Description
When integrated with Microsoft Entra ID, Platform Single Sign-on for macOS (Platform SSO) allows end users to authenticate to their computers using a smart card, their Microsoft Entra ID credentials, or with a secure enclave key.
When the secure enclave is used as the authentication method, it provides a secure, hardware-bound, non-phishable authentication factor that Microsoft Entra ID uses to grant access to organization resources. In this "Secure Enclave key" mode, the local account credentials are unchanged, and knowledge of the local account password fulfills the multiple-factor requirement of conditional access policies.
This article provides steps for a minimum viable configuration of Platform SSO on devices running macOS 14 or later.
Notes
This article assumes that creating new users at the login window is desired functionality.
This configuration can only be deployed to devices after the Microsoft Company Portal application has been installed.
At this time, Entra ID does not support Apple's Simplified Setup process that handles first-time registration during Setup Assistant.
Configuring the Profile
In Jamf School navigate to Profiles > Overview.
Click on the + Create Profile button in the upper right.
Select macOS as the platform.
Select Device Enrollment as the enrollment type and click Next.
Enter a name and description for the profile and click Next.
Click Finish to create the profile.
In the list of payloads on the left click on the App Extension SSO payload.
Scroll up to the top of the page and click the Configure button to populate the available settings.
Adjust the following settings:
Sign-On Type: Redirect
Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
Team Identifier: UBF8T346G9
URLs:
Authentication when screen is locked: Do Not Handle
Use Platform SSO: Enabled
Account Display Name: A name that identifies your Entra Tenant to the user.
Authentication Method: Password
Use Shared Device Keys: Enabled
Note: If you don’t want Platform SSO to handle creating new users at the login window, this can be left disabled.
Enable Authorization: Enabled
Note: If you did not enable Use Shared Device Keys this option will not be available.
Create New User at Login: Enabled
Note: If you did not enable Use Shared Device Keys this option will not be available.
Account Authorization Type: Standard
New User Account Type: Standard
Token-to-user mapping:
preferred_name
name
New User Authentication Methods:
Password: Enabled
Click Save to save the changes to the configuration profile.
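As an added check that is not part of this article (and not Jamf or Microsoft code), the following Python script parses an exported .mobileconfig and compares its Extensible SSO payload against the settings listed above, using Apple's documented payload keys. The embedded profile is a constructed sample; the Account Display Name, token-to-user mapping and new-user authentication method settings are not checked.

```python
import plistlib

# Constructed sample profile: only the Extensible SSO payload, as Jamf School would emit it.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
  <key>TeamIdentifier</key><string>UBF8T346G9</string>
  <key>Type</key><string>Redirect</string>
  <key>ScreenLockedBehavior</key><string>DoNotHandle</string>
  <key>PlatformSSO</key><dict>
    <key>AuthenticationMethod</key><string>Password</string>
    <key>UseSharedDeviceKeys</key><true/>
    <key>EnableAuthorization</key><true/>
    <key>EnableCreateUserAtLogin</key><true/>
    <key>UserAuthorizationMode</key><string>Standard</string>
    <key>NewUserAuthorizationMode</key><string>Standard</string>
  </dict>
</dict></array></dict></plist>"""

# Values the article specifies: top-level keys of the payload, then keys of its PlatformSSO dict.
EXPECTED = {"ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
            "TeamIdentifier": "UBF8T346G9", "Type": "Redirect", "ScreenLockedBehavior": "DoNotHandle"}
EXPECTED_PSSO = {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True,
                 "EnableAuthorization": True, "EnableCreateUserAtLogin": True,
                 "UserAuthorizationMode": "Standard", "NewUserAuthorizationMode": "Standard"}


def check_psso_profile(profile_bytes: bytes) -> list[str]:
    """Return mismatches against the article's settings; an empty list means the profile matches."""
    payloads = [p for p in plistlib.loads(profile_bytes).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload found"]
    sso, problems = payloads[0], []
    for key, want in EXPECTED.items():
        if sso.get(key) != want:
            problems.append(f"{key}: expected {want!r}, got {sso.get(key)!r}")
    psso = sso.get("PlatformSSO")
    if not isinstance(psso, dict):  # the dictionary only exists when Use Platform SSO is enabled
        return problems + ["PlatformSSO dictionary missing: Use Platform SSO is not enabled"]
    for key, want in EXPECTED_PSSO.items():
        if psso.get(key) != want:
            problems.append(f"PlatformSSO.{key}: expected {want!r}, got {psso.get(key)!r}")
    return problems
```

Run it against a profile downloaded from Jamf School by passing the file's bytes to check_psso_profile; any returned line names a setting that differs from this article.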
Deployment Notes
Once configuration is complete this profile can be deployed to devices where the Microsoft Company Portal application is already installed.
For installation steps, see the Jamf School documentation.
For best results, deploy this configuration with a smart group that finds devices that already have the application installed. This prevents the profile from being deployed to devices that do not meet the prerequisite.
