We are trying to fine tune our SSO experience on our macOS devices.
Our JAMF Connect application is working fine but we are unable to get SSO working for Safari/Chrome/Edge etc.
We have found the following article:
We have installed the Microsoft company portal app on our test device and deployed a Single-Sign On Configuration Profile to the test device and configured it as per Microsoft documentation in the above link.
We are not sure if the required custom configuration is applying correctly as the documentation states we need to add the following key pairs for it to work.
Value: 1 or 0
Value: 1 or 0
We have done a test on a Mac which is Intune enrolled only and have used Intune to deploy the Single Sign On config profile, and it works a treat.
Opening Safari and going to office.com automatically shows the user signed in and we can simply click on it to log on.
On our JAMF enrolled device we still get prompted for a username and password.
We are using pure Azure AD and not using Kerberos.
Any advice or information would be greatly appreciated.
We were hoping not to have to configure the Conditional Access in JAMF; from what we understand, the Company Portal simply needs to be installed on the device for the extension.
@nelsoni, have you managed to get it to work without the Conditional Access? If so, please could I pick your brain on how you have managed to get it to work? I have spent hours of research and testing and have still been unable to get it to work.
I have attached images of my config profile setup
@nelsoni thank you for your replies. I have deleted my SSO Extension profile in JAMF and re-created it again just in case there was something wrong with it. I'm still not getting it right :-(
I'm testing on Big Sur, Jamf Connect installed and appears to be working, have deployed the SSO Extension profile and then manually installed the Company Portal app, have not touched the Company Portal app after installing it.
The only profiles are the Jamf Connect and SSO Extension profiles and then the Microsoft AutoUpdate config; otherwise we are testing vanilla.
Was there anything in Azure that you needed to do?
I must be missing something. Please can you let me know the steps you have followed to get it working.
This is what I see when trying to log in to office.com via Safari.
That screenshot looks good. You have to log in at least once, and that popup window is the Company Portal doing the brokerage between Safari and Azure. Once you log in, the Company Portal should pass the token to each other app that needs to authenticate.
From my testing and seeing deployments done by Apple themselves, there has to be at least one login performed. Not sure how you got it to carry over from just an initial login from the Mac's login window.
I've been testing this config and was able to have Zscaler take the credentials from an Intune enrolled test device (leveraging the JAMF\Conditional Access Intune enrollment).
Although Safari just shows a blank screen when getting to a login page that should take AzureAD creds.
Chrome and Outlook don't appear to be affected by the SSO config, as they just show the usual AzureAD login prompts.
Anyone else make any progress with this config?
I'm doing the same as in the screenshots except I am using the following for my plist.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppAllowList</key>
    <string>com.zscaler.Zscaler, com.apple.Safari, com.microsoft.Outlook, com.google.Chrome, com.mozilla.firefox</string>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.</string>
    <key>Browser_SSO_Interaction_Enabled</key>
    <integer>1</integer>
    <key>Disable_Explicit_App_Prompt</key>
    <integer>1</integer>
</dict>
</plist>
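Since several posts above are unsure whether the ExtensionData keys are actually landing on the device, here is a small checker (added here as an example, not from any post in this thread or from Microsoft/Jamf) that parses such a plist and reports missing keys, wrong value types, flag values outside 0/1, and the bundle IDs the allow list grants. It assumes the key names and types shown in the plist above; the embedded sample is a constructed copy of that plist, and on a real machine you would feed it the exported ExtensionData instead.

```python
import plistlib

# Constructed sample: the ExtensionData plist posted above, embedded so the
# checker runs offline. Swap in the bytes of a real exported payload to test it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppAllowList</key>
    <string>com.zscaler.Zscaler, com.apple.Safari, com.microsoft.Outlook, com.google.Chrome, com.mozilla.firefox</string>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.</string>
    <key>Browser_SSO_Interaction_Enabled</key>
    <integer>1</integer>
    <key>Disable_Explicit_App_Prompt</key>
    <integer>1</integer>
</dict>
</plist>
"""

# Key names and value types as they appear in the plist posted in this thread
# (assumption: adjust if your profile uses different key spellings).
EXPECTED = {
    "AppAllowList": str,
    "AppPrefixAllowList": str,
    "Browser_SSO_Interaction_Enabled": int,
    "Disable_Explicit_App_Prompt": int,
}


def check_extension_data(raw: bytes) -> dict:
    """Parse an ExtensionData plist and report missing keys, wrong types,
    integer flags outside {0, 1}, and the bundle IDs the allow list grants."""
    data = plistlib.loads(raw)
    findings = {"missing": [], "wrong_type": [], "bad_flag": [], "allowed": []}
    for key, typ in EXPECTED.items():
        if key not in data:
            findings["missing"].append(key)
        elif not isinstance(data[key], typ):
            findings["wrong_type"].append(key)
        elif typ is int and data[key] not in (0, 1):
            findings["bad_flag"].append(key)
    # AppAllowList is one comma-separated string; normalise whitespace and
    # drop empty or duplicate entries so the granted set is easy to review.
    raw_list = data.get("AppAllowList", "")
    if isinstance(raw_list, str):
        seen = []
        for item in raw_list.split(","):
            ident = item.strip()
            if ident and ident not in seen:
                seen.append(ident)
        findings["allowed"] = seen
    return findings
```

Empty `missing`, `wrong_type` and `bad_flag` lists mean the payload carries the expected keys; a bundle ID absent from `allowed` is an app the extension was never told to broker for.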
I'm also having problems getting the SSO to work after following the directions listed here. https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin.
From Hobbs155's screenshot, there is a Custom Configuration using the com.microsoft.CompanyPortalMac.plist. Can anybody here who has this working share their plist and advise where the file should be stored (Jamf Pro and/or end-user machine)?
Thank you in advance!