@rabbitt - I'm going to go ahead and get this out of the way - We still AD Bind.   (hangs head in shame).

But, I've been looking to convince management to get away from this for a while.  After JNUC and hearing your session (awesome session BTW), management decided to get some Jamf Connect licenses and start looking at PSSOe.  The problem I'm running into is that we seem dead set on not allowing just anyone the capability to register in Entra.  We have it restricted to a small group of employees.  That means I'll have to touch every single machine.
Do you have any advice on how I can accomplish this easily or how to convince management to open it up?  Their concern is that we've had a bunch of personal devices register in our tenant and this was presented as the way to stop that.

Thanks!

Check your Entra Conditional Access policies around session duration.  Also this is one where getting MS support in is 1000% the right answer.  You're paying them for the service, so... :) 

With PSSO in Secure Enclave key authentication mode, the workspace join certificates are removed from the user's keychain and stored instead in the Secure Enclave of the device.  This effectively makes the key non-exportable and hardware bound.  The workspace join key should not be relied on for things like network access.

If you're using PSSO with Microsoft in Secure Enclave key authentication mode, there should be no MS-Organization-Access certificate in the user keychain at all, so I'm confused by the question.

I think you less have an issue with registering devices in Entra as much as registering personal devices into Jamf Pro.  The PSSO payload needs to come down from an MDM here to work, so we know the device would be enrolled in Pro.  Perhaps limit registration of devices to only those coming through Apple Business Manager?  Perhaps add in the (in private beta preview, so talk to your Jamf AE) Network Relay with an ACME certificate new to Jamf Connect ZTNA.  That would give you a machine authenticity attestation from Apple with the ACME cert to prevent serial number spoofing.

I'm not sure I exactly follow.  We have zero Jamf Cloud BYOD, so that's not an issue.  Everything is ASM and PreStage.  However, we have so many personal devices showing up in Entra that management is pulling everything back to try to stop devices from registering with our tenant.

Running into the same limitation as you-- there doesn't seem to be a way to automate registering these devices using Jamf, so to register them, the user has to have permission to join devices to Entra-- which includes personal windows devices, which don't need anything pushed from an MDM to join. If you find a solution to this I'll be curious to know as our org is in the same boat right now. 

@rabbitt , thanks for posting this very helpful information.
We are facing some similar inconsistencies with our test deployment of PSSOe with password sync on Jamf Pro Cloud Version11.10.1-t1728656858, using Company Portal Version: 5.2409.1 (53.2409926.002) and a signed config profile created in iMazing. We were experiencing some issues with the profile created in the Jamf UI, the session duration key value was being manipulated so, we went to a signed profile and didn't set that value, taking the default. We've still been experiencing what I would call a "drift" where, initially, things seem to work fine. After logging in, SSO works and the tokens are read, website and apps seamlessly connect as expected. Then after a few days or so, it may start with Teams displaying a banner that you need to sign in. Other sites that were previously, silently passing the SSO token, were prompting for login credentials and MFA. Our testing with SecureEnclave was must smoother but, due to our environment and culture at the time we have to start with password sync. I've tried to capture some logs using unified logging and some predicates but, I'm not sure what's "normal noise" or what's actually an error. Additionally, a line in the output of the app-sso platform -s command has been getting my attention but, I'm not sure if it's actually an error or if it's just describing what would be output in the event of that type of error. Under the "Login Configuration" section there is a key-value pair with the following:

"invalidCredentialPredicate" : "error = 'invalid_grant' AND suberror != 'device_authentication_failed'",

1. Any thoughts on the "drift" for Microsoft applications and sites that were previously taking SSO tokens prompting for credentials? (I saw your response to "wlumley" and we'll be checking with our Identity & Access folks regarding a conditional access policy if it exists or not.

2. Do you know of any good log predicates that may be of value to stream or look up when troubleshooting PSSOe w/ password sync?

3. Have you heard of or had any experiences with the Jamf UI when creating config profiles changing some values of the keys?

I think this particular one should have the wording changed and that might fix the issue since the key takes seconds but, the interface uses

resulted in:

So, the value entered in the UI was multiplied by 3600. The UI should say to enter the number of hours but, we got an error when entering "1". After this we didn't populate that key but, it still did not affect the issues we've been experiencing.

Forgot to post:
Here's what our current config looks like on the device:

Also, replace "session duration key" with "login frequency" woops.

Also observed the banner for Teams asking to sign in again. Saw earlier this week, but not today. Maybe an update or something came out for Teams.

¯\\_(ツ)_/¯ I had been trying to find a log from Teams that even displayed the banner's text with a timestamp, to attempt to correlate it with some other events but, I was unsuccessful.

We've decided to switch to SecureEnclave. During my journey down the rabbit hole of Platform SSO logs I came up with a few variations on a predicate that gave some insight into the problem.

Silent token refresh attempt results
log show --style compact --predicate '(subsystem contains [c] "AppSSO Extensi" or subsystem contains [c] "com.microsoft.ssoextension" or subsystem = "com.apple.AppSSO") and (eventMessage contains "_finishAuthorization:withCompletion:" or eventMessage contains "authorization:didCompleteWithError:")' --debug --info

You can play with variations on this predicate to see some interesting things. The subsystems listed were the ones I found mostly related to SSO. I also looked at keychain and device unlock logs with variations on this predicate. I was able to compare my experience on an Intune managed device running password sync vs our Jamf managed devices. The Jamf implementation at this time seems to have some bugs around the silent refresh. Not surprisingly, the Intune implementation for both password sync and SecureEnclave were both smooth.

The above predicate only showed successful results on my Intune managed device.

when we tried to use smart card method we are getting below error but we are trying to use Yubikey as smart card, why it is not detecting.

@rabbitt I followed the steps in this article to get PSSO working with the device compliance integration with Azure. Everything goes smoothly, but after registering the device with Azure I do not see the compliant attribute update in Azure.  When I run the gatherAADInfo command I receive a message that states No Azure tenant setup.  When I check the com.jamfsoftware.jamf.plist file I can see no Azure info is present.  At the recommendation of another user on JamfNation I ran sudo jamf manage.  Once I did this all the Azure info populated in the Jamf preference file. I then ran the gatherAADInfo command again and it ran properly and sent the compliance info to Azure. I thought this may have been a fluke so I setup another device and experienced the same results.  It appears I can only get device compliance to work by manually running sudo jamf manage and gatherAADInfo. My workflow to setup a test device is as follows:

1. Install macOS and all applicable apps on a new device, including Company Portal v5.24.09.1


2. The device is enrolled in Jamf using a Prestage (Jamf Pro v11.10.2)


3. Once enrolled all profiles are installed including the PSSO profile, using Secure Enclave as the authentication  method


4. I login to the device as the test user.  FileVault is enabled and proceeds to the Desktop where I receive a notification to register the device with Azure


5. I complete the steps to register with Azure. Once complete I verify PSSO is enabled by checking System Settings > Users & Groups. Registration and Tokens are both good and the Mac SSO Extension reports as registered.


6. After waiting a while to see if device compliance is reported to Azure I check the Jamf preference file and see no Azure Info.


7. I manually run sudo jamf manage and gatherAADInfo


8. Device compliance is reported

Am I missing a step in my workflow to make device compliance work on its own?

Has anyone come across the macOS notification ignoring the Display Account Name value?

I have PlatformSSO working and can register fine but only Teams, OneDrive and Edge seem to work with the SSO. Outlook, word etc all need manual log in still. Am I missing something in the setup?

Awesome! Thought I had missed something so glad to hear I wasn't going mad! Thanks!

PSSO configuration profile is working but I have not has sucess in using the 

At this time, keys that are not explicitly called out to be set in the configuration profile are not supported by Microsoft.  For privilege access management, I would highly recommend using a tool like Jamf Connect or the SAP-Enterprise-Privileges app.

Oh,  I'm not able to deploy this if I can not restrict workstation logins to departmantal group members.  Giving the entire University access to to our devises is not a risk we can accept.  I will re-address the posibility of Purchasing Jamf Connect but I'm guessing we will be stuck with binding to AD untill microsoft updates the Company portal to address these keys.

We are testing the PSSO with the Secure Enclave method.

When setting the Account Authorization Type as Standard in the PSSO configuration, we've observed that post-registration, Mac local user accounts with Admin access are downgraded to Standard user accounts.

Conversely, when utilizing Account Authorization Type as Admin in the PSSO configuration, we've noted that post-registration, Mac local user accounts with Standard access are elevated to Admin accounts.

wherein user accounts are not inadvertently changed from Admin to Standard or vice versa. any hints on this?

I'm still just testing for now, but so far, this seems to work well for us. We are using the password option. We want to synchronize the Mac local login password with Microsoft Entra ID. Does anyone know if users receive an alert when their password is nearing expiration? Our current in production SSO extension does this and there's an option from the menubar to change the password. For this solutiong using the Company Portal app, there is no menubar app.

Do people receive an alert: Nope.  In fact, it is possible a user may need to change their password if expired on a second device before getting into the Mac.  If you're enforcing passwords and there's a network connection, you could lock users out of their Macs in all new and interesting ways.  (I'd recommend not deploying the password sync without a grace period config on Sequoia.)

Your prod option is grabbing the password expiration from the domain controller via a Kerberos ticket.  Depending on your IDPs configuration, it could be cloud based (IDP knows when the password would expire, but there's no part of the OIDC spec to pass that info to the client device), or it could be mastered by another IDP or an on-premises AD.  In that case, the cloud IDP has no idea when the password expires and can't pass the info along.

feedbackassistant.apple.com will be your friend here. :)