Microsoft Enterprise SSO plug-in for Apple devices

n_lecchi
Contributor

I'm testing this MS plug-in for SSO

It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.

Anyone have experience in SSO in Office 365 apps?

117 REPLIES 117

It appears the config worked for the MS suite, but my tester mentioned GP could not connect after they rebooted. Wondering if its the 

<key>browser_sso_disable_mfa</key>

Does this key stop MFA's like DUO and MS Authenticator from appearing?  We want that in our environment. 

GabeShack
Valued Contributor III

Here is what I saw on that, and for some reason I had to set this, im sure there was some issue:

Disable asking for MFA during initial bootstrapping

By default, the Microsoft Enterprise SSO plug-in always prompts the user for MFA during the initial bootstrapping and while getting a shared credential. The user is prompted for MFA even if it's not required for the application that the user has opened. This behavior allows the shared credential to be easily used across all other applications without the need to prompt the user if MFA is required later. Because the user gets fewer prompts overall, this setup is generally a good decision.

Enabling browser_sso_disable_mfa turns off MFA during initial bootstrapping and while getting the shared credential. In this case, the user is prompted only when MFA is required by an application or resource.

To enable the flag, use these parameters:

  • Key: browser_sso_disable_mfa
  • Type: Integer
  • Value: 1 or 0

We recommend keeping this flag disabled because it reduces the number of times the user is prompted to sign in. If your organization rarely uses MFA, you might want to enable the flag. But we recommend that you use MFA more frequently instead. For this reason, the flag is disabled by default.

Gabe Shackney
Princeton Public Schools

I did see that. Your profile was enabled but its disabled by default, so I removed it.  The GP issue maybe a separate issue. Possibly coincidence.

**Update**.  My tester confirmed Teams stopped working again.  He could authenticate but across the top he receives the 'we are not able to establish a connection'. I have seen this before.  This extension has been a big pain for some people. I have tickets open with Apple and Jamf. Can't pin point when or why this occurs.  But it's only Monterey and only Teams. Apple built my Extension which worked flawlessly until 12.x

GabeShack
Valued Contributor III

I see.  We are not a teams heavy district so I probably have not gone back to check that it worked after the first launch, but I do know teams is separately developed than the rest of the office apps.  

 

How are you installing the microsoft apps?  By app store or by the https://macadmins.software download package?  I use the latter, installing the business pro version during enrollment.

Gabe Shackney
Princeton Public Schools

and removing the profile Teams works again...Screen sharing images/pictures was blocked until we removed the profile. Very strange.
I used to use MAS for Office but the Update issue and asking for an Apple ID to do updates (users would enter their ID but it failed), caused us to remove the MAS office and reinstall from portal anyway.  in Catalina drove me away from that method. Now I download the entire suite from O365 portal, upload in Jamf and deploy as part of our DEP Notify workflow. The apps then update themselves. Of course I update the package as well. It works for now. I may test the MAS deployment again.

GabeShack
Valued Contributor III

@pueo 

Yea, from what I've been told its best to use the installers on macadmins

SO I just checked teams again, and i'm guessing between last week and this week an update hit that is breaking it.  When it worked for us, it would show a drop down menu with the user name already populated that you can click on.  Now Im seeing the same behavior as you describe.  I've reached out to microsoft as well.  What it looks like though is their Teams app is designed with non native apple developer tools.  It has elements of "Electron" which is horrible at making mac apps.  I cant even get an bundle identifier for teams if i do a osascript -e 'id of app "Microsoft Teams"' it errors out.  I know teams is a different division and doesnt seem to have a Natively developed mac app as well as the updater not being a part of the office updater pieces.  Its pretty bad.  All that being said, I wonder if one of the other processes that are running are what need to be added to the sso plist like Microsoft teams helper or the electron or squirrel processes.

Gabe Shackney
Princeton Public Schools

Hello @GabeShack 

Sorry for the delay, just pushing out my Nudge, Erase Install Monterey upgrade for past few days.

What you are experiencing is spot on to my random issue.  
It was pointed out to me this morning when people upgrade to Monterey the MS Extension is removed. I do recall adding that in to prevent a storm of requests especially from our CTO and other SVP's who live in various parts of the world. 
I tried with your extension on one machine where Teams did not work, and it just did not work at all. Remove the profile, Teams loads.

Apple are asking me who in Apple told me to use the SSO Extension since I have a ticket opened with them.

I have to figure out a way to put the extension back on but we rely heavily on Teams and can't afford to have people calling the SD about Teams not working.

pueo
Contributor II

A co worker sent me this regarding Teams:  Teams dropping Electron for Edge Webview 2 

Its not out yet, but we can hope.

Hey Gabe,
With above Plist, is SSO working with your Chrome, and Edge browser? No password prompts?

Any chance to find a way to make Chrome, and Edge working?

R_C
Contributor

Im having issues with SSO and Safari.

When trying to access myapplications.azure.us it just will not redirect to login.microsoftonline.us and just sits on a white page.

If I go directly to login.microsoftonline.us in Safari then the SSO appears to work and login without issue.

I also tested with the plist above to no avail.

Test system is macOS 11.6.

Anyone else experience similar issues?

Scott_Conway
New Contributor III

We have also been unable to get any version of the plist working for the SSO on the apps themselves.  We had opened a ticket with Microsoft about this and they mentioned that there is a known bug with Azure tokens and the Mac office apps, but the details were a little hazy.  They claimed a fix was on the way in October, but I don't have the fullest confidence.

The only place SSO is working for us is on the Microsoft websites.

Have you hear anything from Microsoft regarding the October Fix?

Recent testing of Azure and Office Apps using Azure SSO leads me to believe that nothing has been fixed, and your lack of confidence with MS is correctly placed.

Scott_Conway
New Contributor III

I haven't gotten any update from Microsoft (as I suspected). We have still been unable to get apps to use SSO.

mahesh2611
New Contributor

Hi n_lechi,

I have got SSO working for Office 365, Outlook, other apps and works fine with all browsers ( safari, chrome, mozilla, etc.)

You can try miniOrange SSO for the same.

We federated our domain and with some basic configuration we are ready with the SSO solution.

You may check SSO for Office 365.

TobiasO
New Contributor III

Hi Mahesh,

I am going to reply to this while it's an old topic, but advising to use a 3rd party paid software solution does not seem like a right solution here.

GabeShack
Valued Contributor III

I've just started getting back to this.  I have gotten all microsoft apps working and am working on making Jamf Connect become the boot strap for the sso.  

My few hiccups are, iCloud prompts twice for the federated apple id login (once with the system prompt and once with the SSO prompt), Adobe Creative Cloud just will not utilize the SSO even though this is also a federated account login.

All the Microsoft Apps are now completely logged in and instead of showing a drop down with the name, are just logged in correctly since the plist now has the "disable_explicit_app_prompt_and_autologin" key in place.   Zoom seems to just need one click and its logged in completely.  And all Safari logins are good to anything microsoft.

 

my plist for com.microsoft.CompanyPortalMac.plist is set as the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppAllowList</key>
	<string>com.apple.SetupAssistant,com.adobe.AdobeIPCBroker,com.adobe.CRDaemon,com.adobe.ccd.helper,com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac,com.adobe.acc.AdobeCreativeCloud,com.adobe.acc.AdobeDesktopService,us.zoom.xos,zoom.us,com.jamf.connect.login,com.adobe.acc.installer.v2</string>
	<key>AppPrefixAllowList</key>
	<string>com.adobe.</string>
	<key>Enable_SSO_On_All_ManagedApps</key>
	<integer>1</integer>
	<key>browser_sso_disable_mfa</key>
	<integer>1</integer>
	<key>browser_sso_interaction_enabled</key>
	<integer>1</integer>
	<key>disable_explicit_app_prompt_and_autologin</key>
	<integer>1</integer>
</dict>
</plist>
Gabe Shackney
Princeton Public Schools

@GabeShack Is this documented by Microsoft somewhere? I'm wondering if this is officially supported yet by them.

Is MS Company Portal or Intune involved? Can we achieve SSO for MS apps with Jamf Pro / Azure AD / Jamf Connect?

GabeShack
Valued Contributor III

So I've essentially solved the Creative Cloud login issue by making creative cloud only authenticate through the default browser which at first login is Safari ; ) so now of course that works since Safari is working with the SSO!  Since switching the install of creative cloud to happen during enrollment complete, its preinstalled in the background before the user logs in and since switching it to browser based authentication it automatically opens a safari window on first login. Which then my 1st time user login script auto types their username into the browser and hits enter to authenticate Creative Cloud solving another no touch step.

