Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Platform Single Sign-On (PSSO) for macOS devices is a feature that allows users to sign in to macOS devices using their Microsoft Entra credentials. This feature provides a seamless sign-in experience for users and helps organizations manage access to resources on macOS devices.
In this guide, you learn how to integrate macOS Platform Single Sign-On (PSSO) into your MDM solution. This guide is intended for developers of third party MDM solutions who want to support PSSO for macOS devices.
Prerequisites
Before getting started, we recommend that you familiarize yourself with the following articles:
- Any documentation you were provided by Intune for Partner Managed Device Compliance Integration APIs
- Microsoft Enterprise Single Sign-On (SSO) plug-in for Apple devices.
- macOS Platform Single Sign-on overview.
Minimum required payload properties
The following settings and payload properties are required for use with the Microsoft Enterprise Single Sign-On (SSO) plug-in for Apple devices. Ensure these settings are configured with the following values and add other settings as required to ensure proper SSO for your apps.
| Setting | Value(s) |
|---|---|
| Extension identifier | com.microsoft.CompanyPortalMac.ssoextension |
| Team identifier | UBF8T346G9 |
| Authentication Method (Deprecated) [Required for OS13 devices] | One of... Password UserSecureEnclaveKey |
| Authentication method (OS14+ devices) | One of... Password UserSecureEnclaveKey Smartcard (macOS 14+) |
| Screen Locked Behavior | Do Not Handle |
| Type | Redirect |
| URLs | Supply the following URLs https://login.microsoftonline.com https://login.microsoft.com https://sts.windows.net https://login.partner.microsoftonline.cn https://login.chinacloudapi.cn https://login.microsoftonline.us https://login-us.microsoftonline.com |
| Use Shared Device Keys | Enable "Use Shared Device Keys" for the best PSSO experience and to avoid unnecessary re-registration experiences if enabled later. |
Event notifications
You may need to perform other actions upon completion of various PSSO events depending on the event's status. The following list contains notifications posted by the Entra ID SSO extension for various PSSO events. MDMs can choose to listen to these notifications and perform appropriate actions.
Events
Consider using these events to record telemetry or monitoring for errors or success cases. Once Device & User registration have completed, you should mark the device compliant via the compliance API service.
| Notification Name | Trigger |
|---|---|
| Microsoft.PlatformSSO.DeviceRegistration.Started | Device registration started |
| Microsoft.PlatformSSO.DeviceRegistration.Succeeded | Device registration finished |
| Microsoft.PlatformSSO.DeviceRegistration.Failed | Device registration failed |
| Microsoft.PlatformSSO.UserRegistration.Started | User registration started |
| Microsoft.PlatformSSO.UserRegistration.Succeeded | User registration finished |
| Microsoft.PlatformSSO.UserRegistration.Failed | User registration failed |
| Microsoft.PlatformSSO.Registration.Succeeded | Both device and user registration finished |
| Microsoft.PlatformSSO.Registration.Failed | Either device or user registration failed |
| Microsoft.PlatformSSO.Registration.Removed | Platform SSO registration removed |