Merge pull request #7087 from MandiOhlinger/ado13906925

v-dihans · web-flow · commit 95f2ea700668 · 2022-03-23T09:24:15.000-06:00
ADO 13906925: Added article to TOC; minor edits; acrolinx
diff --git a/memdocs/intune/configuration/toc.yml b/memdocs/intune/configuration/toc.yml
@@ -85,6 +85,8 @@ items:
       displayName: airprint, home screen, lock screen, sso, single sign-on
     - name: Use Enterprise SSO plug-in
       href: use-enterprise-sso-plug-in-ios-ipados-macos.md
+    - name: Use Enterprise SSO plug-in in Jamf Pro
+      href: use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro.md
   - name: Extensions on macOS
     href: kernel-extensions-overview-macos.md
     displayName: kernel extensions, system extensions
diff --git a/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro.md b/memdocs/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro.md
@@ -2,12 +2,12 @@
 # required metadata
 
 title: Microsoft Enterprise SSO plug-in in Jamf Pro
-description: Add or create a macOS device profile using the Microsoft Enterprise SSO plug-in in Jamf Pro.
+description: Add or create a macOS device profile using the Microsoft Enterprise SSO plug-in in Jamf Pro and Microsoft Intune.
 keywords:
-author: mepples21
+author: MandiOhlinger
 ms.author: miepping
 manager: 
-ms.date: 03/9/2022
+ms.date: 03/22/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -19,7 +19,7 @@ ms.technology:
 #ROBOTS:
 #audience:
 
-ms.reviewer: beflamm
+ms.reviewer: beflamm, miepping
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -29,11 +29,11 @@ ms.collection: M365-identity-device-management
 
 # Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS and macOS devices in Jamf Pro
 
-The Microsoft Enterprise SSO plug-in (preview) provides single sign-on (SSO) to apps and websites that use Microsoft Azure Active Directory (AAD) for authentication, including Microsoft 365. This plug-in uses the Apple single sign on app extension framework. It reduces the number of authentication prompts users get when using devices managed by Mobile Device Management (MDM), including Jamf Pro.
+The Microsoft Enterprise SSO plug-in (preview) provides single sign-on (SSO) to apps and websites that use Microsoft Azure Active Directory (Azure AD) for authentication, including Microsoft 365. This plug-in uses the Apple single sign-on app extension framework. It reduces the number of authentication prompts users get when using devices managed by Mobile Device Management (MDM), including Jamf Pro.
 
 Once set up, apps that support the Microsoft Authentication Library (MSAL) automatically take advantage of the Microsoft Enterprise SSO plug-in (preview). Apps that don't support MSAL can be allowed to use the extension. Just add the application bundle ID or prefix to the extension configuration.  
 
-For example, to allow a Microsoft app that doesn't support MSAL, add `com.microsoft.` to the **AppPrefixAllowList** property. Be careful with the apps you allow, they will be able to bypass interactive login prompts for the signed in user.
+For example, to allow a Microsoft app that doesn't support MSAL, add `com.microsoft.` to the **AppPrefixAllowList** property. Be careful with the apps you allow. They can bypass interactive sign-in prompts for the signed in user.
 
 For more information, see [Microsoft Enterprise SSO plug-in for Apple devices - apps that don't use MSAL](/azure/active-directory/develop/apple-sso-plugin#applications-that-dont-use-msal).  
 
@@ -45,7 +45,10 @@ This feature applies to:
 This article shows how to deploy the Microsoft Enterprise SSO plug-in (preview) for Apple Devices with Jamf Pro.
 
 > [!IMPORTANT]
-> The Microsoft Enterprise SSO plug-in for Apple Devices is in public preview. This preview version is provided without a service level agreement (SLA). It's not recommended to use in production. Certain features might not be supported or might have restricted behavior. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> The Microsoft Enterprise SSO plug-in for Apple Devices is in public preview. This preview version is provided without a service level agreement (SLA). It's not recommended to use in production. Certain features might not be supported or might have restricted behavior. For more information, see:
+>
+> - [Public preview in Microsoft Intune](../fundamentals/public-preview.md)
+> - [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
 
 ## Prerequisites
 
@@ -65,7 +68,9 @@ To use the Microsoft Enterprise SSO plug-in for Apple devices:
   The Company Portal app can be installed manually by users, or by deploying the app through Jamf Pro. For a list of options on how to install the Company Portal app, see [Jamf Pro's documentation](https://docs.jamf.com/10.24.1/jamf-pro/administrator-guide/Managing_macOS_Installers.html).
 
