Question

Using IdP/SSO on Automated Enrollment with Jamf Pro

  • February 16, 2026
  • 4 replies
  • 145 views

KeremDurdabak

Hi, I have a scenario where I want to use Entra ID during Automated Enrollment to authenticate end users and ensure Entra ID is the single source of truth for users and groups. I was also wondering whether it would be possible to automatically create local accounts based on Entra ID.

From what I have read, this is only possible with Jamf Connect. However, I've also heard that Jamf Pro has some IdP/SSO capabilities during enrollment, and I'm trying to understand what can actually be achieved using Jamf Pro alone. If anyone with Jamf Pro expertise could clarify, I would greatly appreciate it. Thanks!

4 replies

  • New Contributor
  • March 13, 2026

From what I’ve seen, there isn’t a “Jamf Pro IdP SSO” step you can insert *during* ADE/PreStage itself — the login experience in Setup Assistant is basically governed by Apple’s enrollment flows.

If you’re trying to get IdP-backed sign-in at first boot, the two common patterns are:

1) Apple Enrollment SSO (Setup Assistant authentication) using Managed Apple IDs (often federated with your IdP). This is the only path that really shows an IdP-style sign-in inside the Apple enrollment flow.

2) If you want users authenticating with your IdP *after* enrollment, use something like Jamf Connect (login window) and/or Platform SSO (Entra/Okta) once the device is enrolled and profiles/extensions are installed.

If you share which IdP you’re targeting (Entra/Okta/Google/etc), what exact screen you want to appear (Setup Assistant vs login window vs browser SSO), and whether you’re using federated Managed Apple IDs, people can usually point to the right supported path.


  • New Contributor
  • March 13, 2026

One extra reference that helps explain the “post-enrollment” side of the flow (Platform SSO style):

Enforcing Azure AD SSO at macOS Login

Even if you end up using Apple’s Enrollment SSO in Setup Assistant, this is useful for setting expectations around what’s realistic once the device is enrolled and profiles/extensions are in place.


  • New Contributor
  • March 17, 2026

Yep — the “Jamf Pro only” answer is mostly about *what screen* you’re trying to change.

- **During Setup Assistant / Automated Enrollment:** your levers are basically Apple’s enrollment flow + (optionally) Enrollment SSO with federated Managed Apple IDs.

- **At the macOS login window / ongoing identity:** that’s where you typically need **Jamf Connect** *or* **Platform SSO** (macOS-native) if your goal is “Entra is the source of truth” + local account provisioning/password sync.

If you want to explore the Platform SSO route (Entra-backed auth once the Mac is enrolled and profiles/extensions are installed), this is a decent overview of the prerequisites + what it can/can’t do: Apple Platform SSO Policy


  • New Contributor
  • March 19, 2026

One nuance that tripped me up early on: **Platform SSO (macOS-native)** is a *post-enrollment* story — you won’t get an Entra “web login” experience *inside* Setup Assistant unless you’re doing Apple’s Enrollment SSO / federated Managed Apple IDs.

If your goal is “IdP is the source of truth + local password changes flow from IdP,” Platform SSO + Apple User Authorization controls can get you pretty close once profiles/extensions are in place. This write-up is a decent overview of the moving pieces and the user experience: [Mac Platform SSO & Apple User Authorization Policy](https://help.swif.ai/en/articles/13613846-mac-platform-sso-apple-user-authorization-policy)
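
As an added example (not part of any reply in this thread, and not Jamf or Apple code): a small Python check that reads a configuration profile and flags Platform SSO settings that matter for the "local accounts from Entra ID" goal discussed above. The sample profile is constructed, and the key names are assumed to match Apple's `com.apple.extensiblesso` payload with its `PlatformSSO` dictionary.

```python
import plistlib

# Constructed sample profile (not from the thread). Key names are assumed to
# follow Apple's com.apple.extensiblesso payload and its PlatformSSO dictionary.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
    <key>PlatformSSO</key><dict>
      <key>AuthenticationMethod</key><string>Password</string>
      <key>EnableCreateUserAtLogin</key><true/>
      <key>NewUserAuthorizationMode</key><string>Admin</string>
      <key>UserAuthorizationMode</key><string>Standard</string>
    </dict>
  </dict></array>
</dict></plist>"""

def platform_sso_settings(profile_bytes):
    """Return the PlatformSSO dict of the first extensible SSO payload, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.extensiblesso":
            return payload.get("PlatformSSO")
    return None

def audit(profile_bytes):
    """List findings relevant to IdP-driven local account creation and privilege."""
    psso = platform_sso_settings(profile_bytes)
    if psso is None:
        return ["no PlatformSSO settings in this profile"]
    findings = []
    # Creating accounts at the login window depends on shared device keys.
    if psso.get("EnableCreateUserAtLogin") and not psso.get("UseSharedDeviceKeys"):
        findings.append("EnableCreateUserAtLogin set without UseSharedDeviceKeys")
    # Least privilege: flag modes that make IdP users local administrators.
    for key in ("NewUserAuthorizationMode", "UserAuthorizationMode"):
        if psso.get(key) == "Admin":
            findings.append(f"{key} is Admin: IdP users become local admins")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Run it against an exported `.mobileconfig` by passing the file's bytes to `audit()`; an empty list means none of the three checks fired.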