Company Portal 5.2401.2 with PSSO support

n_lecchi
Contributor

Microsoft has released Company Portal 5.2401.2 with support for Platform SSO.
Users with SSO profiles receive a pop-up requesting registration with Azure Account to synchronize the local Mac password.
Has anyone had this experience?


1 ACCEPTED SOLUTION

rabbitt
Contributor II

For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]



MALmen
New Contributor III

Yes, I have the same issue. This registration window shows up, and I have not found a way to disable the notification either.

Tonyyoung
New Contributor III

Please review your SSOe configuration profile within Jamf Pro and disable the Platform SSO support. That should prevent the pop up for users. May require a system reboot after you deploy the updated profile to your fleet. 

Removing SSOe means losing the function of SSO

MALmen
New Contributor III

Not a good solution 🤣

I disabled the Platform SSO setting in our Microsoft Enterprise SSO profile and this seems to have fixed the issue. When you read what the setting does, it is only related to the sign-in window.


We actually can't support Platform SSO at the sign-in window, so not sure why this was even enabled. To be honest, after testing on my own Mac, SSO seems a little better system-wide with this setting disabled. Doing further testing now with a new enrollment and an older version of CP, then will allow CP to update to see if the issue reappears.

MALmen
New Contributor III

And SSO for 365 etc still works?

Yes, after restart. Actually seems to work better and more seamless than before when the PSSO setting was enabled.

scottlep
Contributor II

This Company Portal v5.2401.2 update 100% breaks existing Intune registrations when users click the prompt and provide their password in the SSO plug-in. It has broken many of our Macs with the only fix being to have users manually re-register via Self Service. We have a Sev A case open with MS since yesterday afternoon with very slow response as usual since MS has very few engineers that understand this configuration.

Same for me on several instances of Jamf.
The main problem seems to be related to creating a new computer id under Entra ID, which is not compliant until Intune synchronization which is not so fast.

n_lecchi
Contributor

Does anyone know of a workaround?
Is there an SSOe configuration that does not invoke this new registration while keeping the SSO enabled?

Rolden
New Contributor III

Yep, getting this too,  fortunately we haven't gone live with our conditional access policy yet or this could have been a major issue.  If you hear back from microsoft please update us.

We have some devices which still seem compliant after the inputting of information so I'm not sure whether they become compliant again or whether it is hit and miss.

Rolden
New Contributor III

When we disabled platform SSO it totally broke the Entra compliance registration and we had to re-register to get it to work again.

jasonde
New Contributor

We also have been hit by this issue. We have updated our SSO Config Profile to toggle "Platform SSO" off, and redistributed to all of our Macs. However, we are still having some users getting Platform SSO login prompts after reboot.  Has anyone found a solution to the login prompts? 

n_lecchi
Contributor

The behavior is not the best.
If you have Company Portal 5.24 and PSSO enabled, the macOS starts the registration notification.
If the user does not register, removing the PSSO stops the notification. So far, it is consistent:
PSSO ON = notification enabled
PSSO OFF = notification disabled

Problems start when the user completes registration:
1st problem: a new device is registered in Entra ID with a different ID and compliant is N/A - then fails Conditional Access.


2nd problem: "password change" is disabled on macOS, so it is necessary to change the password from Entra ID. Here I need further testing, but in the first facts the local user password is not changed and I fear for FileVault.

All these settings seem to introduce interesting new features, but there is a lack of documentation and tests and we are going by trial and error at this time.

Updating the documentation is very urgent

scottlep
Contributor II

Microsoft really screwed a lot of us with this and has been zero help so far. But that isn't a surprise. Anyway....

Here is what we have found. Anyone that incorrectly clicked to do the PSSO is probably never going to get fully straightened out just by redoing the Intune Integration registration from Self Service. If a user didn't click it and you disabled the "use Platform SSO" setting in your profile, then they are probably good to go. For anyone that had already accidentally enabled it, it will stay enabled no matter what the profile says. Reboots don't help.

What I found is that for anyone who clicked and technically enabled PSSO, it appears that there is no way to get rid of it.... but there is.


If you look at the user's System Settings>Users & Groups> {user's account} and click the i....

This is bad: it means PSSO is enabled and Enterprise SSO is going to continue to have issues. If they show the Platform Single Sign-On section in their account, then it is already enabled and messing with SSO.



This is good, it means that the user didn't click and didn't enable PSSO. These users probably aren't having issues or just need to register again from Self Service.



The only way I have found to get rid of the "bad" is to exclude the user's computer or some smart group from the SSO profile so it is removed from their Mac. This will disable the SSO extension and get rid of the PSSO. Wait a few minutes, then remove the exclusion so the SSO profile is installed on their Mac again, which will re-enable the SSO extension without enabling PSSO, since you probably/hopefully already disabled the setting. After getting the profile back on the Mac, confirm the PSSO section is removed from their account info. After this the user should be able to register again via the Self Service policy; wait a few minutes for Entra/Intune to catch up, then they should be able to sign in again, use SSO, and all of their problems should be solved. No restart was needed in my experience.

Hope this makes sense and helps those pulling their hair out with the mess.

Oh yeah, and any records in Entra that show as "Microsoft Entra joined" are the bad records created by PSSO. If the record shows as "Microsoft Entra registered" then this should be a good record created when the registration was done via the Self Service policy. I decided I wasn't going to delete any of the bad records in Entra to avoid any possible issues. I will just let them go stale or purge them down the road when the dust settles.

Great thank you Scottlep,


Do you happen to have Jamf Connect in your environment?

We do not. We just use the Enterprise SSO (formerly Enterprise Connect) for password management with unbound Macs running Zscaler. No issues as long as the devices are correctly registered (and MS doesn't break it 😀).

Instead of excluding it I updated the config profile to disable Use Platform SSO, that removed the settings on those Mac that had registered using the pop-up.

But I do hear complaints about Microsoft apps not working for those who registered.

I can confirm the behavior.
The only way to disable PSSO is to remove the SSOe profile completely. Disabling PSSO in the SSOe profile is not enough.

Once removed, you can deploy SSOe without PSSO

TZACHIR
New Contributor

I want to check if the downgrade is a temporary fix but cannot find any PKG for Company Portal 5.2401.0 anyone have it? 

I can confirm that a downgrade is not a temporary fix for those that have already experienced the issues, had users click to register PSSO, etc.

We have a different issue but very similar, we got the error attached after the 5.2401.2 update. 

I think that a downgrade will work for me, but I can't find any PKG files.

caio_clemente
New Contributor II

Good morning.
Has anyone managed to remove the notification?


To remove the notification, it is necessary to remove the SSOe profile completely, then deploy it again without PSSO.

It is not sufficient to remove only PSSO.


Even deactivating it, it is populating users.

Do I need to do anything else?

mlope653
New Contributor III

I have spent a few hours diagnosing this issue. Our organization is using SSOe to handle passing the PRT token around to our SSO applications in Entra/Azure. My mistake that I didn't keep up with the news that the SSOp would be turned on automatically with the CP deployed.

I deactivated the SSOp in the config profile; this is causing the banner to stay and causes a never-ending login loop AFTER the SSOp is deactivated in the same config profile.

Running the command app-sso platform -s, you can see the output of signing into the banner. When running the command after every sign-in attempt on the looping banner, you can see that the output of the command never changes from "POUserStateNeedsRegistration (2)" to "POUserStateNormal".

If you want to tail what the Company Portal app is doing in real time:

tail -F ~/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*


Doing what n_lecchi suggested of removing the entire profile and adding it back is solving the loop issue even though it's removed. What I haven't tested is how it's affecting people who signed in different ways.

mlope653
New Contributor III

Also do not disable the device in Entra. It will prevent the users from using any products that use the IDP. Deleting seems to be the better solution. 


n_lecchi
Contributor

Based on my testing with different environments and assistance from Jamf support, here is what I learned:

Problem
On Macs with Company Portal 5.24+ and PSSO enabled, users are prompted to register in Entra ID.


How to turn off the registration notification:

1. Remove the SSOe profile.
2. Disable PSSO in the SSO Extension profile.
3. Reinstall the SSOe profile without PSSO.


Manage device compliance registration (3 different scenarios):
1. If the end user entered his credentials in the PSSO window, he probably lost the WPJ key and needs to re-register for device compliance.

2. If the end user attempted to register before the PSSO settings were removed and the WPJ key is still present, they will need to manually delete the WPJ key, delete multiple records in Entra ID, and then register again.

3. If the end user has not attempted to re-register with PSSO, he only needs to try logging into a managed application after restarting the Mac. Perhaps he needs to re-register with device compliance.


This is not official information and may not cover all scenarios, but is just information based on my experience in these few days after the Company Portal upgrade.
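The two posts above (mlope653's app-sso and log-tail checks, and n_lecchi's remove/disable/reinstall procedure) describe what an admin looks at on an affected Mac. Below is an added triage script, not code from the thread or from Jamf or Microsoft, that classifies the Platform SSO user state from `app-sso platform -s` using only the two state tokens mlope653 names, and checks whether the SSO extension profile is installed and still carries a PlatformSSO dictionary from `profiles show` output. Assumptions: the real command output layout is not known from the thread, so both parsers search for tokens rather than parsing structure; the sample outputs embedded here are constructed; the SSOe payload type com.apple.extensiblesso and its PlatformSSO key are Apple's real names but their exact rendering by `profiles` is assumed. Off macOS the script reports the live checks as unavailable and only the parsers run.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Classifies Platform SSO state
# from app-sso output and SSOe profile state from profiles output.

# Log directory for the Company Portal SSO extension, as quoted by mlope653.
PSSO_LOG_GLOB="$HOME/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*"

# Constructed sample outputs (assumed shape; only the tokens matter).
SAMPLE_NEEDS_REG='User State: POUserStateNeedsRegistration (2)'
SAMPLE_NORMAL='User State: POUserStateNormal (0)'
SAMPLE_PROFILE_PSSO='attribute: PayloadType: com.apple.extensiblesso
attribute: PlatformSSO = { AuthenticationMethod = Password; }'
SAMPLE_PROFILE_NO_PSSO='attribute: PayloadType: com.apple.extensiblesso'
SAMPLE_PROFILE_ABSENT='attribute: PayloadType: com.apple.wifi.managed'

# psso_state_from_output TEXT -> needs-registration | normal | unknown
psso_state_from_output() {
  case "$1" in
    *POUserStateNeedsRegistration*) printf 'needs-registration\n' ;;
    *POUserStateNormal*)            printf 'normal\n' ;;
    *)                              printf 'unknown\n' ;;
  esac
}

# sso_profile_state_from_output TEXT
#   -> absent | installed-with-psso | installed-no-psso
sso_profile_state_from_output() {
  case "$1" in
    *com.apple.extensiblesso*)
      case "$1" in
        *PlatformSSO*) printf 'installed-with-psso\n' ;;
        *)             printf 'installed-no-psso\n' ;;
      esac ;;
    *) printf 'absent\n' ;;
  esac
}

# Live checks: only meaningful on macOS 13+; elsewhere report "unavailable".
check_psso_state() {
  if command -v app-sso >/dev/null 2>&1; then
    psso_state_from_output "$(app-sso platform -s 2>&1)"
  else
    printf 'unavailable\n'
  fi
}

check_sso_profile_state() {
  if command -v profiles >/dev/null 2>&1; then
    # Computer-level profiles require root; run as sudo on the Mac.
    sso_profile_state_from_output "$(profiles show -type configuration 2>&1)"
  else
    printf 'unavailable\n'
  fi
}

# psso_advice PSSO_STATE PROFILE_STATE -> one line mapping to the thread's fix
psso_advice() {
  case "$1/$2" in
    needs-registration/installed-with-psso)
      printf '%s\n' 'Registration pending and PlatformSSO still in profile: remove the SSOe profile, wait, redeploy it with Platform SSO disabled.' ;;
    needs-registration/*)
      printf '%s\n' 'Registration pending with no PlatformSSO key: the stale state from the original profile persists; remove the SSOe profile completely before redeploying.' ;;
    normal/*)
      printf '%s\n' 'Platform SSO reports normal state; check Entra for a duplicate "Entra joined" record before re-registering via Self Service.' ;;
    unavailable/*)
      printf '%s\n' 'Live checks unavailable on this host (not macOS 13+ or not root).' ;;
    *)
      printf '%s\n' 'Could not classify output; inspect it manually.' ;;
  esac
}

main() {
  pstate="$(check_psso_state)"
  fstate="$(check_sso_profile_state)"
  printf 'PSSO user state:   %s\n' "$pstate"
  printf 'SSOe profile:      %s\n' "$fstate"
  psso_advice "$pstate" "$fstate"
  printf 'Live extension log: tail -F %s\n' "$PSSO_LOG_GLOB"
}

main
```

On a Mac run it as root (sudo) so `profiles show` lists computer-level profiles; the parsers can also be fed captured output from a user's machine when triaging remotely.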

rabbitt
Contributor II

For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]

ath3rs
New Contributor

Hey, this link no longer exists. Any ideas where this has gone? Thanks

Updated link.  Thank you.  

Rolden
New Contributor III

We've followed the blog but are now faced with users' devices appearing fine but not passing their device info through to conditional access, so they are getting blocked. The only way to fix this appears to be a complete cleanup of workplace join and re-registration. Is anyone else having this issue?

DMH2000
Contributor

@Rolden Here is what we are doing:

  1. Make sure user is off any VPN connections
  2. Make sure user has no updates pending as Profiles will not install if they are
  3. Delete Entra Joined object out of Entra
  4. Re-register Intune Integration
  5. Remove from SSO profile without signing out of Company Portal
  6. Repush the SSO profile
  7. Then sign out of Company Portal SSO and sign back in

This removes any Entra objects, registration creates a new Entra object and by removing/adding SSO profile, it refreshes Company Portal.

Bharath05
New Contributor II

JAMF and Microsoft have fixed most of the bugs, and the Secure Enclave is successful now. The best part is Google Chrome works with passwordless authentication. We still recommend on test devices only.