 > [!NOTE]
-> On Apple devices, Apple requires that the SSO app extension and the app (Authenticator or Company Portal) be installed. Users don't need to use the Authenticator or Company Portal apps; they just need to be installed on the device. **[Jamf Pro and Intune integration for device compliance](../protect/conditional-access-integrate-jamf.md) is not required to use the SSO app extension.**
+> On Apple devices, Apple requires that the SSO app extension and the app (Authenticator or Company Portal) be installed. Users don't need to use the Authenticator or Company Portal apps. The app just need to be installed on the device. 
+>
+> **[Jamf Pro and Intune integration for device compliance](../protect/conditional-access-integrate-jamf.md) is not required to use the SSO app extension.**
 
 ## Microsoft Enterprise SSO plug-in vs. Kerberos SSO extension
 
@@ -90,40 +95,42 @@ For more information on the single sign-on extension, see [Single sign-on app ex
 In the Jamf Pro portal, you create a Computer or Device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
 
 1. Sign in to the Jamf Pro portal.
-2. Select **Computers** > **Configuration profiles** > **New** to create a macOS profile or select **Devices** > **Configuration profiles** > **New** to create an iOS/iPadOS profile.
+2. To create a macOS profile, select **Computers** > **Configuration profiles** > **New**. To create an iOS/iPadOS profile, select **Devices** > **Configuration profiles** > **New**.
 
-    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/jamf-pro-configuration-profiles.png" alt-text="Navigation to Jamf Pro portal configuration profiles for macOS":::
+    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/jamf-pro-configuration-profiles.png" alt-text="In the Jamf Pro portal, create a configuration profile for macOS devices.":::
 
-3. Scroll down in the Options column and select **Single Sign-On Extensions** > **Add**.
+3. In the **Options** column, scroll down and select **Single Sign-On Extensions** > **Add**.
 
-    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-creation.png" alt-text="Select configuration profiles SSO option and click add":::
+    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-creation.png" alt-text="In the Jamf Pro portal, select the configuration profiles SSO option, and select add.":::
 
 4. Enter the following properties:
 
     - **Payload Type**: SSO
     - **Extension Identifier**:
-        - **macOS**: com.microsoft.CompanyPortalMac.ssoextension
-        - **iOS/iPadOS**: com.microsoft.azureauthenticator.ssoextension
+      - **macOS**: com.microsoft.CompanyPortalMac.ssoextension
+      - **iOS/iPadOS**: com.microsoft.azureauthenticator.ssoextension
     - **Team Identifier**:
-        - **macOS**: UBF8T346G9
-        - **iOS/iPadOS**: No value is needed, leave the field blank.
+      - **macOS**: UBF8T346G9
+      - **iOS/iPadOS**: No value is needed, leave the field blank.
     - **Sign-On Type**: Redirect
     - **URLs**:
-        - `https://login.microsoftonline.com`
-        - `https://login.microsoft.com`
-        - `https://sts.windows.net`
-        - `https://login.partner.microsoftonline.cn`
-        - `https://login.chinacloudapi.cn`
-        - `https://login.microsoftonline.de`
-        - `https://login.microsoftonline.us`
-        - `https://login.usgovcloudapi.net`
-        - `https://login-us.microsoftonline.com`
-
-    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-basic-settings-1.png" alt-text="Basic configuration settings part 1":::
-
-    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-basic-settings-2.png" alt-text="Basic configuration settings part 2":::
-        
-5. In **Custom Configuration** you will define other required properties. Jamf Pro requires that these properties are configured via an uploaded PLIST file. The full list of configurable properties is covered in the [Azure AD Apple SSO Extension documentation](/azure/active-directory/develop/apple-sso-plugin#manual-configuration-for-other-mdm-services). This is a recommended PLIST file that will meet the needs of most organizations:
+      - `https://login.microsoftonline.com`
+      - `https://login.microsoft.com`
+      - `https://sts.windows.net`
+      - `https://login.partner.microsoftonline.cn`
+      - `https://login.chinacloudapi.cn`
+      - `https://login.microsoftonline.de`
+      - `https://login.microsoftonline.us`
+      - `https://login.usgovcloudapi.net`
+      - `https://login-us.microsoftonline.com`
+
+    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-basic-settings-1.png" alt-text="In the Jamf Pro portal, see the basic configuration settings part 1.":::
+
+    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-basic-settings-2.png" alt-text="In the Jamf Pro portal, see the basic configuration settings part 2.":::
+
+5. In **Custom Configuration**, you'll define other required properties. Jamf Pro requires that these properties are configured using an uploaded PLIST file. To see the full list of configurable properties, go to [Azure AD Apple SSO Extension documentation](/azure/active-directory/develop/apple-sso-plugin#manual-configuration-for-other-mdm-services).
+
+    The following example is a recommended PLIST file that meets the needs of most organizations:
 
     ```xml
     <?xml version="1.0" encoding="UTF-8"?>
@@ -140,43 +147,46 @@ In the Jamf Pro portal, you create a Computer or Device configuration profile.
     </plist>
     ```
 
-    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-custom-configuration-plist.png" alt-text="Custom configuration with PLIST file":::
+    :::image type="content" source="media/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro/sso-extension-custom-configuration-plist.png" alt-text="See a sample custom configuration with a PLIST file for Jamf Pro.":::
 
     - These PLIST settings configure the following SSO Extension options:
 
