Posted on 03-20-2024 03:04 AM
Microsoft has released Company Portal 5.2401.2 with support for Platform SSO.
Users with SSO profiles receive a pop-up requesting registration with Azure Account to synchronize the local Mac password.
Has anyone had this experience?
Posted on 03-20-2024 03:41 AM
Yes, I have the same issue. This registration window shows up; I have not found a way to disable the notification either.
Posted on 03-20-2024 03:45 AM
Please review your SSOe configuration profile within Jamf Pro and disable the Platform SSO support. That should prevent the pop up for users. May require a system reboot after you deploy the updated profile to your fleet.
Posted on 03-20-2024 03:48 AM
Removing SSOe means losing the function of SSO
Posted on 03-20-2024 03:55 AM
Not a good solution 🤣
Posted on 03-20-2024 05:09 AM
I disabled the Platform SSO setting in our Microsoft Enterprise SSO profile and this seems to have fixed the issue. When you read what the setting does, it is only related to the sign-in window.
We actually can't support Platform SSO at the sign-in window, so not sure why this was even enabled. To be honest, after testing on my own Mac, SSO seems a little better system-wide with this setting disabled. Doing further testing now with a new enrollment and an older version of CP, then will allow CP to update to see if the issues reappear.
Posted on 03-20-2024 06:08 AM
And SSO for 365 etc still works?
Posted on 03-20-2024 06:11 AM
Yes, after restart. Actually seems to work better and more seamless than before when the PSSO setting was enabled.
Posted on 03-20-2024 04:28 AM
This Company Portal v5.2401.2 update 100% breaks existing Intune registrations when users click the prompt and provide their password in the SSO plug-in. It has broken many of our Macs with the only fix being to have users manually re-register via Self Service. We have a Sev A case open with MS since yesterday afternoon with very slow response as usual since MS has very few engineers that understand this configuration.
Posted on 03-20-2024 04:31 AM
Same for me on several instances of Jamf.
The main problem seems to be related to creating a new computer id under Entra ID, which is not compliant until Intune synchronization which is not so fast.
Posted on 03-20-2024 04:33 AM
Does anyone know of a workaround?
Is there an SSOe configuration that does not invoke this new registration while keeping the SSO enabled?
Posted on 03-20-2024 09:05 AM
Yep, getting this too, fortunately we haven't gone live with our conditional access policy yet or this could have been a major issue. If you hear back from microsoft please update us.
We have some devices which still seem compliant after the inputting of information so I'm not sure whether they become compliant again or whether it is hit and miss.
Posted on 03-20-2024 09:06 AM
When we disabled platform SSO it totally broke the Entra compliance registration and we had to re-register to get it to work again.
Posted on 03-20-2024 12:06 PM
We also have been hit by this issue. We have updated our SSO Config Profile to toggle "Platform SSO" off, and redistributed to all of our Macs. However, we are still having some users getting Platform SSO login prompts after reboot. Has anyone found a solution to the login prompts?
Posted on 03-21-2024 09:56 AM
The behavior is not the best.
If you have Company Portal 5.24 and PSSO enabled, the macOS starts the registration notification.
If the user does not register, removing the PSSO stops the notification. So far, it is consistent:
PSSO ON = notification enabled
PSSO OFF = notification disabled
Problems start when the user completes registration:
1st problem: a new device is registered in Entra ID with a different ID and compliant is N/A - then fails Conditional Access.
2nd problem: "password change" is disabled on macOS, so it is necessary to change the password from Entra ID. Here I need further testing, but in the first facts the local user password is not changed and I fear for FileVault.
All these settings seem to introduce interesting new features, but there is a lack of documentation and tests and we are going by trial and error at this time.
Updating the documentation is very urgent
Posted on 03-21-2024 10:25 AM
Microsoft really screwed a lot of us with this and has been zero help so far. But that isn't a surprise. Anyway....
Here is what we have found. Anyone that incorrectly clicked to do the PSSO is probably never going to get fully straightened out just by redoing the Intune Integration registration from Self Service. If a user didn't click it and you disabled the "use Platform SSO" setting in your profile, then they are probably good to go. Anyone that had already accidentally enabled it, it will stay enabled no matter what the profile says. Reboots don't help.
What I found is that for anyone who clicked and technically enabled PSSO, it appears that there is no way to get rid of it....but there is.
If you look at the user's System Settings>Users & Groups> {user's account} and click the i....
This is bad, it means the PSSO is enabled and Enterprise SSO is going to continue to have issues. If they show the Platform single Sign On section in their account then it is already enabled and messing with SSO.
This is good, it means that the user didn't click and didn't enable PSSO. These users probably aren't having issues or just need to register again from Self Service.
The only way I have found to get rid of the "bad" is to exclude the user's computer or some smart group from the SSO profile so it is removed from their Mac. This will disable the SSO extension and get rid of the PSSO. Wait a few minutes, then remove the exclusion so the SSO profile is installed on their Mac again, which will re-enable the SSO extension without enabling PSSO, since you probably/hopefully already disabled the setting. After getting the profile back on the Mac, confirm the PSSO section is removed from their account info. After this the user should be able to register again via the Self Service policy, wait a few minutes for Entra/Intune to catch up, then they should be able to sign in again, use SSO, and all of their problems should be solved. No restart was needed in my experience.
Hope this makes sense and helps those pulling their hair out with the mess.
Posted on 03-21-2024 10:30 AM
Oh yeah, and any records in Entra that show as "Microsoft Entra joined" are the bad records created by PSSO. If the record shows as "Microsoft Entra registered" then this should be a good record created when the registration was done via the Self Service policy. I decided I wasn't going to delete any of the bad records in Entra to avoid any possible issues. I will just let them go stale or purge them down the road when the dust settles.
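The "joined" vs "registered" distinction above can be checked in bulk rather than by eye. The following is an added example, not code from the thread or from Jamf/Microsoft: it audits a list of Entra ID device records (the shape returned by the Microsoft Graph `device` resource) and flags Macs that now carry both a registered record and a PSSO-created joined record, plus joined records with no compliance state. The mapping of Graph `trustType` values ("Workplace" = Entra registered, "AzureAd" = Entra joined) is an assumption taken from the Graph documentation, and the device list is constructed sample data, not a real tenant export. It only reports; it deletes nothing, in line with the advice above.

```python
"""Audit Entra ID device objects for duplicate records created by Platform SSO.

Added example; input is a constructed list in the shape of Microsoft Graph
`GET /devices` results, not data from a real tenant.
"""
from collections import defaultdict

# Assumption (Graph docs, not the thread): trustType distinguishes the record kinds.
TRUST_TYPE_LABEL = {
    "Workplace": "registered",      # created by the Self Service / Company Portal registration
    "AzureAd": "joined",            # created when the user completed the PSSO prompt
    "ServerAd": "hybrid-joined",
}


def classify_record(device: dict) -> str:
    """Return 'registered', 'joined', 'hybrid-joined' or 'unknown' for one device object."""
    return TRUST_TYPE_LABEL.get(device.get("trustType"), "unknown")


def find_duplicates(devices: list[dict]) -> dict[str, dict[str, list[str]]]:
    """Group records by displayName and return only the names that have at least one
    registered AND at least one joined record: {name: {'registered': [ids], 'joined': [ids]}}."""
    by_name: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for d in devices:
        by_name[d["displayName"]][classify_record(d)].append(d["id"])
    return {
        name: {"registered": kinds["registered"], "joined": kinds["joined"]}
        for name, kinds in by_name.items()
        if kinds["registered"] and kinds["joined"]
    }


def joined_without_compliance(devices: list[dict]) -> list[str]:
    """IDs of joined records whose isCompliant is not True (the 'compliant is N/A' case
    that fails Conditional Access)."""
    return [
        d["id"] for d in devices
        if classify_record(d) == "joined" and d.get("isCompliant") is not True
    ]


# Constructed sample export (not real devices). MAC-ALPHA has the classic double record.
SAMPLE_DEVICES = [
    {"id": "a1", "displayName": "MAC-ALPHA", "trustType": "Workplace", "isCompliant": True},
    {"id": "a2", "displayName": "MAC-ALPHA", "trustType": "AzureAd", "isCompliant": None},
    {"id": "b1", "displayName": "MAC-BRAVO", "trustType": "Workplace", "isCompliant": True},
    {"id": "c1", "displayName": "MAC-CHARLIE", "trustType": "AzureAd", "isCompliant": False},
]


def report(devices: list[dict]) -> dict:
    """Summary a Mac admin can act on: which names to re-register, which joined objects are dead weight."""
    return {
        "duplicates": find_duplicates(devices),
        "joined_noncompliant": joined_without_compliance(devices),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DEVICES).items():
        print(f"{key}: {value}")
```

Feed it the JSON array from a Graph `GET /devices?$select=id,displayName,trustType,isCompliant` call (or an export from the Entra portal) in place of `SAMPLE_DEVICES`; names listed under `duplicates` are the Macs that need the Self Service re-registration described above.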
Posted on 03-21-2024 10:38 AM
Great thank you Scottlep,
Do you happen to have Jamf Connect in your environment?
Posted on 03-21-2024 10:42 AM
We do not. We just use the Enterprise SSO (formerly Enterprise Connect) for password management with unbound Macs running Zscaler. No issues as long as the devices are correctly registered (and MS doesn't break it 😀).
Posted on 03-22-2024 12:32 AM
Instead of excluding it, I updated the config profile to disable Use Platform SSO; that removed the settings on those Macs that had registered using the pop-up.
But I do hear complaints about Microsoft apps not working for those who registered.
Posted on 03-22-2024 01:32 AM
I can confirm the behavior.
The only way to disable PSSO is to remove the SSOe profile completely. Disabling PSSO in the SSOe profile is not enough.
Once removed, you can deploy SSOe without PSSO
Posted on 03-21-2024 12:10 PM
I want to check if the downgrade is a temporary fix but cannot find any PKG for Company Portal 5.2401.0 anyone have it?
Posted on 03-21-2024 12:35 PM
I can confirm that a downgrade is not a temporary fix for those that have already experienced the issues, had users click to register PSSO, etc.
Posted on 03-21-2024 12:45 PM
We have a different issue but very similar, we got the error attached after the 5.2401.2 update.
Think that a downgrade will work for me, but I can't find any PKG files.
Posted on 03-22-2024 07:45 AM
Good morning.
Has anyone managed to remove the notification?
Posted on 03-22-2024 08:13 AM
To remove the notification, it is necessary to remove the SSOe profile completely, then deploy it again without PSSO.
it is not sufficient to remove only PSSO
Posted on 03-22-2024 08:51 AM
Even deactivating it, it is populating users.
Do I need to do anything else?
Posted on 03-22-2024 09:20 AM
I have spent a few hours diagnosing this issue. Our organization is using SSOe to handle passing the PRT token around to our SSO applications in Entra/Azure. My mistake that I didn't keep up with the news that the SSOp would be turned on automatically with the CP deployed.
I deactivated the SSOp from the config profile, this is causing the banner to stay and cause a never ending login loop AFTER the SSOp is deactivated from the same config profile.
Running the command app-sso platform -s, you can see the output of signing into the banner. When running the command after every sign-in attempt on the looping banner, you can see that the output of the command never changes from "POUserStateNeedsRegistration (2)" to "POUserStateNormal".
If you want to tail what the Company Portal app is doing in real time.
"tail -F ~/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*"
Doing what n_leechi suggested of removing the entire profile and adding it back is solving the loop issue even though it's removed. What I haven't tested is how it's affecting people who signed in different ways.
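The state check in the post above is easy to script for a fleet. This is an added example, not the poster's or Microsoft's code: it parses `app-sso platform -s` output for the `POUserState...` token and classifies the Mac as looping (needs registration), registered, or never touched by PSSO. Only the two state names and the `(2)` code for NeedsRegistration come from the thread; the surrounding sample output lines, the numeric code shown for the Normal state, and the `userState:` label are constructed placeholders, since the real command's full output format is not reproduced on this page. `live_state()` runs the real command only where `app-sso` exists (macOS).

```python
"""Classify a Mac's Platform SSO user state from `app-sso platform -s` output.

Added example. State names are those seen in the thread; sample output is constructed.
"""
import re
import shutil
import subprocess

NEEDS_REGISTRATION = "POUserStateNeedsRegistration"   # the banner will keep coming back
NORMAL = "POUserStateNormal"                          # PSSO registration completed

# Matches e.g. "POUserStateNeedsRegistration (2)"; other POUserState* names are reported as unknown.
_STATE_RE = re.compile(r"(POUserState\w+)\s*\((\d+)\)")


def parse_user_state(output: str):
    """Return (state_name, code) from the command output, or (None, None) when no
    POUserState token is present (PSSO has never been registered on this Mac)."""
    match = _STATE_RE.search(output)
    if not match:
        return None, None
    return match.group(1), int(match.group(2))


def classify(output: str) -> str:
    """Map the raw output to the remediation bucket used in this thread."""
    state, _code = parse_user_state(output)
    if state is None:
        return "no-psso-state"        # likely fine, or just needs the Self Service registration
    if state == NEEDS_REGISTRATION:
        return "registration-loop"    # remove the SSOe profile entirely, then redeploy without PSSO
    if state == NORMAL:
        return "registered"           # user completed the prompt; expect a second Entra record
    return "unknown"


def live_state():
    """Run the real command on macOS; returns None where app-sso is not installed."""
    if shutil.which("app-sso") is None:
        return None
    proc = subprocess.run(["app-sso", "platform", "-s"],
                          capture_output=True, text=True, check=False)
    return classify(proc.stdout + proc.stderr)


# Constructed samples (not captured output). The numeric code for the Normal state is
# illustrative only; the thread only documents "(2)" for NeedsRegistration.
SAMPLE_LOOPING = "...\n    userState: POUserStateNeedsRegistration (2)\n...\n"
SAMPLE_OK = "...\n    userState: POUserStateNormal (0)\n...\n"

if __name__ == "__main__":
    print("sample loop  ->", classify(SAMPLE_LOOPING))
    print("sample ok    ->", classify(SAMPLE_OK))
    print("this machine ->", live_state())
```

Run it as the affected user (the state is per user, not per device), for example from a Jamf policy with an extension attribute that records the returned bucket, so the looping Macs can be scoped into the profile-exclusion smart group described earlier in the thread.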
Posted on 03-22-2024 09:41 AM
Also do not disable the device in Entra. It will prevent the users from using any products that use the IDP. Deleting seems to be the better solution.
Posted on 03-25-2024 01:55 AM
Based on my testing with different environments and assistance from Jamf support, here is what I learned:
Problem
On Macs with Company Portal 5.24+ and PSSO enabled, users are prompted to register in Entra ID.
How to turn off the registration notification:
1. Remove the SSOe profile.
2. Disable PSSO in the SSO Extension profile.
3. Reinstall the SSOe profile without PSSO.
Manage device compliance registration (3 different scenarios):
1. If the end user entered his credentials in the PSSO window, he probably lost the WPJ key and needs to re-register for device compliance.
2. If the end user attempted to register before the PSSO settings were removed and the WPJ key is still present, they will need to manually delete the WPJ key, delete multiple records in Entra ID, and then register again.
3. If the end user has not attempted to re-register with PSSO, he only needs to try logging into a managed application after restarting the Mac. Perhaps he needs to re-register with device compliance.
This is not official information and may not cover all scenarios, but is just information based on my experience in these few days after the Company Portal upgrade.
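Steps 2 and 3 of the procedure above turn on whether the redeployed Extensible SSO profile really carries no Platform SSO configuration. The following is an added example, not Jamf's or the poster's code: it opens a `.mobileconfig` and reports whether the `com.apple.extensiblesso` payload still contains the `PlatformSSO` dictionary (the key Apple uses for the feature, which is what I assume Jamf Pro's "Use Platform SSO" checkbox writes), and produces a copy with that dictionary stripped so the two can be diffed before redeploying. The sample profile is constructed here; the extension identifier is the Company Portal one quoted earlier in the thread, and the Microsoft team identifier and the `AuthenticationMethod` value are assumptions.

```python
"""Check a downloaded SSOe .mobileconfig for a PlatformSSO block and strip it.

Added example; the sample profile below is constructed, not exported from Jamf Pro.
"""
import plistlib

SSOE_PAYLOAD_TYPE = "com.apple.extensiblesso"
COMPANY_PORTAL_EXT = "com.microsoft.CompanyPortalMac.ssoextension"   # quoted in the thread
MICROSOFT_TEAM_ID = "UBF8T346G9"                                       # assumption


def _ssoe_payloads(profile: dict) -> list[dict]:
    """All Extensible SSO payloads in a profile (usually exactly one)."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == SSOE_PAYLOAD_TYPE]


def audit(profile_bytes: bytes) -> dict:
    """Summarise what the profile would do on a Mac: which extension, and whether PSSO is on."""
    profile = plistlib.loads(profile_bytes)
    payloads = _ssoe_payloads(profile)
    if not payloads:
        return {"ssoe_payloads": 0, "platform_sso": False, "extension_identifier": None}
    p = payloads[0]
    psso = p.get("PlatformSSO")
    return {
        "ssoe_payloads": len(payloads),
        "extension_identifier": p.get("ExtensionIdentifier"),
        "is_company_portal": p.get("ExtensionIdentifier") == COMPANY_PORTAL_EXT,
        "platform_sso": psso is not None,
        "auth_method": psso.get("AuthenticationMethod") if isinstance(psso, dict) else None,
    }


def has_platform_sso(profile_bytes: bytes) -> bool:
    return audit(profile_bytes)["platform_sso"]


def strip_platform_sso(profile_bytes: bytes) -> bytes:
    """Return the same profile with PlatformSSO removed from every SSOe payload."""
    profile = plistlib.loads(profile_bytes)
    for p in _ssoe_payloads(profile):
        p.pop("PlatformSSO", None)
    return plistlib.dumps(profile)


# Constructed sample: a Jamf-style SSOe profile with PSSO turned on (password sync).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.ssoe",        # placeholder identifier
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": SSOE_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.ssoe.payload",
        "PayloadVersion": 1,
        "ExtensionIdentifier": COMPANY_PORTAL_EXT,
        "TeamIdentifier": MICROSOFT_TEAM_ID,
        "Type": "Redirect",
        "URLs": ["https://login.microsoftonline.com",
                 "https://login.microsoft.com", "https://sts.windows.net"],
        "PlatformSSO": {"AuthenticationMethod": "Password"},
    }],
})

if __name__ == "__main__":
    print("as deployed :", audit(SAMPLE_PROFILE))
    print("after strip :", audit(strip_platform_sso(SAMPLE_PROFILE)))
```

To check a real profile, export it from Jamf Pro (or pull it from a Mac with `sudo profiles show -type configuration -output /tmp/profiles.plist` and locate the SSOe payload) and pass the bytes to `audit()`; if `platform_sso` is still `True` on the "fixed" profile, the registration banner will come back after the reinstall.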
03-25-2024 01:47 PM - edited 04-04-2024 08:10 AM
For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]
Posted on 04-04-2024 06:39 AM
Hey, this link no longer exists. Any ideas where this has gone? Thanks
Posted on 04-04-2024 08:07 AM
Posted on 04-04-2024 08:11 AM
Updated link. Thank you.
Posted on 04-05-2024 04:24 AM
We've followed the blog but are now faced with users devices appearing fine but are not passing their device info through to conditional access so are getting blocked. The only way to fix this appears to be a complete cleanup of workplace join and re-registration. Is anyone else having this issue?
04-05-2024 05:14 AM - edited 04-09-2024 06:51 AM
@Rolden Here is what we are doing:
This removes any Entra objects, registration creates a new Entra object and by removing/adding SSO profile, it refreshes Company Portal.
Posted on 06-25-2024 10:13 AM
Jamf and Microsoft have fixed most of the bugs and the Secure Enclave is successful now. The best part is Google Chrome works with passwordless authentication. We still recommend on test devices only.