Partner Compliance - Google Chrome asking to use Microsoft Workplace Join Key

We are testing enrolling Macs in to Microsoft Partner Compliance to enforce Conditional Access policy. For the most part, the process is smooth to enroll and we have not seen too many issues.

However the one issue, that will be a user concern, is when a user goes to a Microsoft site (like Outlook on the web), they are prompted by macOS to allow Google Chrome to use the Microsoft Workplace Join Key from the Keychain.

Edge and Safari use this key automatically, which makes sense being Apple & Microsoft. I tried adding com.google. to my SSO extension, like i have for Apple, Microsoft, and Jamf, but that doesn't seem to work. (See Below)

Is there anyway that I can automatically allow Chrome to use this WJK?

<?xml version="1.0" encoding="UTF-8"?>

<plist version="1.0">

<dict>

    <key>AppPrefixAllowList</key>

    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.,com.google.</string>

    <key>browser_sso_interaction_enabled</key>

    <integer>1</integer>

    <key>disable_explicit_app_prompt</key>

    <integer>1</integer>

</dict>

</plist>

Page 1 / 1

@Tribruin Try adding this to your com.google.Chrome configuration settings:

    <key>AutoSelectCertificateForUrls</key>

	<array>

		<string>{"pattern":"https://device.login.microsoftonline.com","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}</string>

		<string>{"pattern":"https://enterpriseregistration.windows.net","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}</string>

	</array>

Sorry, I should have mentioned that I have profile deployed and that fixes the user being required to select the certificate, but they still have to allow Chrome to accept it.

For Chrome, you will need to install the Microsoft Single Sign on Extension.

https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en

It works pretty well but every so often we see a cached site that asks to select the cert. Usually clearing the cache resolves the issue.

Sorry, I should have mentioned that I have profile deployed and that fixes the user being required to select the certificate, but they still have to allow Chrome to accept it.

Are they getting a prompt that says Chrome is asking permission to export it and asking for the login keychain password? If so that's going to require the user responding with their login password and clicking Always Allow.

The upcoming Google Chrome 134 version by default supports this, We don't need to install the SSO Extension.

That is what I understod as well, but I am still getting the prompt to use the WJK when attempting to access Microsoft resources via Chrome with v134. How are you configuring this?

Maybe they pushed to v135 from their release notes...

https://support.google.com/chrome/a/answer/7679408?sjid=6152935147853255882-NA#top

Upcoming Chrome Enterprise Core changes

Apple Extensible SSO support for Chrome on macOS

Chrome 135 on macOS will enable seamless authentication for identity providers that are enabled via an OS-configured Enterprise Single Sign On (SSO) extension. For this initial release, it will allow end users on managed browsers to sign in to any Microsoft Entra-authenticated resources without the need to enter any credentials. Extensible SSO needs to be pre-configured in your environment and deployed with its respective enterprise device management solution. Additional identity providers might be supported in the near future.

As early as Chrome 135 on macOS

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded