---
title: Configure macOS Enterprise SSO app extension with MDMs
description: Learn more about the Microsoft Enterprise single sign-on (SSO) app extension plug-in. Add or create a macOS device profile using the SSO app extension in Microsoft Intune, Jamf Pro, and other MDM solution providers.
ms.date: 05/01/2024
ms.topic: how-to
ms.reviewer: miepping, tbc, alessanc
ms.collection:
---
[!INCLUDE Apple SSO Boilerplate]
This feature applies to:

- macOS

For iOS/iPadOS, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices.
On macOS devices, you can configure SSO app extension settings in two places in Intune:

- Device features template (this article) - This option configures only the SSO app extension and uses your MDM provider, like Intune, to deploy the settings to devices.

  Use this article if you only want to configure the SSO app extension settings and don't want to also configure Platform SSO.

- Settings Catalog - This option configures Platform SSO and the SSO app extension together. You use Intune to deploy the settings to your devices.

  Use the settings catalog settings if you want to configure both the Platform SSO and SSO app extension settings. For more information, go to Configure platform SSO for macOS devices in Microsoft Intune.
For an overview of your SSO options on Apple devices, go to SSO overview and options for Apple devices in Microsoft Intune.
This article shows how to create an SSO app extension configuration policy for macOS Apple devices with Intune, Jamf Pro, and other MDM solutions.
If you want to configure Platform SSO and SSO app extension settings together, then go to Configure platform SSO for macOS devices in Microsoft Intune.
[!INCLUDE Apple SSO app support]
To use the Microsoft Enterprise SSO plug-in on macOS devices:

Intune:

- The device is MDM managed by Intune.
- The device must support the plug-in:
  - macOS 10.15 and newer
- The Microsoft Company Portal app must be installed and configured on the device.
- The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.

Jamf Pro:

- The device is managed by Jamf Pro.
- The device must support the plug-in:
  - macOS 10.15 and newer
- The Microsoft Company Portal app must be installed on the device.

  Users can install the Company Portal app manually. Or, admins can deploy the app using Jamf Pro. For a list of options on how to install the Company Portal app, go to Package Management - Adding a Package to Jamf Admin (opens Jamf Pro's web site).

  > [!NOTE]
  > On macOS devices, Apple requires the Company Portal app be installed. Users don't need to use or configure the Company Portal app; it just needs to be installed on the device.

- The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.

Other MDM:

- The device is managed by a mobile device management (MDM) provider solution.
- The MDM solution must support configuring the Single Sign-on MDM payload settings for Apple devices (opens Apple's web site) with a device policy.
- The device must support the plug-in:
  - macOS 10.15 and newer
- The Microsoft Company Portal app must be installed on the device.

  Users can install the Company Portal app manually. Or, admins can deploy the app using an MDM policy. You can download the Company Portal app installer package.

  > [!NOTE]
  > On macOS devices, Apple requires the Company Portal app be installed. Users don't need to use or configure the Company Portal app; it just needs to be installed on the device.

- The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.
[!INCLUDE Apple Kerberos Extension Boilerplate]
For more information on the SSO app extension, go to SSO overview and options for Apple devices in Microsoft Intune.
This section shows how to create an SSO app extension policy. For information on platform SSO, go to Configure platform SSO for macOS devices in Microsoft Intune.
In the Microsoft Intune admin center, create a device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Manage devices > Configuration > Create > New policy.
3. Enter the following properties:
   - Platform: Select macOS.
   - Profile type: Select Templates > Device features.
4. Select Create:

   :::image type="content" source="../media/enterprise-sso-plugin/macos-create-device-features.png" alt-text="Screenshot that shows how to create a device features configuration profile for macOS in Intune.":::

5. In Basics, enter the following properties:
   - Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS-SSO app extension.
   - Description: Enter a description for the policy. This setting is optional, but recommended.
6. Select Next.
7. In Configuration settings, select Single sign-on app extension, and configure the following properties:
   - SSO app extension type: Select Microsoft Entra ID:

     :::image type="content" source="../media/enterprise-sso-plugin/macos-device-features-sso-extension-type.png" alt-text="Screenshot that shows the SSO app extension type and Microsoft Entra ID for macOS in Intune.":::

   - App bundle ID: Enter a list of bundle IDs for apps that don't support MSAL and are allowed to use SSO. For more information, go to Applications that don't use MSAL.
   - Additional configuration: To customize the end user experience, you can add the following properties. These properties are the default values used by the SSO app extension, but they can be customized for your organization needs:

     [!INCLUDE Apple SSO Recommended Settings Table Boilerplate]

     When you're done configuring the recommended settings, the settings look similar to the following values in your Intune configuration profile:

     :::image type="content" source="../media/enterprise-sso-plugin/macos-sso-extension-additional-configuration.png" alt-text="Screenshot that shows the end user experience configuration options for the Enterprise SSO app extension plug-in on macOS devices in Microsoft Intune.":::

8. Continue creating the profile, and assign the profile to the users or groups that receive these settings. For the specific steps, go to Create the profile.

   For guidance on assigning profiles, go to Assign user and device profiles.
When the policy is ready, you assign the policy to your users. Microsoft recommends you assign the policy when the device enrolls in Intune. But, it can be assigned at any time, including on existing devices. When the device checks in with the Intune service, it receives this profile. For more information, go to Policy refresh intervals.
To check that the profile deployed correctly, in the Intune admin center, go to Devices > Manage devices > Configuration > select the profile you created and generate a report:
:::image type="content" source="../media/enterprise-sso-plugin/macos-enterprise-sso-profile-report.png" alt-text="Screenshot that shows the macOS device configuration profile deployment report in Microsoft Intune.":::
In the Jamf Pro portal, you create a Computer configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the Jamf Pro portal.
2. To create a macOS profile, select Computers > Configuration profiles > New:

   :::image type="content" source="../media/enterprise-sso-plugin/jamf-pro-configuration-profiles.png" alt-text="Screenshot that shows the Jamf Pro portal and how to create a configuration profile for macOS devices.":::

3. In Name, enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is: macOS-Microsoft Enterprise SSO plug-in.
4. In the Options column, scroll down and select Single Sign-On Extensions > Add:

   :::image type="content" source="../media/enterprise-sso-plugin/sso-extension-creation.png" alt-text="Screenshot that shows the Jamf Pro portal. Select the configuration profiles SSO option and select add for macOS devices.":::

5. Enter the following properties:
   - Payload Type: Select SSO.
   - Extension Identifier: Enter com.microsoft.CompanyPortalMac.ssoextension.
   - Team Identifier: Enter UBF8T346G9.
   - Sign-On Type: Select Redirect.
   - URLs: Enter the following URLs, one at a time:
     - https://login.microsoftonline.com
     - https://login.microsoft.com
     - https://sts.windows.net
     - https://login.partner.microsoftonline.cn
     - https://login.chinacloudapi.cn
     - https://login.microsoftonline.us
     - https://login-us.microsoftonline.com

   :::image type="content" source="../media/enterprise-sso-plugin/sso-extension-basic-settings-1.png" alt-text="Screenshot that shows the Jamf Pro portal and the payload type, extension identifier, team identifier, and SSO type settings for macOS devices.":::

   :::image type="content" source="../media/enterprise-sso-plugin/sso-extension-basic-settings-2.png" alt-text="Screenshot that shows the Jamf Pro portal and the SSO URLs for macOS devices.":::

6. In Custom Configuration, you define other required properties. Jamf Pro requires that these properties are configured using an uploaded PLIST file. To see the full list of configurable properties, go to Microsoft Enterprise SSO plug-in for Apple devices documentation.

   The following example is a recommended PLIST file that meets the needs of most organizations:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <plist version="1.0">
   <dict>
       <key>AppPrefixAllowList</key>
       <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
       <key>browser_sso_interaction_enabled</key>
       <integer>1</integer>
       <key>disable_explicit_app_prompt</key>
       <integer>1</integer>
   </dict>
   </plist>
   ```

   :::image type="content" source="../media/enterprise-sso-plugin/sso-extension-custom-configuration-plist.png" alt-text="Screenshot that shows a sample custom configuration with a PLIST file for Jamf Pro.":::

   These PLIST settings configure the following SSO Extension options. These properties are the default values used by the SSO app extension, but they can be customized for your organization needs:

7. Select the Scope tab. Enter the computers or devices that should be targeted to receive the SSO Extension MDM profile.
8. Select Save.

When the device checks in with the Jamf Pro service, it receives this profile.

> [!TIP]
> If you use Jamf Connect, it is recommended that you follow the latest Jamf guidance on integrating Jamf Connect with Microsoft Entra ID (opens Jamf Pro's web site). The recommended integration pattern ensures that Jamf Connect works properly with your Conditional Access policies and Microsoft Entra ID Protection.
In the MDM portal, create a device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the MDM portal.
2. Create a new device configuration profile.
3. Select an option called Single Sign-On Extensions or SSO extension. The name can vary depending on your MDM service.
4. Enter the following properties:

   | Key | Value |
   |---|---|
   | Payload Type | SSO |
   | Extension Identifier | com.microsoft.CompanyPortalMac.ssoextension |
   | Team Identifier | UBF8T346G9 |
   | Sign-On Type | Redirect |
   | URLs | - https://login.microsoftonline.com<br>- https://login.microsoft.com<br>- https://sts.windows.net<br>- https://login.partner.microsoftonline.cn<br>- https://login.chinacloudapi.cn<br>- https://login.microsoftonline.us<br>- https://login-us.microsoftonline.com |

   Optionally, you can configure other properties. These properties are the default values used by the SSO app extension, but they can be customized for your organization needs:

5. Assign the new policy to the devices that should be targeted to receive the SSO Extension MDM profile.

When the device checks in with the MDM service, it receives this profile.
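A quick way to sanity-check the values above before uploading them to an MDM is to build the payload and validate it. The following Python is an added example, not code from this page or from Microsoft: it uses the values from the Jamf Pro custom configuration PLIST and the MDM properties table, serializes them with Apple's `com.apple.extensiblesso` payload keys (the MDM adds the PayloadUUID/PayloadIdentifier wrapper itself), and applies this example's own validation rules, including catching the common mistake of pasting several URLs into one field.

```python
import plistlib

# Values from this page: the Company Portal SSO extension, Microsoft's team
# identifier, the redirect URLs, and the recommended custom configuration.
EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = (
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
)
EXTENSION_DATA = {
    "AppPrefixAllowList": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}


def build_payload(urls=REQUIRED_URLS, sso_type="Redirect", ext=EXTENSION_DATA):
    """Serialize one SSO extension payload as plist XML bytes (Apple's key names)."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": EXTENSION_ID,
        "TeamIdentifier": TEAM_ID,
        "Type": sso_type,
        "URLs": list(urls),
        "ExtensionData": dict(ext),
    }
    return plistlib.dumps(payload)


def validate_payload(data):
    """Return the problems found in a serialized payload; [] means it matches this page."""
    p, problems = plistlib.loads(data), []
    for key, want in (("ExtensionIdentifier", EXTENSION_ID),
                      ("TeamIdentifier", TEAM_ID), ("Type", "Redirect")):
        if p.get(key) != want:
            problems.append(f"{key} must be {want}")
    urls = p.get("URLs", [])
    # Each entry must be exactly one https URL; several URLs run together in one
    # field ("https://a.comhttps://b.com") are flagged instead of silently kept.
    problems += ["malformed URL: " + u for u in urls
                 if not u.startswith("https://") or u.count("://") != 1]
    problems += ["missing URL: " + u for u in REQUIRED_URLS if u not in urls]
    for key in ("browser_sso_interaction_enabled", "disable_explicit_app_prompt"):
        if p.get("ExtensionData", {}).get(key) not in (0, 1):
            problems.append(key + " must be an integer 0 or 1")
    return problems
```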
[!INCLUDE Apple iOS End User Experience Boilerplate]
> [!TIP]
> Learn more about how the SSO plug-in works and how to troubleshoot the Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple devices.

- For information about the Microsoft Enterprise SSO plug-in, go to Microsoft Enterprise SSO plug-in for Apple devices.
- For information from Apple on the single sign-on extension payload, go to single sign-on extensions payload settings (opens Apple's web site).
- For information on troubleshooting the Microsoft Enterprise SSO Extension, go to Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.