so if 11.7 is not going to work with PSSO, what version will?

doh, its not jamfAAD gatherAADInfo, thanks I did not look closely enough

@rabbitt I thought I sent a question earlier but don't see it here. Do you know if we just need to add all the kerberos keys to the existing custom plist that we add to the PSSOe profile? If we do that will it cause re-registration of all devices that have the profile? https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k... 

Has anyone ran into an issue with Microsoft apps constantly asking to be logged into again? It seems like everything is talking correctly, as logging into the Mac uses the Entra ID password credentials, but all the Microsoft applications (Teams, Edge, OneDrive, etc.) keep logging out and ask to be logged into again frequently throughout the day. I feel like I'm missing something, but can't figure it out.

We have setup for PSSOe Jamf+MS Entra and running jamf pro 11.9.1 server, After PSSOe enabled in mac, under keychain - login - MS Organization access certificate in removed. After this Specific certificate removed, we cannot able to open any organization sites. Can idea?   

we are running jamf pro 11.9.1 and we are not facing non compliance issue. yes we know , above command will help to make mac compliance. 

only Question, once enabled PSSOe, why certificate removes from keychain, we know this specific certificate will help to access intranet site. we have compared 2 macs, one with PSSOe and another without PSSOe enabled. Once PSSOe registration completed, MS workplace join key (Private key) removes and not blocks the intranet access. 

Once PSSOe registration completed, MS workplace join key (Private key) removes and it blocks the intranet access. 

because it moves from keychain to the secure enclave, find a different cert to use. My guess would be to deploy a pkcs device/user cert from your CA would probably be the better thing to do. Or change your intranet policy to ask the device if it is compliant and use MSAL auth stuff.

Thanks for this @rabbitt!

Question: with the WPJ cert/key removed, what marker or identifier can we look for on the endpoint to verify a healthy and successful registration? When moving to PSSOe, we see the device record flip from "Microsoft Entra registered" to "Microsoft Entra joined" in Entra, with a new Device ID to boot. However, there is no cert in the keychain that matches the new Device ID (since it's presumably stored in the Secure Enclave). How can we check for this cert/registration on the endpoint?

@rabbitt 

Thanks so much for all this. We are testing Microsoft Platform SSO with Entra successfully. In a passwordless environment, we can see some huge benefits and a better overall Mac experience with Smart Cards.

Thanks again for all your help at JNUC with the braindate meet! Your presentation was awesome as well. Appreciate the tips and cheat codes.

I have an issue where, after authenticating with the company portal, I see the "MS-Organization-Access" certificate in the user's keychain, but it is not trusted. Is it necessary to trust this certificate, and will it cause any issues if it remains untrusted? How can I trust that certificate, and is there a root CA required for it to be trusted?

@rabbitt - I'm going to go ahead and get this out of the way - We still AD Bind.   (hangs head in shame).

But, I've been looking to convince management to get away from this for a while.  After JNUC and hearing your session (awesome session BTW), management decided to get some Jamf Connect licenses and start looking at PSSOe.  The problem I'm running into is that we seem dead set on not allowing just anyone the capability to register in Entra.  We have it restricted to a small group of employees.  That means I'll have to touch every single machine.
Do you have any advice on how I can accomplish this easily or how to convince management to open it up?  Their concern is that we've had a bunch of personal devices register in our tenant and this was presented as the way to stop that.

Thanks!

@rabbitt , thanks for posting this very helpful information.
We are facing some similar inconsistencies with our test deployment of PSSOe with password sync on Jamf Pro Cloud Version11.10.1-t1728656858, using Company Portal Version: 5.2409.1 (53.2409926.002) and a signed config profile created in iMazing. We were experiencing some issues with the profile created in the Jamf UI, the session duration key value was being manipulated so, we went to a signed profile and didn't set that value, taking the default. We've still been experiencing what I would call a "drift" where, initially, things seem to work fine. After logging in, SSO works and the tokens are read, website and apps seamlessly connect as expected. Then after a few days or so, it may start with Teams displaying a banner that you need to sign in. Other sites that were previously, silently passing the SSO token, were prompting for login credentials and MFA. Our testing with SecureEnclave was must smoother but, due to our environment and culture at the time we have to start with password sync. I've tried to capture some logs using unified logging and some predicates but, I'm not sure what's "normal noise" or what's actually an error. Additionally, a line in the output of the app-sso platform -s command has been getting my attention but, I'm not sure if it's actually an error or if it's just describing what would be output in the event of that type of error. Under the "Login Configuration" section there is a key-value pair with the following:

"invalidCredentialPredicate" : "error = 'invalid_grant' AND suberror != 'device_authentication_failed'",

1. Any thoughts on the "drift" for Microsoft applications and sites that were previously taking SSO tokens prompting for credentials? (I saw your response to "wlumley" and we'll be checking with our Identity & Access folks regarding a conditional access policy if it exists or not.

2. Do you know of any good log predicates that may be of value to stream or look up when troubleshooting PSSOe w/ password sync?

3. Have you heard of or had any experiences with the Jamf UI when creating config profiles changing some values of the keys?

I think this particular one should have the wording changed and that might fix the issue since the key takes seconds but, the interface uses

resulted in:

So, the value entered in the UI was multiplied by 3600. The UI should say to enter the number of hours but, we got an error when entering "1". After this we didn't populate that key but, it still did not affect the issues we've been experiencing.

Also, replace "session duration key" with "login frequency" woops.

We've decided to switch to SecureEnclave. During my journey down the rabbit hole of Platform SSO logs I came up with a few variations on a predicate that gave some insight into the problem.

Silent token refresh attempt results
log show --style compact --predicate '(subsystem contains [c] "AppSSO Extensi" or subsystem contains [c] "com.microsoft.ssoextension" or subsystem = "com.apple.AppSSO") and (eventMessage contains "_finishAuthorization:withCompletion:" or eventMessage contains "authorization:didCompleteWithError:")' --debug --info

You can play with variations on this predicate to see some interesting things. The subsystems listed were the ones I found mostly related to SSO. I also looked at keychain and device unlock logs with variations on this predicate. I was able to compare my experience on an Intune managed device running password sync vs our Jamf managed devices. The Jamf implementation at this time seems to have some bugs around the silent refresh. Not surprisingly, the Intune implementation for both password sync and SecureEnclave were both smooth.

The above predicate only showed successful results on my Intune managed device.