Cisco Webex single sign-on (SSO)

NOVELLUS
Contributor II

Hello community,
we are using SSO via Microsoft Azure® AD.
Now we have changed our Cisco Webex® to SSO, too. On our Windows clients, SSO for Cisco Webex® is working, but not on our Mac® clients.
I configured a configuration profile and a plist in Jamf Pro® for SSO with "Single Sign-On Extensions". SSO for the Microsoft Office® applications is working well, but not for Cisco Webex®. The (Microsoft®) logon screen is coming up, but the user credentials (the user's email address and his password) are not filled in automatically. (When the user starts an Office application, for example Excel®, the credentials are filled in automatically.)

The application "Company Portal.app" is already installed on the Mac® client and the client is registered in MS Intune®.
Is there anyone who can help me set up SSO for Cisco Webex®?

Thank you for your time and answer and
kind regards,
Michael


4 REPLIES

AJPinto
Valued Contributor

As bad as this sounds, you may need to reach out to Cisco on this one. In my experience with managing WebEx on macOS, it's hot garbage. Cisco has designed WebEx to not respect /Library/Managed Preferences, which is where configuration profiles drop.

 

You can try to manually create the plist, put it in /Library/Preferences, package it up with JAMF, deploy it, and see if that works. This is what we do to deploy our OrganizationID and it works well. Though it's more so politely asking than managing, as a user can just change the value. This is a limitation with WebEx, not macOS or JAMF.

 


@AJPinto 

Thank you very much for your reply!

I am not sure if it would really be necessary to create its own plist for SSO for Webex®. Maybe it could be necessary, because there is no official team identifier for Webex®, but I found an identifier called "com.cisco.webex" and some extensions (like for example "meetingmanager"). If I am right, it would be enough to attach the first part of the - let me say - global team identifier (like "com.cisco.webex.") to the list of allowed applications for the Single Sign-On function, to get the Microsoft® login screen. I did this and it works flawlessly, but I did not find a way to fill in the user credentials automatically (the email address and password). The Microsoft® login screen comes up, but the user's email address and password are not filled in. Would this be possible with a separate plist, like you wrote?

AJPinto
Valued Contributor

When you deploy a configuration profile, it creates a plist in /Library/Managed Applications. Think of this like GPO making Registry Keys on Windows. .plists are how macOS keeps up with settings, preferences and configurations. The Preference Domain (com.cisco.webexmeetings.config.plist) is how macOS knows what application the plist pertains to. However, as with most things on macOS, Apple does not force standards or best practices. Generally speaking, an application should respect a few directories for plists, one of which being /Library/Managed Applications. However, Cisco does not design their products "correctly" for macOS. Because of this, Configuration Profiles will not work for WebEx; the application is simply not “listening” for them.

 

WebEx does have a TeamID, but you would not need it for this.

  • BundleID: Cisco-Systems.Spark
  • TeamID: DE8Y96K9QP

Cisco is in the middle of shifting products with WebEx. I could see there being more than one preference domain that WebEx is listening to, but I don’t think it is. Either way, if it works it works. It stands to reason whatever the key is for Windows should be the same key for macOS, but that is assuming Cisco follows any standards themselves.

 

What does your configuration profile look like? 

 

If you have the right preference domain, it's a matter of figuring out what the correct key pair is. Unfortunately only Cisco can answer that, unless someone happens to have already done this. We keep JAMF and Intune far apart because Azure is an unwieldy beast.

@AJPinto thank you so much for your reply and your patience.
As I reread my post above, I recognized that I confounded something.

We are using Cisco Webex® for telephony (instead of Jabber®) and meetings.
I set up a configuration profile for SSO. For this configuration profile, I had to upload a plist file for the settings. In that plist file, there is a parameter for the applications allowed for SSO.
Here is the screenshot:

Bildschirmfoto 2022-08-12 um 09.19.39.png

Here is the plist (to be uploaded for the allowed applications):

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppPrefixAllowList</key>
	<string>com.microsoft.,com.apple.,com.google.Chrome,org.mozilla.firefox,com.cisco.webex.,com.cisco.webex.Cisco-WebEx-Start,</string>
	<key>browser_sso_interaction_enabled</key>
	<true/>
	<key>disable_explicit_app_prompt</key>
	<true/>
</dict>
</plist>

 

 

When the user starts Webex, the user has to fill in his email address in the first Webex login window. That is OK for us. After he clicks on "continue", the Microsoft® (Single Sign-On) login window appears.

The behaviour is that the user has to fill in his email address again, and his password, to authenticate himself. In our MS Office® applications, these values are filled in automatically. But in Cisco Webex®, this does not work.
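Added example, not part of any post in this thread: a small audit of the posted plist that reports which application bundle IDs its AppPrefixAllowList covers, including the BundleID quoted in the reply above. It assumes allow-list matching is a plain, case-sensitive string-prefix comparison; `com.microsoft.Excel` is Excel's bundle ID, and `com.cisco.webexmeetings` is a test string constructed from the preference domain named in the reply.

```python
import plistlib

# Plist exactly as posted in the thread.
POSTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppPrefixAllowList</key>
	<string>com.microsoft.,com.apple.,com.google.Chrome,org.mozilla.firefox,com.cisco.webex.,com.cisco.webex.Cisco-WebEx-Start,</string>
	<key>browser_sso_interaction_enabled</key>
	<true/>
	<key>disable_explicit_app_prompt</key>
	<true/>
</dict>
</plist>
"""

def parse_allow_list(plist_bytes):
    """Return (prefixes, findings) for the AppPrefixAllowList string."""
    raw = plistlib.loads(plist_bytes).get("AppPrefixAllowList", "")
    entries = [e.strip() for e in raw.split(",")]
    # Drop empty entries: an empty string is a prefix of every bundle ID.
    prefixes = [e for e in entries if e]
    findings = []
    if len(prefixes) != len(entries):
        findings.append("empty entry (stray comma)")
    for p in prefixes:
        shadow = next((q for q in prefixes if q != p and p.startswith(q)), None)
        if shadow:
            findings.append(f"{p} is already covered by {shadow}")
    return prefixes, findings

def covering_prefix(bundle_id, prefixes):
    """First allow-list prefix that bundle_id starts with, else None."""
    return next((p for p in prefixes if bundle_id.startswith(p)), None)

def audit(plist_bytes, bundle_ids):
    """Map each bundle ID to its covering prefix (or None), plus findings."""
    prefixes, findings = parse_allow_list(plist_bytes)
    return {b: covering_prefix(b, prefixes) for b in bundle_ids}, findings

if __name__ == "__main__":
    # Cisco-Systems.Spark is the BundleID quoted in the reply above.
    ids = ["com.microsoft.Excel", "Cisco-Systems.Spark", "com.cisco.webexmeetings"]
    coverage, findings = audit(POSTED_PLIST, ids)
    for bundle_id, prefix in coverage.items():
        print(f"{bundle_id}: {prefix or 'NOT covered'}")
    for finding in findings:
        print("note:", finding)
```

On a Mac, the bundle ID of an installed application can be read with `mdls -name kMDItemCFBundleIdentifier` on the .app bundle and passed to `audit`.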
