Solved

Company Portal 5.2401.2 with PSSO support

  • March 20, 2024
  • 36 replies
  • 382 views


  • New Contributor
  • March 22, 2024

To remove the notification, it is necessary to remove the SSOe profile completely, then deploy it again without PSSO.

It is not sufficient to remove only PSSO.


Even deactivating it, it is populating users.

Do I need to do anything else?


Michael-Lopez

I have spent a few hours diagnosing this issue. Our organization is using SSOe to handle passing the PRT token around to our SSO applications in Entra/Azure. My mistake that I didn't keep up with the news that the SSOp would be turned on automatically with the CP deployed. 

I deactivated the SSOp from the config profile, but this is causing the banner to stay and causes a never-ending login loop AFTER the SSOp is deactivated from the same config profile.

Running the command app-sso platform -s you can see the output of signing into the banner. When running the command after every sign-in attempt on the looping banner, you can see that the output of the command never changes from "POUserStateNeedsRegistration (2)" to "POUserStateNormal".

If you want to tail what the Company Portal app is doing in real time:

"tail -F ~/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*" 

 

Doing what n_leechi suggested of removing the entire profile and adding it back is solving the loop issue even though it's removed. What I haven't tested is how it's affecting people who signed in different ways.


Also do not disable the device in Entra. It will prevent the users from using any products that use the IDP. Deleting seems to be the better solution. 
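An added check, not from the thread or from Jamf/Microsoft, that parses the user-state token from `app-sso platform -s` output so a fleet admin can flag Macs still reporting POUserStateNeedsRegistration. Only the two state names come from the post above; the surrounding output format and the sample output are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: classify a Mac's Platform SSO user state
# from `app-sso platform -s` output so stuck-in-registration Macs can be reported.
# Assumption: the output contains a POUserState* token as quoted in the post;
# the rest of the output format is not documented here.

psso_state_from_output() {
    # Return the first POUserState* token found, or "unknown" if none.
    local token
    token=$(printf '%s\n' "$1" | grep -o 'POUserState[A-Za-z]*' | head -n 1)
    printf '%s' "${token:-unknown}"
}

psso_needs_attention() {
    # Exit 0 (true) when the state is the one the post says never clears.
    case "$(psso_state_from_output "$1")" in
        POUserStateNeedsRegistration) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs for offline use (not captured from a real Mac).
SAMPLE_LOOP='Platform SSO status
user state: POUserStateNeedsRegistration (2)'
SAMPLE_OK='user state: POUserStateNormal'

# On a real Mac, run with --live to print a Jamf extension-attribute style result.
if [ "${1:-}" = "--live" ]; then
    live_output=$(app-sso platform -s 2>&1)
    printf '<result>%s</result>\n' "$(psso_state_from_output "$live_output")"
else
    printf 'sample loop state: %s\n' "$(psso_state_from_output "$SAMPLE_LOOP")"
    printf 'sample ok state: %s\n' "$(psso_state_from_output "$SAMPLE_OK")"
fi
```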

 


n_lecchi
  • Author
  • Contributor
  • March 25, 2024

Based on my testing with different environments and assistance from Jamf support, here is what I learned:

Problem
On Macs with Company Portal 5.24+ and PSSO enabled, users are prompted to register in Entra ID.

How to turn off the registration notification:

1. Remove the SSOe profile.
2. Disable PSSO in the SSO Extension profile.
3. Reinstall the SSOe profile without PSSO.

  

Manage device compliance registration (3 different scenarios):
1. If the end user entered his credentials in the PSSO window, he probably lost the WPJ key and needs to re-register for device compliance.

2. If the end user attempted to register before the PSSO settings were removed and the WPJ key is still present, they will need to manually delete the WPJ key, delete multiple records in Entra ID, and then register again.

3. If the end user has not attempted to re-register with PSSO, he only needs to try logging into a managed application after restarting the Mac. Perhaps he needs to re-register with device compliance.

 

This is not official information and may not cover all scenarios, but is just information based on my experience in these few days after the Company Portal upgrade.


rabbitt
  • Valued Contributor
  • Answer
  • March 25, 2024

For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]


ath3rs
  • New Contributor
  • April 4, 2024

> For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]


Hey, this link no longer exists. Any ideas where this has gone? Thanks


DMH2000
  • Valued Contributor
  • April 4, 2024

> Hey, this link no longer exists. Any ideas where this has gone? Thanks


@ath3rs Try this:  https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/


rabbitt
  • Valued Contributor
  • April 4, 2024

> Hey, this link no longer exists. Any ideas where this has gone? Thanks


Updated link.  Thank you.  


  • Contributor
  • April 5, 2024

We've followed the blog but are now faced with users' devices appearing fine but not passing their device info through to Conditional Access, so they are getting blocked. The only way to fix this appears to be a complete cleanup of Workplace Join and re-registration. Is anyone else having this issue?


DMH2000
  • Valued Contributor
  • April 5, 2024

@Rolden Here is what we are doing:

  1. Make sure user is off any VPN connections
  2. Make sure user has no updates pending as Profiles will not install if they are
  3. Delete Entra Joined object out of Entra
  4. Re-register Intune Integration
  5. Remove from SSO profile without signing out of Company Portal
  6. Repush the SSO profile
  7. Then sign out of Company Portal SSO and sign back in

This removes any Entra objects, registration creates a new Entra object, and removing/adding the SSO profile refreshes Company Portal.


  • New Contributor
  • June 25, 2024

JAMF and Microsoft have fixed most of the bugs and the Secure Enclave is successful now. The best part is Google Chrome works with passwordless authentication. We still recommend this on test devices only.