Q: Has there been any info from Entra on using the groups option for authorization requests and admin rights at account creation?

      A: I do not work for Microsoft and don't want to speak for them and get it wrong. I'd contact Microsoft support for information about this preview feature.

  19. Q: Do we mere mortals know about a timeline for Google to support PSSO?

      A: They currently have no public plans announced for any sort of support for PSSO with Google as an identity provider. Google Chrome, however, does have functionality to take advantage of Microsoft SSOe. Keep an eye out for future updates.

  20. Q: We already have device compliance and Macs are registered in Azure AD. Will enabling PSSO re-register the devices in AAD, creating duplicates?

      A: You will see a new device object in Microsoft Entra with the type "Microsoft Entra joined" instead of "Microsoft Entra registered". Jamf Pro 11.8 and greater will update compliance status on this new object automagically.

  21. Q: Are there any specific procedures for migrating Macs to PSSO that are LDAP/AD bound? Or is a factory reset required?

      A: There are tools and scripts available to "demobilize" the user account to become a standard local user. Run that tool first, then un-bind the Mac from AD. Once that is complete, PSSO can be deployed.

  22. Q: Since the world is never simple, is it possible to configure PSSOe to also get Kerberos tickets?

      A: With Microsoft Entra ID, yes. https://community.jamf.com/t5/jamf-pro/configure-kerberos-sso-for-microsoft-entra-platform-single-sign/m-p/323781#M278609

  23. Q: In order to deploy PSSOe on Macs, can we just modify the Extensible Single Sign-On profile and enable PSSOe in the same configuration profile?

      A: Please refer to Question 15.

  24. Q: Hi Sean, long time no chat. Do you happen to know if there is a way to set the Company Portal as a password provider via a profile?

      A: I believe this question is in regards to being an app used by AutoFill & Passwords in Safari. This can't be programmatically set at this time, but it's EXCELLENT feedback to send to Apple, as there are definitely organizational needs for that.

  25. Q: Can we create a user account with the help of PSSOe like we do with Jamf Connect?

      A: Yes, but only after the device is registered with PSSO and the configuration profile enables the ability to create new users.

  26. Q: Been testing Secure Enclave registrations. It seemed to work well for a couple of weeks, but now I'm being asked daily to register the device, and each time it creates a new device in the MS Entra portal. I now have 5 duplicates of this device in the Entra portal.

      I presume this is a bug? Any way to reduce / mitigate this?

      A: Remember the world of different support options we talked about in the session? This is one where getting Jamf and Microsoft on the case is a good idea. The PSSO part is probably not the root cause, but Microsoft support will probably want you to look at Conditional Access policies with a sign-in frequency set.

  27. Q: Okta announced Just-In-Time local account creation in their release notes today. Is this a part of PSSO?

      A: Yes!

  28. Q: Do the entries added by Jamf Connect in Directory Utility need to be removed before deploying PSSO?

      A: Nope!

  29. Q: We have AD-bound Macs, and are looking to move away from that. Will we need to delete them from AD to enroll in PSSO?

      A: Please refer to Question 22.

