Platform SSO for macOS is a significant step forward in managing and authenticating users on Apple devices in corporate environments. Now in public preview with Microsoft Entra ID, it is designed to streamline the user experience, providing seamless and secure access to device and application resources. With Platform SSO, Microsoft not only extends its device management capabilities but also moves toward passwordless authentication: one of the new sign-in methods uses the Secure Enclave, letting users log in without a password by authenticating with hardware-bound cryptographic keys.
Microsoft has announced that Platform SSO for macOS is now available in public preview with Microsoft Entra ID. It builds on the Microsoft Enterprise SSO plug-in for Apple devices, improving both ease of use and security for managing Mac devices. During the public preview, Platform SSO supports Microsoft Intune, with support for additional MDM providers planned.
The preview introduces Microsoft Entra Join for macOS. This feature uses the Enterprise SSO plug-in to create a secure, hardware-bound device record in Entra ID, and it requires a Microsoft Entra ID organizational account. Microsoft is also debuting three new authentication methods that promise a more seamless and passwordless user experience, all configurable through MDM and available as part of the free Microsoft Entra ID offering.
These methods are passwordless authentication with the Secure Enclave, passwordless sign-in with smart cards, and password synchronization with local accounts. Only the first two are passwordless; the third keeps the local account password aligned with the Entra ID password. Each method provides SSO across apps and devices, improving both convenience and security. Updated guides and tutorials for setting up Platform SSO for macOS are available on Microsoft Learn and cover setup, deployment, usage, and troubleshooting.
Further enhancements, including additional controls, reporting, audit, and sign-in logging, are planned. Microsoft Graph will also gain APIs to configure, query, and manage these capabilities, improving the experience for both users and admins. Some features may require a premium Entra ID license.
Platform Single Sign-on (SSO) is Apple's framework that lets an SSO extension integrate with the macOS login window, so that an identity provider (IdP) credential can be used to sign in to the Mac itself. With the password synchronization method, the local account password is updated automatically to match the cloud password, keeping the two consistent; with the Secure Enclave and smart card methods, the cloud password is not pushed to the local account, and sign-in relies on the hardware-bound key or the card instead.
For applications that do not use the Microsoft Authentication Library (MSAL), SSO is provided by the Enterprise SSO plug-in. The plug-in ships inside the Microsoft Authenticator app on iOS/iPadOS and the Intune Company Portal app on macOS, so it is present on any MDM-enrolled device in your organization that has one of those apps; it is then enabled and configured by an extensible SSO profile delivered through MDM.
Apple's extensible SSO framework supports two extension types, Redirect and Credential. A Redirect extension intercepts requests to specific identity-provider URLs, while a Credential extension handles challenge/response authentication such as Kerberos. The Microsoft Enterprise SSO plug-in is a Redirect extension that brokers authentication to the Microsoft Entra ID login endpoints, which makes it the preferred choice for authentication brokering to Microsoft services.
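As an added example (not code from Microsoft or from the original page), here is a small Python pre-deployment lint for the extensible SSO profile that enables the plug-in. It checks the points the paragraphs above describe: the payload must name Microsoft's extension and team, use the Redirect type, claim the Entra ID login URLs, and, when it enables Platform SSO, choose a supported authentication method; it warns when that method is Password, since that is the one method of the three that is not passwordless. The extension and team identifiers are the ones Microsoft publishes for the plug-in; the two embedded profiles are constructed, trimmed samples, and the finding strings are this example's own convention.

```python
import plistlib

# Identifiers of the Microsoft Enterprise SSO plug-in as published in Microsoft's
# extensible SSO payload documentation; everything else here is an added example.
MS_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
# Subset of the Entra ID endpoints the Redirect extension must claim.
REQUIRED_URLS = {
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
}
# Apple's PlatformSSO.AuthenticationMethod values.
AUTH_METHODS = {"UserSecureEnclaveKey", "SmartCard", "Password"}


def lint_extensible_sso(profile):
    """Return 'ERROR:'/'WARN:' strings for every com.apple.extensiblesso payload."""
    findings = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["ERROR: no com.apple.extensiblesso payload in profile"]
    for p in payloads:
        # A profile naming another extension or team hands the login flow to someone else.
        if p.get("ExtensionIdentifier") != MS_EXTENSION_ID:
            findings.append(f"ERROR: ExtensionIdentifier is {p.get('ExtensionIdentifier')!r}, "
                            f"expected {MS_EXTENSION_ID}")
        if p.get("TeamIdentifier") != MS_TEAM_ID:
            findings.append(f"ERROR: TeamIdentifier is {p.get('TeamIdentifier')!r}, expected {MS_TEAM_ID}")
        # The Microsoft plug-in is a Redirect extension; a Credential type never matches it.
        if p.get("Type") != "Redirect":
            findings.append(f"ERROR: Type is {p.get('Type')!r}; the Microsoft plug-in is a Redirect extension")
        missing = REQUIRED_URLS - set(p.get("URLs", []))
        if missing:
            findings.append("ERROR: URLs missing " + ", ".join(sorted(missing)))
        psso = p.get("PlatformSSO")
        if psso is None:
            findings.append("WARN: no PlatformSSO dictionary; profile gives app SSO only, not macOS login")
            continue
        method = psso.get("AuthenticationMethod")
        if method not in AUTH_METHODS:
            findings.append(f"ERROR: AuthenticationMethod {method!r} is not one of {sorted(AUTH_METHODS)}")
        elif method == "Password":
            findings.append("WARN: AuthenticationMethod Password syncs the local password with the "
                            "cloud password; it is not passwordless (prefer UserSecureEnclaveKey)")
    return findings


def lint_mobileconfig(data):
    """Parse a .mobileconfig (XML or binary plist) and lint it."""
    return lint_extensible_sso(plistlib.loads(data))


# Constructed, trimmed sample profile (a real one also carries PayloadIdentifier, PayloadUUID, ...).
GOOD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.microsoft.azureauthenticator.ssoextension</string>
    <key>TeamIdentifier</key><string>UBF8T346G9</string>
    <key>Type</key><string>Redirect</string>
    <key>URLs</key><array>
      <string>https://login.microsoftonline.com</string>
      <string>https://login.microsoft.com</string>
      <string>https://sts.windows.net</string>
    </array>
    <key>PlatformSSO</key><dict>
      <key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
    </dict>
  </dict></array>
</dict></plist>"""

# The same constructed profile with the mistakes an admin is most likely to make:
# wrong extension type, a dropped login URL, and the password-sync method.
WEAK_PROFILE = GOOD_PROFILE.replace(b"<string>Redirect</string>", b"<string>Credential</string>") \
    .replace(b"<string>UserSecureEnclaveKey</string>", b"<string>Password</string>") \
    .replace(b"      <string>https://sts.windows.net</string>\n", b"")

if __name__ == "__main__":
    for name, data in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, lint_mobileconfig(data) or ["OK"])
```

Run it against an exported .mobileconfig by reading the file as bytes and passing it to lint_mobileconfig; binary plists are handled by plistlib as well. The checks are deliberately strict about the extension and team identifiers, because an extensible SSO profile is what decides which code receives the user's login flow on the Mac.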
By configuring federated authentication in Apple Business Manager with Microsoft Entra ID as the identity provider, users can sign in to Apple devices and services with Managed Apple IDs backed by their Entra ID credentials, typically their corporate email address and password. Federation is a separate configuration from Platform SSO, but together they let the same Microsoft Entra ID credentials be used across the Apple environment.