@SMR1 Whoever set that up went overboard. The Kerberos SSO tool should automatically re-generate the TGT when needed. Try disabling that SSO policy and see if was truly required.

When we disable that policy, the SSO doesn't always reconnect. We had some test devices where we removed it, but when users were coming in to the office and connecting to LAN or moving to and from wifi, the SSO wouldn't always connect so we would run the SSO policy from self-service to connect it back.

Are you using Entra ID or on-prem AD? I realized the Single Sign-On Extension config you posted is set to use an SSO payload rather than a Kerberos payload, and the latter is what we're using for on-prem AD.

Entra ID

That explains the difference, and I can't offer any guidance on that yet (it'll be a learning experience for me next year so I'll just grab some 🍿 and add this 🧵 to my watchlist).

I'll update this when I get an answer.

Here is part of the log I shared with Jamf last year and what they said.

On What trigger and frequency this policy is running, it might be the case that this policy keep on executing and doesn't allow other policies to run, Once you restart the device it Kills the JAMF Service

As I mentioned above, the policy runs on a network change. The policy does it's job and reconnects the SSO, but causes an issue with the management framework. When the issue does happen, the only policy that will run is the SSO one.

Thought I would check our sso policy. We have 495 Mac's. Since we've had that policy in place it's ran 544,425 times.