- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 03:04 AM
Microsoft has released Company Portal 5.2401.2 with support for Platform SSO.
Users with SSO profiles receive a pop-up requesting registration with Azure Account to synchronize the local Mac password.
Has anyone had this experience?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-25-2024 01:47 PM - edited 04-04-2024 08:10 AM
For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 03:41 AM
Yes, I have the same issue. This registration windows show, have not find a way t0 disable the notification either.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 03:45 AM
Please review your SSOe configuration profile within Jamf Pro and disable the Platform SSO support. That should prevent the pop up for users. May require a system reboot after you deploy the updated profile to your fleet.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 03:48 AM
Removing SSOe means losing the function of SSO
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 03:55 AM
Not a good solution 🤣
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 05:09 AM
I disabled the Platform SSO setting in our Microsoft Enterprise SSO profile and this seems to have fixed the issue. When you read what the setting does, it is only related to the sign-in window.
We actually can't support Platform SSO at the sign-in window, so not sure why this was even enabled. To be honest, after testing on my own Mac SSO seems a little better system wide with this setting disabled. Doing further testing now with a new enrollment and older version of CP, then will allow CP to update to see if the issues reappears.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 06:08 AM
And SSO for 365 etc still works?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 06:11 AM
Yes, after restart. Actually seems to work better and more seamless than before when the PSSO setting was enabled.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 04:28 AM
This Company Portal v5.2401.2 update 100% breaks existing Intune registrations when users click the prompt and provide their password in the SSO plug-in. It has broken many of our Macs with the only fix being to have users manually re-register via Self Service. We have a Sev A case open with MS since yesterday afternoon with very slow response as usual since MS has very few engineers that understand this configuration.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 04:31 AM
Same for me on several instances of Jamf.
The main problem seems to be related to creating a new computer id under Entra ID, which is not compliant until Intune synchronization which is not so fast.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 04:33 AM
Does anyone know of a workaround?
Is there an SSOe configuration that does not invoke this new registration while keeping the SSO enabled?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 09:05 AM
Yep, getting this too, fortunately we haven't gone live with our conditional access policy yet or this could have been a major issue. If you hear back from microsoft please update us.
We have some devices which still seem compliant after the inputting of information so I'm not sure whether they become compliant again or whether it is hit and miss.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 09:06 AM
When we disabled platform SSO it totally broke the Entra compliance registration and we had to re-register to get it to work again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2024 12:06 PM
We also have been hit by this issue. We have updated our SSO Config Profile to toggle "Platform SSO" off, and redistributed to all of our Macs. However, we are still having some users getting Platform SSO login prompts after reboot. Has anyone found a solution to the login prompts?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 09:56 AM
The behavior is not the best.
If you have Company Portal 5.24 and PSSO enabled, the macOS starts the registration notification.
If the user does not register, removing the PSSO stops the notification. So far, it is consistent:
PSSO ON = notification enabled
PSSO OFF = notification disabled
Problems start when the user completes registration:
1st problem: a new device is registered in Entra ID with a different ID and compliant is N/A - then fails Conditional Access.
2nd problem: "password change" is disabled on macOS, so it is necessary to change the password from Entra ID. Here I need further testing, but in the first facts the local user password is not changed and I fear for FileVault.
All these settings seem to introduce interesting new features, but there is a lack of documentation and tests and we are going by trial and error at this time.
Updating the documentation is very urgent
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 10:25 AM
Microsoft really screwed alot of us with this and has been zero help so far. But that isn't a surprise. Anyway....
Here is what we have found. Anyone that incorrectly clicked to do the PSSO is probably never going to get fully straightened out just by redoing the Intune Integration registration from Self Service. If a user didn't click it and you disabled the “use Platform SSO” setting in your profile then they are probably good to go. Anyone that had already accidentally enabled it, it will stay enable no matter what the profile says. Reboots don't help.
What I found is that anyone who clicked and technically enabled PSSO there is appears that there is no way to get rid of it....but there is.
If you look at the user's System Settings>Users & Groups> {user's account} and click the i....
This is bad, it means the PSSO is enabled and Enterprise SSO is going to continue to have issues. If they show the Platform single Sign On section in their account then it is already enabled and messing with SSO.
This is good, it means that the user didn't click and didn't enable PSSO. These users probably aren't having issues or just need to register again from Self Service.
The only way I have found to get rid of the "bad" is to exclude the user's computer or some smart group from the SSO profile so it is removed from their Mac. This will disable the SSO extension and get rid of the PSSO. Wait a few minutes, then remove the exclusion so the SSO profile is installed on their Mac again which will reenable the SSO extension including not enabling PSSO since you probably/hopefully already disabled the setting. After getting the profile back on the Mac, confirm the PSSO section is removed from their account info. After this the user should be able to register again via the Self Service policy, wait a few minutes for Entra/Intune to catch up, then they should be able to sign in again, use SSO and all of their problems should be solved. No restart was need in my experience.
