
End User Experience





Secure Enclave

After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register.  The message can be customized with the configuration profile value of “Display Account Name”.  In this example, the Display Account Name was set to “Jamfse.io Entra ID”.




The user is then prompted for their local macOS UNIX account password.  This is used to confirm that the user is present and actively using the device.



The next step requires the user to authenticate with a strong credential, such as a security key or a Passkey enabled on another device.  Other supported methods include push notification with number challenge.





Upon completion, the user is shown instructions to set up the device as a Passkey provider for Microsoft Entra ID.




The user must either dismiss the dialog or open System Settings and remember the path to the required setting: Passwords, enter the local user password if prompted, Password Options, "Use passwords and passkeys from", and then enable the Company Portal app.






Users can confirm the state of the Secure Enclave backed key by opening System Settings, Users & Groups, and selecting the "i" next to their account.  Platform Single Sign-on status shows the login, the method, the state of device registration, and whether SSO tokens are currently present for obtaining authorization to further services gated by Entra ID.



Password

After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register their user account to log into their Mac with their identity provider password.  This message cannot be customized.


The user is then informed as to what changes will happen to their user account.  The user is prompted for their local macOS UNIX user account password.  This is used to determine user presence at the device.



The user is then prompted to authenticate to the identity provider.  The login screen can be customized in Entra ID settings.



The user will be prompted to enter their Microsoft Entra ID credentials.  The tenant is shown as the value entered in Display Account Name in the configuration profile.



In macOS Sonoma, the user is not presented with a confirmation of the completion or success of this registration.  To confirm registration, open the System Settings app and navigate to Users & Groups and select the currently logged in user.



The user is now blocked from changing their local account password.  Registration shows the status of the device registration with Entra ID.  Tokens indicates whether there are current SSO tokens cached for further logins to applications and cloud resources gated by Microsoft Entra ID.





Hi Rabbitt,

As per the details I am able to register the device but am still facing the password sync issue.

If I log out or restart and try to use my Entra password, it is not allowing me to login; only the local password is allowed to access the device. If you have any reference or any suggestion, then let me know.

SSO Tokens:

Received: 2025-08-11T14:05:59Z

Expiration: 2025-08-25T14:05:58Z (Not Expired)


You have used Secure Enclave; Password Sync will happen only if you use Password as the authentication type.


Hello @rabbitt,

I'm writing to inquire about a Platform SSO issue I've encountered. I've successfully configured PSSO and am able to register devices, however, the login frequency setting in my payload—which is set to 24 hours—does not appear to be enforced.

Do you have any insight into why the login frequency is not being applied as expected?


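The two replies above (password sync only with the Password authentication method, and a login frequency that is not enforced) both come down to values in the PlatformSSO dictionary of the profile. The following added example, not code from the article or from Jamf or Microsoft, parses a constructed PSSOe profile and reports those settings; the Microsoft extension identifier, the sample display name, and the 3600-second minimum for LoginFrequency are assumptions, and the key names follow Apple's ExtensibleSingleSignOn payload.

```python
import plistlib

# Constructed sample (not a real tenant): a PSSOe configuration profile as a
# plist. Keys follow Apple's ExtensibleSingleSignOn payload; the Microsoft
# extension identifier and the AccountDisplayName value are assumptions.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "Type": "Redirect",
        "PlatformSSO": {
            "AuthenticationMethod": "UserSecureEnclaveKey",
            "AccountDisplayName": "Jamfse.io Entra ID",
            "LoginFrequency": 24,  # written as hours, but the key is in seconds
        },
    }],
})

MIN_LOGIN_FREQUENCY = 3600  # assumed documented minimum (one hour), in seconds


def review_psso_profile(profile_bytes):
    """Parse a profile and return findings about its PlatformSSO settings."""
    profile = plistlib.loads(profile_bytes)
    findings = {"display_name": None, "auth_method": None,
                "password_sync": False, "login_frequency_ok": None, "notes": []}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue
        psso = payload.get("PlatformSSO")
        if psso is None:
            findings["notes"].append("extensible SSO payload has no PlatformSSO dict: PSSO is not enabled")
            continue
        findings["display_name"] = psso.get("AccountDisplayName")
        method = psso.get("AuthenticationMethod")
        findings["auth_method"] = method
        # The local password only tracks the IdP password with the Password method;
        # UserSecureEnclaveKey leaves the local password independent of Entra ID.
        findings["password_sync"] = method == "Password"
        if method != "Password":
            findings["notes"].append(f"AuthenticationMethod is {method}: local password will not follow the Entra ID password")
        freq = psso.get("LoginFrequency")
        if freq is not None:
            ok = isinstance(freq, int) and freq >= MIN_LOGIN_FREQUENCY
            findings["login_frequency_ok"] = ok
            if not ok:
                findings["notes"].append(f"LoginFrequency {freq!r} is below {MIN_LOGIN_FREQUENCY}; the key is in seconds (24 hours = 86400)")
    return findings


if __name__ == "__main__":
    for key, value in review_psso_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

Run it against an exported profile by replacing SAMPLE_PROFILE with the file's bytes; any note in the output points at a setting to compare against the observed behavior on the Mac.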