Skip to main content
Question

MacOS 14.1 breaks Microsoft SSO Extension

  • November 2, 2023
  • 3 replies
  • 72 views
D
Forum|alt.badge.img+4

Hi JamfNation,

since the update to macOS 14.1 the Microsoft SSO Extension does not work anymore. Machines with up to 14.0 are doing fine, but 14.1 just breaks it. It doesn’t work anymore in Self Service, in Safari, in the Office Apps (here it goes so far as displaying an error when for example connect to a Data-File, lying on a sharepoint, we had to deactivate the SSO Config Profile there), it seems to be completely broken.

The same goes for iOS / iPadOS 17.1. Did I overlook something I have to adjust with the updates? Is anyone to reproduce this? Is it a bug?

Thankful for any input.

 

Regards

Daniel

    3 replies

    easyedc
    Forum|alt.badge.img+16
    • easyedc
    • Esteemed Contributor
    • November 7, 2023

    I had been having similar problems and went looking through Microsoft's documentation. I noticed that the recommended profile settings here - Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices - had at one point been updated.  When I built the profile for SSO it indicated using explicit bundle ID's but this doc indicates using partial strings, which seems to resolve as a wild card.  Creating a clone SSO config profile and changing the contents of the plist to wild cards seem to have done the trick for me and SSO. Looking to do additional testing, but give it a try on your end. 

    <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>AppPrefixAllowList</key> <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string> <key>browser_sso_interaction_enabled</key> <integer>1</integer> <key>disable_explicit_app_prompt</key> <integer>1</integer> </dict> </plist>

     We're a Zscaler shop and SSO broke in Zscaler when Sonoma came out, but changing it to just com.zscaler. seems to have fixed that for me as well. 

    com.zscaler.

     

    D
    Forum|alt.badge.img+4
    • daniel_blohm
    • Author
    • New Contributor
    • November 7, 2023

    I had been having similar problems and went looking through Microsoft's documentation. I noticed that the recommended profile settings here - Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices - had at one point been updated.  When I built the profile for SSO it indicated using explicit bundle ID's but this doc indicates using partial strings, which seems to resolve as a wild card.  Creating a clone SSO config profile and changing the contents of the plist to wild cards seem to have done the trick for me and SSO. Looking to do additional testing, but give it a try on your end. 

    <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>AppPrefixAllowList</key> <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string> <key>browser_sso_interaction_enabled</key> <integer>1</integer> <key>disable_explicit_app_prompt</key> <integer>1</integer> </dict> </plist>

     We're a Zscaler shop and SSO broke in Zscaler when Sonoma came out, but changing it to just com.zscaler. seems to have fixed that for me as well. 

    com.zscaler.

     


    My PLIST looks exactly like this. But still, no SSO possible. I did some more testing and it is completely traceable to 14.1. With 14.0 it works like a charm and after the update to 14.1 it doesn't. Company Portal is the most recent version.

    markdmatthews
    Forum|alt.badge.img+17

    My PLIST looks exactly like this. But still, no SSO possible. I did some more testing and it is completely traceable to 14.1. With 14.0 it works like a charm and after the update to 14.1 it doesn't. Company Portal is the most recent version.


    Please see under AppAllowList ... Zscaler did change the Identifier Name... example of mine below
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>AppPrefixAllowList</key>
        <string>com.zscaler.</string>
        <key>AppAllowList</key>
        <string>com.zscaler.Zscaler,com.zscaler.zscaler</string>
        <key>browser_sso_interaction_enabled</key>
        <integer>1</integer>
    <key>Enable_SSO_On_All_ManagedApps</key>
        <integer>1</integer>
        <key>disable_explicit_app_prompt</key>
        <integer>1</integer>
    </dict>
    </plist>
    Terms & ConditionsCookie settingsAccessibility statement