Hope this makes sense and helps those pulling their hair out with the mess.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 10:30 AM
Oh yeah, and any records in Entra that show as "Microsoft Entra joined" are the bad records created by PSSO. If the record shows as "Microsoft Entra registered" then this should be a good record created when the registration was done via the Self Service policy. I decided I wasn't going to delete any of the bad records in Entra to avoid any possible issues. I will just let them go stale or purge them down the road when the dust settles.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 10:38 AM
Great thank you Scottlep,
Do you happen to have Jamf Connect in your environment?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 10:42 AM
We do not. We just use the Enterprise SSO (formerly Enterprise Connect) for password management with unbound Macs running Zscaler. No issues as long as the devices are correctly registered (and MS doesn't break it 😀).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 12:32 AM
Instead of excluding it I updated the config profile to disable Use Platform SSO, that removed the settings on those Mac that had registered using the pop-up.
but I do hear compliant about Microsoft apps not working for those who registered.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 01:32 AM
I can confirm the behavior.
The only way to disable PSSO is to remove the SSOe profile completely. Disabling PSSO in the SSOe profile is not enough.
Once removed, you can deploy SSOe without PSSO
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 12:10 PM
I want to check if the downgrade is a temporary fix but cannot find any PKG for Company Portal 5.2401.0 anyone have it?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 12:35 PM
I can confirm that a downgrade is not a temporary fix for those that have already experienced the issues, had users click to register PSSO, etc.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2024 12:45 PM
We have a different issue but very similar, we got the error attached after the 5.2401.2 update.
Think that a downgrade will work for me, but I can't find any PKGG files.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 07:45 AM
Good morning.
Has anyone managed to remove the notification?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 08:13 AM
To remove the notification, it is necessary to remove the SSOe profile completely, then deploy it again without PSSO.
it is not sufficient to remove only PSSO
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 08:51 AM
Even deactivating it, it is populating users.
Do I need to do anything else?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 09:20 AM
I have spent a few hours diagnosing this issue. Our organization is using SSOe to handle passing the PRT token around to our SSO applications in Entra/Azure. My mistake that I didn't keep up with the news that the SSOp would be turned on automatically with the CP deployed.
I deactivated the SSOp from the config profile, this is causing the banner to stay and cause a never ending login loop AFTER the SSOp is deactivated from the same config profile.
Running the command app-sso platform -s you can see the output of signing into the banner. When running the command after every sign in attempt on the looping banner. You can see that the output of the command never changes from "POUserStateNeedsRegistration (2)" to "POUserStateNormal"
If you want to tail what the Company Portal app is doing in real time.
"tail -F ~/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*"
Doing what n_leechi suggested of removing the entire profile and adding it back is solving the loop issue even though its removed. What I havent tested is how its affecting people who signed in different ways.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-22-2024 09:41 AM
Also do not disable the device in Entra. It will prevent the users from using any products that use the IDP. Deleting seems to be the better solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2024 01:55 AM
Based on my testing with different environments and assistance from Jamf support, here is what I learned:
Problem
On Macs with Company Portal 5.24+ and PSSO enabled, users are prompted to register in Entra ID.
How to turn off the registration notification:
1. Remove the SSOe profile.
2. Disable PSSO in the SSO Extension profile.
3. Reinstall the SSOe profile without PSSO.
Manage device compliance registration (3 different scenarios):
1. If the end user entered his credentials in the PSSO window, he probably lost the WPJ key and needs to re-register for device compliance.
2. If the end user attempted to register before the PSSO settings were removed and the WPJ key is still present, they will need to manually delete the WPJ key, delete multiple records in Entra ID, and then register again.
3. If the end user has not attempted to re-register with PSSO, he only needs to try logging into a managed application after restarting the Mac. Perhaps he needs to re-register with device compliance.
This is not official information and may not cover all scenarios, but is just information based on my experience in these few days after the Company Portal upgrade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-25-2024 01:47 PM - edited 04-04-2024 08:10 AM
For anyone following this topic, we have some remediation documented at https://www.jamf.com/blog/entra-id-platform-sso-device-compliance/ [link updated 4APR2024]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-04-2024 06:39 AM
Hey, this link no longer exists. Any ideas where this has gone? Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-04-2024 08:07 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-04-2024 08:11 AM
Updated link. Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-05-2024 04:24 AM
We've followed the blog but are now faced with users devices appearing fine but are not passing their device info through to conditional access so are getting blocked. The only way to fix this appears to be a complete cleanup of workplace join and re-registration. Is anyone else having this issue?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-05-2024 05:14 AM - edited 04-09-2024 06:51 AM
@Rolden Here is what we are doing:
- Make sure user is off any VPN connections
- Make sure user has no updates pending as Profiles will not install if they are
- Delete Entra Joined object out of Entra
- Re-register Intune Integration
- Remove from SSO profile without signing out of Company Portal
- Repush the SSO profile
- Then sign out of company portal SSO and signed back in
This removes any Entra objects, registration creates a new Entra object and by removing/adding SSO profile, it refreshes Company Portal.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-25-2024 10:13 AM
JAMF and Microsoft have fixed most of the bugs and the Secure Enclave is successful now The best part is Google Chrome works with passwordless authentication. we still recommend on test devices only.