Question

Transitioning from Jamf Connect to Platform SSO: Handling "orphan" local accounts?

  • April 5, 2026
  • 1 reply
  • 250 views

avagrace

Hi everyone,

With the release of Jamf Pro 11.26 and the improved support for Platform SSO (PSSO) simplified setup, we’re looking at moving away from our traditional Jamf Connect / Login Window workflow.

However, I’m running into a bit of a "Day 2" management hurdle. For our existing fleet that already has local accounts created via Jamf Connect, I’m finding that enabling Platform SSO via a configuration profile sometimes results in "orphaned" or duplicate-feeling login experiences if the local shortname doesn't perfectly match the Entra ID/Okta attribute.

Has anyone found a clean way to "link" existing local accounts to Platform SSO without having the user go through a full profile rebuild? Also, are you seeing any issues with FileVault recovery keys not rotating properly once PSSO takes over the password sync duties?

I’m trying to avoid a scenario where I have to ask 500 users to manually "Repair" their account sync. If you’ve scripted a migration path or have a clever Extension Attribute to track "PSSO Enrollment Status," I’d love to see how you’re handling it!

Cheers!

1 reply

  • New Contributor
  • April 6, 2026

I’d be careful treating this as a pure “turn on PSSO and it links itself” migration. In my experience, the cleanest rollouts come from first normalizing the local shortname / identity mapping you want PSSO to land on, then using PSSO registration state as a separate checkpoint.

This write-up was a useful reference for me because it lays out the user-authorization and account-linking side pretty clearly: Mac Platform SSO & Apple User Authorization Policy

If your existing Jamf Connect-created shortnames don’t line up with the Entra/Okta attribute you want PSSO to use, I’d expect edge cases until you fix that mapping first.
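
Added example, not part of either post and not Jamf or Apple code: a pre-flight audit that follows the order suggested in the reply, checking each Mac's local shortname against the identity it should map to before that Mac is scoped for Platform SSO. It assumes a CSV export with the hypothetical columns `serial`, `local_shortname` and `idp_upn`, and assumes the target account name is the lowercased UPN prefix; change `expected_shortname` to whatever attribute your PSSO configuration actually uses.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory export (hypothetical columns, not a Jamf Pro format).
SAMPLE = """serial,local_shortname,idp_upn
C02EXAMPLE01,jdoe,jdoe@example.com
C02EXAMPLE02,JDoe,jdoe@example.com
C02EXAMPLE03,john.doe,jdoe@example.com
C02EXAMPLE04,asmith,asmith@example.com
C02EXAMPLE05,asmith,a.smith@example.com
C02EXAMPLE06,,bnguyen@example.com
"""

def expected_shortname(upn: str) -> str:
    """Assumption: PSSO should land on the lowercased UPN prefix."""
    return upn.strip().split("@", 1)[0].lower()

def classify(local: str, upn: str) -> str:
    """Compare one local shortname with the name derived from the IdP attribute."""
    local, want = local.strip(), expected_shortname(upn)
    if not local or not want:
        return "missing-data"   # no local account recorded, or no IdP value
    if local == want:
        return "match"
    if local.lower() == want:
        return "case-only"      # differs only by case; review separately
    return "mismatch"           # normalize the mapping before enabling PSSO

def audit(text: str):
    """Return (rows, counts); each row is (serial, status, local, expected)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        status = classify(r["local_shortname"], r["idp_upn"])
        rows.append((r["serial"], status, r["local_shortname"],
                     expected_shortname(r["idp_upn"])))
    return rows, Counter(status for _, status, _, _ in rows)

def ready_serials(text: str):
    """Macs whose shortname already matches: candidates for the first PSSO scope."""
    return [serial for serial, status, _, _ in audit(text)[0] if status == "match"]

if __name__ == "__main__":
    rows, counts = audit(SAMPLE)
    for serial, status, local, want in rows:
        print(f"{serial}  {status:<12}  local={local or '-'}  expected={want}")
    print(dict(counts))
```

Everything outside the `match` bucket is the population where the "orphaned" or duplicate-feeling experience from the question is most likely, so it is the list to remediate before the configuration profile is scoped to those machines.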