-    | Key | Type | Value |
-    | --- | --- | --- |
-    | **AppPrefixAllowList** | String | Enter a list of prefixes for apps that don't support MSAL **and** are allowed to use SSO. For example, enter `com.microsoft.` to allow all Microsoft apps.<br/><br/>Be sure these apps [meet the allowlist requirements](/azure/active-directory/develop/apple-sso-plugin#enable-sso-for-apps-that-dont-use-a-microsoft-identity-platform-library).|
-    | **browser_sso_interaction_enabled** | Integer | When set to `1`, users can sign in from Safari browser, and from apps that don't support MSAL. Enabling this setting allows users to bootstrap the extension from Safari or other apps.|
-    | **disable_explicit_app_prompt** | Integer | Some apps might incorrectly enforce end-user prompts at the protocol layer. If you see this problem, users are prompted to sign in, even though the Microsoft Enterprise SSO plug-in works for other apps. <br/><br/>When set to `1` (one), you reduce these prompts. |
+      | Key | Type | Value |
+      | --- | --- | --- |
+      | **AppPrefixAllowList** | String | Enter a list of prefixes for apps that don't support MSAL **and** are allowed to use SSO. For example, enter `com.microsoft.` to allow all Microsoft apps.<br/><br/>Be sure these apps [meet the allowlist requirements](/azure/active-directory/develop/apple-sso-plugin#enable-sso-for-apps-that-dont-use-a-microsoft-identity-platform-library).|
+      | **browser_sso_interaction_enabled** | Integer | When set to `1`, users can sign in from Safari browser, and from apps that don't support MSAL. Enabling this setting allows users to bootstrap the extension from Safari or other apps.|
+      | **disable_explicit_app_prompt** | Integer | Some apps might incorrectly enforce end-user prompts at the protocol layer. If you see this problem, users are prompted to sign in, even though the Microsoft Enterprise SSO plug-in works for other apps. <br/><br/>When set to `1` (one), you reduce these   prompts. |
 
     > [!TIP]
     > For more information on these properties, and other properties you can configure, see [Microsoft Enterprise SSO plug-in for Apple devices (preview)](/azure/active-directory/develop/apple-sso-plugin#more-configuration-options).
 
-6. Select the **Scope** tab. Specify the computers or devices that should be targeted to receive the SSO Extension MDM profile.
+6. Select the **Scope** tab. Enter the computers or devices that should be targeted to receive the SSO Extension MDM profile.
 7. Select **Save**.
 
-When the device checks in with the Jamf Pro service, it will receive this profile.
+When the device checks in with the Jamf Pro service, it receives this profile.
 
 ## End user experience
 
-:::image type="content" source="./media/use-enterprise-sso-plug-in-ios-ipados-macos/flow-chart-end-user.png" alt-text="End user flow chart when installing SSO app app extension on iOS/iPadOS and macOS devices in Jamf Pro.":::
+:::image type="content" source="./media/use-enterprise-sso-plug-in-ios-ipados-macos/flow-chart-end-user.png" alt-text="End user flow chart when installing SSO app extension on iOS/iPadOS and macOS devices in Jamf Pro.":::
+
+- If you're not deploying the Microsoft Authenticator or Company Portal app using Jamf Pro, then users must install these apps manually.
+
+  Remember:
 
-- If you're not deploying the Microsoft Authenticator or Company Portal app using Jamf Pro, then users must install these apps manually. Remember:
   - On iOS/iPadOS devices, users install the Microsoft Authenticator app.
   - On macOS devices, users install the Company Portal app.
 
-  On Apple devices, Apple requires the SSO app extension and the app (Authenticator or Company Portal) be installed. **Users don't need to use the Authenticator or Company Portal apps; they just need to be installed on the device.**
+  On Apple devices, Apple requires the SSO app extension and the app (Authenticator or Company Portal) be installed. **Users don't need to use the Authenticator or Company Portal apps. The app just need to be installed on the device.**
 
 - Users sign in to any supported app or website to bootstrap the extension. Bootstrap is the process of signing in for the first time, which sets up the extension.  
 
   :::image type="content" source="./media/use-enterprise-sso-plug-in-ios-ipados-macos/user-signs-in.png" alt-text="Users signs in to app or website to bootstrap the SSO app extension on iOS/iPadOS and macOS devices in Jamf Pro.":::
 
 - After users sign in successfully, the extension is automatically used to sign in to any other supported app or website.
 
-On macOS, users are prompted to opt in or out of SSO when they sign in to a work or school app. They can select **Don’t ask me again** to opt out of SSO and block future requests about it.
+On macOS, users are prompted to opt in or out of SSO when they sign in to a work or school app. They can select **Don’t ask me again** to opt out of SSO and block future requests.
 
-Users can also manage their SSO preferences in the Company Portal app for macOS. To edit preferences, send them to the Company Portal menu bar > **Company Portal** > **Preferences** and tell them to select or deselect **Don’t ask me to sign in with single sign-on for this device**.
+Users can also manage their SSO preferences in the Company Portal app for macOS. To edit preferences, go to the Company Portal menu bar > **Company Portal** > **Preferences**. They can select or deselect **Don’t ask me to sign in with single sign-on for this device**.
 
 ## Next steps
 
