macOS Platform SSO with Workspace ONE UEM and Entra ID as Identity Provider

Introduction:

After the release of the Single Sign On Extension for macOS, last year at WWDC23 Apple Announced the improved version of this: Platform SSO for macOS.

https://support.apple.com/en-gb/guide/deployment/dep7bbb05313/web

Single Sign On Extension is used to integrate with your company's Identity Provider (IDP) and sync attributes without the need of a domain or local connectivity. Most common use case is to sync the users credentials and make sure the password keeps up to date. (from Active Directory or Entra ID for example)

From the last years release with Platform SSO and with macOS Sonoma (14), Apple added a couple more features:

1. User Enrollment and Registration Status in System Settings:

   • Users can register their device or user account for use with SSO directly in System Settings.
   • The menu it
     em displays current registration status and any errors, enhancing user transparency.
   • Provides users with clear feedback on the registration process and any necessary actions.

2. Local Account Creation by Users:

   • Facilitates account management in shared deployments by allowing users to create local accounts using IdP credentials.
   • Users can log into a Mac with FileVault unlocked and create a local account using their IdP user name and password or a smart card.
   • Requires completion of Setup Assistant, MDM enrollment with bootstrap tokens, and specific configuration settings.

3. Expanded Authorization Using IdP Credentials:

   • Allows users who don't have a local user account on the Mac to use their IdP credentials for authorization prompts.
   • Users can utilize IdP accounts for macOS administrator authorization prompts, based on group membership.
   • Enhances flexibility and usability by extending authorization capabilities to non-local users.

4. Dynamic Group Membership Updates:

• Updates group membership of users whenever they authenticate with their IdP.
• Granularly manages permissions of IdP users in macOS based on group membership.
• Three array keys available for defining group membership: AdministratorGroups, AuthorizationGroups, and AdditionalGroups.

This would allow an admin to configure everything from the console and integrate the macOS User accounts with their supported third party Identity Providers.

Requirements:

• macOS 13 or later
  
  Although macOS 13 is support features i would recommend starting support from macOS 14 and above.

• Intune Company Portal 2408+

• A mobile device management (Workspace ONE UEM) solution that supports the Extensible Single Sign-on payload which includes support for Platform SSO
  
  From the release of Workspace ONE UEM 23.06 these features are natively configurable within the console: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2306/rn/vmware-workspace-one-uem-2306-release-notes/index.html 

• Support from the IdP for the Platform SSO authentication protocol

Because it's a Identity Provider feature, the support from technology mainly has to come from the Identity Providers. Currently both Okta and Entra ID have announced support for the feature:

Okta

https://www.okta.com/blog/2023/07/desktop-password-sync-unlock-the-benefits-of-platform-sso-for-macos/

Entra ID

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/coming-soon-platform-sso-for-macos/ba-p/3902280

Workspace ONE Access

To use Workspace ONE Access with Platform SSO as an Identity Provider, this is still on the roadmap and we can expect this to be released later this year.

You can expect a new or updated blog post whenever that has been released.

• One of two supported authentication methods:

  • Authentication with a Secure Enclave–backed key: With this method, a user who logs in to their Mac can use a Secure Enclave–backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.

  • Password authentication: With this method, a user authenticates with a local password or an IdP password.

Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.

Configuration:

- Workspace ONE UEM 2306

- Intune Company Portal (2408+)

To configure this properly Apple has release the new features in payloads and you will need to configure this with an MDM solution like Workspace ONE UEM. In this setup i will integrate the SSO Extension with Entra ID:

Create a new device Profile in UEM and configure the SSO Extension:

Configure the following values:

Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension

Type: Redirect

Team Identifier: UBF8T346G9

URLs:

https://login.microsoftonline.com

https://login.microsoft.com

https://sts.windows.net

https://login.partner.microsoftonline.cn

https://login.chinacloudapi.cn

https://login.microsoftonline.de

https://login.microsoftonline.us

https://login-us.microsoftonline.com

If you scroll down in the profile you will have the 'new' Platform SSO settings (if not please let your EUC contact know so we can help you enable it) 

Authentication method:  To completely remove passwords, you can integrate with the Macs Secure Enclave, but also regular Passwords are supported. These settings are configurable separate for macOS 13 and macOS 14 (visible in the UEM console)

Registration token: You can leave this empty, is not required

Account display name: This is the display name that will show for example in the notification:

Groups: Can be configured to configure Groups to allow or not allow authorization in for example elevation on macOS Devices: 

Using nonlocal IdP user accounts at authorisation prompts: Platform SSO expands the use of IdP credentials to users who don’t have a local user account on the Mac for authorisation purposes. These accounts use the same groups as Group management. For example, if the user is a member of one of the administrator groups, the account can be used at macOS administrator authorisation prompts. This excludes any authorisation prompts that require secure token, ownership permissions or authentication by the currently logged in user.

(macOS 14 Features)

Enable Authorization: With this feature you can elevate authentication to allow Identity Provider account to authenticate on the Mac.

Create User at login: This would allow a user to be created when authenticated in the login window.

Account name: 

Under Entra ID in the Integrated SSO application you can see the Attributes used for SAML. I have used user.userprincipalname to integrate the UPN to the login screen.

Full name: user.displayname

User Authorization mode: Specify the authorization level of the account created on the device. This will keep up to date with authentication to the IDP.

New User Authorization mode: Specify the level of authorization of new users created.

Besides de profile, make sure you upload and push the Intune Company Portal in UEM:

That's it, no configuration for the Intune Portal needed, for now.

User Experience:

After the profile and application are installed on your Mac, this prompt should show:

This will ask the use to register with Entra ID with the Company Portal application. No need to open up the Company Portal application.

Next it will prompt the user to authenticate and sync the local password with the Entra ID user

After that the registration process starts, in this example i use password for authenticate. This can be much more seamless with passwordless authentication methods used:

After the registration is done, a last prompt is to validate the password. (Not needed if the password is already in sync and valid)

If you go to System Preferences - Accounts, You can see the Platform SSO is configured:

In terminal you can enter app-sso platform -s to see if all the config of the profile has been configured correctly:

Logout and login as a different user:

And you can see this new user is an Standard user: (configured in the profile)

Troubleshooting

A important troubleshooting method is the terminal command, like mentioned above: app-sso platform -s 

In Console Utility filter on Mac SSO Extension or/and AppSSO processes:

Also if you would go to Directory Utility, you can find Platform SSO in the Directory Editor: