Posted on 07-16-2024 11:19 AM - last edited 3 weeks ago
Edited 4SEPT2024: Updated information with the release of Jamf Pro 11.9 for PSSO and Device Compliance. Also added link to Jamf Pro documentation.
https://learn.jamf.com/en-US/bundle/technical-articles/page/Platform_SSO_for_Microsoft_Entra_ID.html
With this method, when a user registers a device with the Platform Single Sign-On flow, the device compliance will automatically be sent to Entra.
In the event that an organization deploys PSSO first and then later configures and deploys Device Compliance, the user must run the "Register Device with Microsoft" policy from Jamf Self Service or the administrator must deploy a policy to run the gatherAADInfo command at least once before device compliance will be reported.
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.trust,com.jamf.management.,com.jamf.protect,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
Posted on 08-01-2024 01:36 PM
What do you set for the Registration Token field?
Posted on 08-01-2024 01:41 PM
Posted on 08-21-2024 02:52 PM
So if 11.7 is not going to work with PSSO, what version will?
Posted on 08-21-2024 03:10 PM
Jamf Pro will work with device registration, but you must manually run the gatherAADInfo command. You also need to make sure a specific order of operations occurs:
A) Device Registration is configured in Jamf Pro. The computer can be in a registered or unregistered state.
B) Push the PSSOe configuration profile to the device
C) Follow the user enrollment steps to activate PSSOe
D) Manually run the following command, either through a policy or in Terminal on the device:
/Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/Jamf\ Conditional\ Access.app/Contents/MacOS/Jamf\ Conditional\ Access gatherAADInfo
A future version of Jamf Pro will automatically run this command with a LaunchDaemon after the device and user have registered PSSOe. I recommend joining the Jamf Pro beta to learn more.
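For step D, here is an added example of a Jamf Pro policy script that runs the gatherAADInfo step with the checks an admin would want in the policy log (binary present, distinct exit status when it is not). It is not code from the thread or from Jamf; it assumes the Jamf Conditional Access binary path quoted above and that Jamf passes custom policy parameters starting at $4.

```shell
#!/bin/sh
# Added example: Jamf Pro policy script for the manual gatherAADInfo step.
# Assumption: binary path as quoted in the thread; JCA_BIN can be overridden
# (for example when testing on a machine without the Jamf management framework).
JCA_BIN="${JCA_BIN:-/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf Conditional Access.app/Contents/MacOS/Jamf Conditional Access}"

# Returns 0 when the Jamf Conditional Access binary exists and is executable.
jca_present() {
    [ -x "$JCA_BIN" ]
}

# Runs gatherAADInfo and returns its exit status. Returns 2 when the binary is
# missing so the policy log shows a distinct failure instead of a silent no-op
# (the compliance state would otherwise never be sent to Entra).
run_gather_aad_info() {
    if ! jca_present; then
        echo "gatherAADInfo: binary not found at: $JCA_BIN"
        return 2
    fi
    echo "gatherAADInfo: running"
    "$JCA_BIN" gatherAADInfo
    rc=$?
    echo "gatherAADInfo: exit status $rc"
    return "$rc"
}

# Jamf passes custom policy parameters starting at $4 ($1-$3 are mount point,
# computer name and username). Run the step only when parameter 4 is "run",
# so the file performs no action when sourced for testing.
if [ "${4:-}" = "run" ]; then
    run_gather_aad_info
    exit $?
fi
```

Set policy parameter 4 to `run` in the Jamf Pro policy so the script actually performs the step; the policy log then records the binary's exit status.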
a month ago
Do you mean you have to go through the Jamf/Intune integration and set up that Device Registration before attempting to set up PlatformSSO?
@rabbitt wrote: Jamf Pro will work with device registration, but you must manually run the gatherAADInfo command. You also need to make sure a specific order of operations occurs:
A) Device Registration is configured in Jamf Pro. The computer can be in a registered or unregistered state.
a month ago
Not sure if I totally understand your question. When you deploy the configurations to a device for PSSOe you have to manually run the alternative jamfAAD command listed above on that computer to get it registered with Entra for the device compliance to start working. Hope that helps.
4 weeks ago
If you were to deploy PSSO first THEN deploy the device registration settings to machines via Jamf Pro (aka enable it in the Jamf Pro Settings -> Global -> Device Compliance), then the expected behavior would still be that you need to open Self Service and select the "Register device with Microsoft" policy.
When you do that, the device has a registration in Entra ID's directory already, so most of the "hard work" is done. But that policy will then run the gatherAADInfo command and link the newly deployed compliance policy with the existing Entra ID UUID for the computer.
When Jamf Pro 11.9 drops, there will be a launchdaemon loaded onto the computer when you enable Device Compliance. The daemon watches for the status of PSSO registration.
But, if you enroll the device in PSSO and THEN deploy Device Compliance, the state of the PSSO registration never changes - it was already registered. So when deploying Device Compliance starts up that LaunchDaemon, it never sees a change to the PSSO status. Therefore you need to run the Register policy again to "force" it to register.
Posted on 08-21-2024 03:15 PM
Doh, it's not jamfAAD gatherAADInfo. Thanks, I did not look closely enough.
3 weeks ago
@rabbitt I thought I sent a question earlier but don't see it here. Do you know if we just need to add all the Kerberos keys to the existing custom plist that we add to the PSSOe profile? If we do that, will it cause re-registration of all devices that have the profile? https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...
3 weeks ago
The answer is "It depends." Unfortunately I've seen two different behaviors when a PSSO profile is updated (which really is two separate commands - remove profile, add a new profile with a new identifier).
Authentication type set to "Password" - usually prompts user to re-register
Authentication type set to "Secure Enclave key" - usually keeps the device registered when the profile is removed, until reboot.
So if you make any changes to the existing PSSO config profile in any way, it will probably require the user to re-register.
a week ago
Has anyone run into an issue with Microsoft apps constantly asking to be logged into again? It seems like everything is talking correctly, as logging into the Mac uses the Entra ID password credentials, but all the Microsoft applications (Teams, Edge, OneDrive, etc.) keep logging out and asking to be logged into again frequently throughout the day. I feel like I'm missing something, but can't figure it out.
Tuesday
We have set up PSSOe with Jamf + MS Entra and are running a Jamf Pro 11.9.1 server. After PSSOe is enabled on the Mac, under Keychain > login, the MS Organization Access certificate is removed. After this specific certificate is removed, we are not able to open any organization sites. Any idea?
Tuesday
Tuesday
We are running Jamf Pro 11.9.1 and we are not facing a non-compliance issue. Yes, we know the above command will help make the Mac compliant.
Tuesday
Only question: once PSSOe is enabled, why is the certificate removed from the keychain? We know this specific certificate helps to access the intranet site. We have compared 2 Macs, one with PSSOe and another without PSSOe enabled. Once PSSOe registration is completed, the MS workplace join key (private key) is removed and does not block intranet access.
Tuesday
Once PSSOe registration is completed, the MS workplace join key (private key) is removed and it blocks intranet access.
Tuesday
Because it moves from the keychain to the Secure Enclave, find a different cert to use. My guess would be that deploying a PKCS device/user cert from your CA would be the better thing to do. Or change your intranet policy to ask the device if it is compliant and use MSAL auth.