Humans, although at the apex of the natural world’s hierarchy, struggle with the challenge of recalling numerous usernames and passwords to unlock their devices and applications❌. Fortunately, Microsoft has introduced Entra ID single sign-on (SSO), a convenient solution that allows users to access all their apps using just one set of credentials. This means users no longer need to commit multiple passwords to memory!
Following this, Microsoft has introduced Platform SSO for macOS (Microsoft Entra Join for macOS), which streamlines Entra ID account authentication using Microsoft Intune🔐. It was initially announced as a private preview feature. Now it is available in public preview!
This enhancement, highly anticipated by Mac users, is set to provide additional security to macOS devices enrolled in Microsoft Intune. Let’s first look at the existing SSO extension for Apple devices.
Microsoft Enterprise SSO Plug-in for Apple Devices
Microsoft Enterprise SSO plug-in enables Entra ID users to achieve device-wide single sign-on for all apps and websites on their Apple devices. This helps users to sign into their Macs using passwordless or passwords managed and validated by Entra ID.
To provide the best protection, Microsoft worked with Apple to develop this SSO plug-in for Entra ID accounts. It offers compatibility across all applications, including the older ones that support Apple’s in-built Extensible single sign-on. Currently, it is available built-in for Microsoft Intune Company Portal and the Authenticator app on iOS and iPad devices.
Requirements for Enabling Microsoft Enterprise SSO Plug-in
- Microsoft Intune Company Portal app must be installed on the device.
- The macOS should run on 10.15 and later.
- The device needs to be registered in Mobile Device Management (MDM), such as via Microsoft Intune.
- To meet Apple’s security requirements, it’s necessary to push the configuration that activates the Enterprise single sign-on (SSO) plug-in to the device.
Platform SSO for macOS (Microsoft Entra Join for macOS)
Platform single sign-on (SSO) is an upgrade of the existing Microsoft Enterprise single sign-on extension. With this new feature, you can log in to your Mac computer using your work credentials from Microsoft Entra ID. You’ll be automatically signed into your work apps and websites without having to enter your password again and again. It’s like having one key to unlock multiple doors. It allows users to sign into their Macs using passwordless or passwords managed and validated by Entra ID.
Requirements for Platform SSO for macOS
- Deploy Microsoft Enterprise SSO plug-in.
- Register for Microsoft Entra ID multifactor authentication.
- Update macOS devices to macOS 13 (Ventura) or higher; the Microsoft Enterprise SSO plug-in itself works on 10.15 and higher.
Currently, the public preview of Platform SSO works with Microsoft Intune MDM only. As mentioned earlier, you can use the built-in configuration profile settings to enable the Microsoft Enterprise SSO plug-in and add older apps to an allowlist.
How Is Platform SSO Helpful for macOS Users?
✅ It removes the necessity for security keys and additional hardware when authenticating users on Mac devices.
✅ As passwords are a primary attack vector, it allows users to go passwordless by using Touch ID to unlock their device.
✅ When you log in with Touch ID, it uses a device-bound cryptographic key behind the scenes to keep you signed in to Entra ID.
✅ It integrates with the Secure Enclave – a secure subsystem included in modern Macs – to enhance security.
✅ It uses phishing-resistant credentials based on Windows Hello for Business and backed by Apple’s hardware.
✅ It allows admins to configure the end-user authentication method: phishing-resistant credentials or traditional passwords.
In addition, keeping you signed in across your apps is still handled by the existing Microsoft Enterprise SSO plug-in.
IMPORTANT: With the rollout of Platform single sign-on (SSO) capabilities for Mac devices, users who don’t want to remove passwords from Entra ID sign-ins entirely can still sync their local account passwords with Entra ID, so that they can use their identity provider password to log in to their Macs.
Microsoft Intune Employee Onboarding and Platform SSO for macOS
Platform single sign-on (SSO) for Mac enterprises (Entra Join for macOS with Platform SSO) streamlines employee onboarding for Microsoft 365 users. It removes the requirement to open the Company Portal app to access resources through Conditional Access on Intune-managed Macs.
Additionally, to assist organizations in device management, Microsoft has compiled a list of 10 ways Microsoft Intune improves Apple device management.
Platform SSO for macOS FAQs
Here are some commonly asked questions on platform SSO for macOS addressed by Microsoft.
1. Will passwordless sign-in also work for unlocking FileVault? Or will the user still need the password for the initial unlock after a reboot?
Answer: When passwordless is used, unlocking FileVault after a reboot requires the use of a password.
2. Is there a plan to support security keys at some point for Platform SSO?
Answer: Support for security keys is coming and will be supported as part of a public preview on devices running macOS 14 and above.
3. Will it be possible to use it when we’re using another solution instead of MS Authenticator for MFA?
Answer: Any MFA method recognized by Conditional Access is supported. However, MFA solutions implemented using Custom Controls do not satisfy this requirement.
4. Should we be seeing an alternate login screen at this stage of the preview?
Answer: The login screen on the Mac will look like a standard macOS sign-in screen. If you’ve used the password-sync functionality, you will be able to sign in on the device with your Entra ID password. If you’ve used passwordless, the device password will remain unchanged (and will be needed to unlock FileVault after a reboot); once the device is unlocked, Touch ID (if configured) can be used to both unlock the device and authenticate with Entra ID.
5. Can we bypass the FV2 screen if we opt out of passwordless? Are we taken directly to the desktop if we use a password that’s synced with the IDP?
Answer: Yes, with PSSO password auth, the user is taken directly to the desktop once authenticated with Entra ID at the unlock screen.
Closing Thoughts
Overall, Microsoft’s introduction of Entra ID single sign-on (SSO) and the subsequent release of Platform SSO for macOS mark significant advancements in simplifying user authentication for Mac users. I hope this blog has given an overview of the improvements brought to the existing Microsoft Enterprise SSO plug-in for Apple devices.
Thanks for reading! Feel free to reach us in the comments for any assistance.