08-10-2022 05:10 AM - edited 08-10-2022 05:23 AM
Hello community,
we are using SSO via Microsoft Asher® AD.
Now, we changed our Cisco Webex® to SSO, too. On our Windows Clients, SSO for Cisco Webex® is working, but not on our Mac® clients.
I configured a configuration profile and a plist in Jamf Pro® for SSO with "Single Sing-On Extensions SSO for the Mircrosoft Office® applications is working well, but not for Cisco Webex® . The (Microsoft® ) logon screen is coming up, but the user credentials (the users email address and his password) are not automated filled. (When the user is starting an office application, like for example Excel®, the credentials will be filled in automatically).
The application "Company Portal.app" is already installed on the Mac® client and the client is registered in MS Intune®.
Is there anyone who can help me for setting up SSO for Cisco Webex® ?
Thank you for your time and answer and
kind regards,
Michael
Posted on 08-10-2022 05:45 AM
As bad as this sounds you may need to reach out to Cisco on this one. In my experiences with managing WebEx on macOS its hot garbage. Cisco has designed WebEx to not respect /Library/Managed Preferences which is where configuration profiles drop.
You can try to manually create the plist, put it in /Library/Preferences, package it up with JAMF and deploy it and see if that works. This is what we do to deploy our OrganizationID and it works well. Though its more so politely asking than managing as a user can just change the value. This is a limitation with WebEx, not MacOS or JAMF.
08-10-2022 07:36 AM - edited 08-10-2022 07:44 AM
Thank you very much for your reply!
I am not sure, if it would be really necessary to create an own plist for SSO for Webex® . Maybe it could be necessary, because there is no official team identifier for Webex® , but I found an identifier called "com.cisco.webex" and some extensions (like for example "meetingmanager") . If I am right, it would be enough, to attach the first part of the - let me say - global team identifier (like "com.cisco.webex.") to the list of allowed applications to the Single Sign-On function, to get the Microsoft® login screen. I did this and it works flawless, but I did not find a way to fill in the user credentials automaticly (its email address and password). The Microsoft® login screen comes up, but the users email address and its password is not filled in. Would this be possible with a separate plist, like you wrote?
Posted on 08-10-2022 07:52 AM
When you deploy a configuration profile, it creates a plist in /Library/Managed Applications. Think of this like GPO making Registry Keys on Windows. .plists are how macOS keeps up with settings, preferences and configurations. The Preference Domain (com.cisco.webexmeetings.config.plist) is how macOS knows what Application the plist pertains to. However, as with most things on macOS apple does not force standards or best practices. Generally speaking an Application should respect a few directories for plists, one of which being /Library/Managed Applications. However, Cisco does not design their products "correctly" for macOS. Because of this Configuration Profiles will not work for WebEx, the application is simply not “listening” for them.
WebEx does have a TeamID, but you would not need it for this.
Cisco is in the middle of shifting products with WebEx, I could see there being more than one preference domain that WebEx is listening to, but I don’t think it is. Either way if it works it works. It stands to reason whatever the key is for Window should be the same key for macOS, but that is assuming Cisco follows and standards themselves.
What does your configuration profile look like?
If you have the right preference domain, its a matter of figuring out what the correct key pair is. Unfortunately only Cisco and answer that, unless someone happens to have already have done this. We keep JAMF and Intune far apart because Azure is an unwieldy beast.
08-12-2022 12:43 AM - edited 08-12-2022 05:00 AM
@AJPinto thank you so much for your reply and your patience.
As I re readed my post above, I recognized, that I confounded something.
We are using Cisco Webex® for telephonie (instead of Jabber® ) and meetings.
I set up a configuration profile for SSO. At this configuration profile, I had to upload a plist file for the settings. In that plist file, there is a parameter for the allowed applications for SSO.
Here is the screenshot:
Here is the plist (to be uploaded for the alowed applications):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.google.Chrome,org.mozilla.firefox,com.cisco.webex.,com.cisco.webex.Cisco-WebEx-Start,</string>
<key>browser_sso_interaction_enabled</key>
<true/>
<key>disable_explicit_app_prompt</key>
<true/>
</dict>
</plist>
When the user is starting Webex, the user have to fill in his email address in the first webex login window. That is ok for us, After he clicked on "continue", the Microsoft® (Single Sign On) Login window appears.
The behaviour is, that the user has to fill in his email address, again and his password to authenticate himself. In our MS Office® applications, these valuables are filled in automated. But in Cisco Webex® , this does not work.
Posted on 06-27-2023 03:42 PM
Got this working just now, using the bundle ID from above, and found on this page: https://collaborationhelp.cisco.com/en-us/article/nw5p67g/Webex-App-%7C-Installation-and-automatic-u...
Here's the AppPrefixAllowList
com.microsoft.,com.adobe.,com.apple.,com.jamfsoftware.,com.jamf.,Cisco-Systems.Spark
Here's the full custom configuration plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.adobe.,com.apple.,com.jamfsoftware.,com.jamf.,com.tableausoftware.tableaudesktop,Cisco-Systems.Spark</string>
<key>Enable_SSO_On_All_ManagedApps</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>