Integrate macOS Platform Single Sign-On (PSSO) into your Mobile Device Management (MDM) solution

Platform Single Sign-On (PSSO) for macOS devices is a feature that allows users to sign in to macOS devices using their Microsoft Entra credentials. This feature provides a seamless sign-in experience for users and helps organizations manage access to resources on macOS devices.

In this guide, you learn how to integrate macOS Platform Single Sign-On (PSSO) into your MDM solution. This guide is intended for developers of third party MDM solutions who want to support PSSO for macOS devices.

Prerequisites

Before getting started, we recommend that you familiarize yourself with the following articles:

Minimum required payload properties

The following settings and payload properties are required for use with the Microsoft Enterprise Single Sign-On (SSO) plug-in for Apple devices. Ensure these settings are configured with the following values and add other settings as required to ensure proper SSO for your apps.

Setting: Value(s)

Extension identifier
    com.microsoft.CompanyPortalMac.ssoextension
Team identifier
    UBF8T346G9
Authentication Method (Deprecated) [Required for macOS 13 devices]
    One of: Password, UserSecureEnclaveKey
Authentication method (macOS 14+ devices)
    One of: Password, UserSecureEnclaveKey, Smartcard (macOS 14+)
Screen Locked Behavior
    Do Not Handle
Type
    Redirect
URLs
    Supply the following URLs:
    https://login.microsoftonline.com
    https://login.microsoft.com
    https://sts.windows.net
    https://login.partner.microsoftonline.cn
    https://login.chinacloudapi.cn
    https://login.microsoftonline.us
    https://login-us.microsoftonline.com
Use Shared Device Keys
    Enable "Use Shared Device Keys" for the best PSSO experience and to avoid unnecessary re-registration if it is enabled later.
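As an added example (not code from Microsoft or from this guide), the script below builds an Extensible SSO payload carrying the values in the table and checks a payload an MDM is about to push against the same minimum. Apple's com.apple.extensiblesso key names, the placement of the macOS 14+ method under PlatformSSO/AuthenticationMethod, and the PayloadIdentifier placeholder are assumptions.

```python
import plistlib
# Values copied from the minimum-required payload properties table on this page.
EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = (
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
)
AUTH_METHODS = ("Password", "UserSecureEnclaveKey", "SmartCard")

def build_psso_payload(auth_method="UserSecureEnclaveKey"):
    """Build one com.apple.extensiblesso payload dict carrying the required PSSO values."""
    # Assumption: the macOS 14+ method is carried as PlatformSSO/AuthenticationMethod.
    if auth_method not in AUTH_METHODS:
        raise ValueError(f"unsupported authentication method: {auth_method}")
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.psso.placeholder",  # placeholder, not from the page
        "ExtensionIdentifier": EXTENSION_ID,
        "TeamIdentifier": TEAM_ID,
        "Type": "Redirect",
        "URLs": list(REQUIRED_URLS),
        "ScreenLockedBehavior": "DoNotHandle",
        "PlatformSSO": {"AuthenticationMethod": auth_method, "UseSharedDeviceKeys": True},
    }

def validate_psso_payload(payload):
    """Return the list of minimum-property violations; an empty list means the payload passes."""
    expected = {"ExtensionIdentifier": EXTENSION_ID, "TeamIdentifier": TEAM_ID,
                "Type": "Redirect", "ScreenLockedBehavior": "DoNotHandle"}
    problems = [f"{key} must be {value}" for key, value in expected.items()
                if payload.get(key) != value]
    problems += [f"missing URL: {url}" for url in REQUIRED_URLS
                 if url not in payload.get("URLs", [])]
    psso = payload.get("PlatformSSO", {})
    if psso.get("AuthenticationMethod") not in AUTH_METHODS:
        problems.append("PlatformSSO/AuthenticationMethod must be one of " + ", ".join(AUTH_METHODS))
    if psso.get("UseSharedDeviceKeys") is not True:
        problems.append("PlatformSSO/UseSharedDeviceKeys should be enabled")
    return problems

def roundtrip_validate(payload):
    """Serialize the payload as plist bytes (as an MDM would) and validate what parses back."""
    return validate_psso_payload(plistlib.loads(plistlib.dumps(payload)))
```

Run validate_psso_payload against every Extensible SSO payload before it is queued for delivery; a non-empty result means the Entra SSO extension will not be configured as this guide requires.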

Event notifications

You may need to perform other actions upon completion of various PSSO events depending on the event's status. The following list contains notifications posted by the Entra ID SSO extension for various PSSO events. MDMs can choose to listen to these notifications and perform appropriate actions.

Events

Consider using these events to record telemetry or to monitor for error and success cases. Once both device and user registration have completed, you should mark the device compliant via the compliance API service.

Notification name: Trigger

Microsoft.PlatformSSO.DeviceRegistration.Started
    Device registration started
Microsoft.PlatformSSO.DeviceRegistration.Succeeded
    Device registration finished
Microsoft.PlatformSSO.DeviceRegistration.Failed
    Device registration failed
Microsoft.PlatformSSO.UserRegistration.Started
    User registration started
Microsoft.PlatformSSO.UserRegistration.Succeeded
    User registration finished
Microsoft.PlatformSSO.UserRegistration.Failed
    User registration failed
Microsoft.PlatformSSO.Registration.Succeeded
    Both device and user registration finished
Microsoft.PlatformSSO.Registration.Failed
    Either device or user registration failed
Microsoft.PlatformSSO.Registration.Removed
    Platform SSO registration removed