In my above .plist settings you can remove all the "com.adobe" entries since they wont do anything.

 Still not getting chrome or firefox, and currently it looks like there is no way to pass the token from jamf connect to the user during the first login since the user gets created after jamf connect runs, but we are much closer to a "no touch" deployment.

 

EDIT: I just have to say I really do dislike this new Jamf Discussions.  It keeps posting my replies out of order...

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

@MrRoboto Yes, the one requirement is that the MS Company Portal app must be installed (it doesn't have to be setup at all or opened or used) on the machines for sso to work.

This is the disclaimer from Microsoft:

"This feature is in public preview. This preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see Supplemental terms of use for Microsoft Azure previews."

 

@Scott_Conway 

Links to the documentation: (which I had to piecemeal from about 3 or 4 azure articles:

https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

https://techcommunity.microsoft.com/t5/intune-customer-success/best-practice-examples-for-configurin...

https://docs.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-maco...

https://docs.microsoft.com/en-us/mem/intune/configuration/device-features-configure#single-sign-on-a...

Im now pushing the Microsoft Company Portal Installer along with the SSO configured configuration profile that includes the above xml plist options and until I can use jamf connect to be the boot strap, its using the iCloud login (since we use managed federated apple ids with Microsoft logins.  So we see a slight issue where it prompts them for their email and password twice in iCloud, but once that is done, everything else (aside from Creative Cloud) is logged completely in.

Here is the Config Profile we have working:

 

Screen Shot 2022-02-02 at 11.04.00 AM.png

 

Screen Shot 2022-02-02 at 11.04.07 AM.png

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

I should also note, I am only testing this on newly enrolled machines with 11.6.3 or 12.2.

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

I also am not getting Chrome or Firefox to work with this extension.  Im assuming the 3rd party mini orange has extra hooks for other apps (possibly browser extension add ons?).  I pinged @pbowden who was going to put me in touch with some teams that handle the different pieces of SSO at Microsoft, but I think he got busy again.

I've also tried to get Jamf Connect to tie in and am working with my CSM at Jamf to push the info toward that team in hopes of that whole "no touch" set up lol.

Still I'm unable to get Creative Cloud to utilize it but I'm guessing Adobe's mess of an app just isn't built correctly.  If I can figure a way to bounce the authentication process from Creative Cloud to safari then it can still be auto logged in, but I cant find any plist entries to make it open a safari window for authentication.

So all the things I have working with sso are:

1.  Our federated and Managed apple ids work to set the first SSO login on the device (albeit with a double prompt during setup assistant).

2.  All the microsoft office apps are already logged in and don't need you to even click on a name (still giving me the privacy warning from microsoft though so I'll have to go further into that).

3.  Zoom is already logged in when it gets opened...just need to click the main "Launch Zoom" button that shows when its opened and the user is already there without any passwords needed.

4.  Safari logs in to any microsoft logins without issue.

 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Fun update today....I got adobe creative cloud working now as well!  Just had to make the installer for it with the login from browser option enabled, and since we use federated accounts for adobe, as long as the email is typed in then its already logged in!  So now  I'm back to scripting the automation of the first login to type the email address for the logged in user into the field in the browser and hit enter.

Gabe Shackney
Princeton Public Schools

Hey Gabe,

What is your workflow? Where do your users first sign in? I've installed CP and added the config profile you've suggested above but all MS apps still require my users to log in. Do I need to install CP before the MS apps? 
Can CP get the credential from the Kerberos SSO Extension?  

GabeShack
Valued Contributor III

So I push the company portal app as an enrollment package in the prestage along with the office installer. I also push the config profile with the prestage as well. We use JAMF connect for a tie in to Microsoft azure and that is the first sign in screen however we can’t get JAMF connect to be the “boot strap” for the Microsoft sso.
The first sign in with a Microsoft account should hold the credentials and in our workflow it’s the iCloud sign in that triggers it all. Another slight glitch is that the iCloud sign in prompts for user name and password twice. Once for the sso plug-in and once for apples standard login. 

Just having the company portal app and config profile installed before the user logs in should be enough from what I’ve at least tested. 

hope that helps. 

Gabe Shackney
Princeton Public Schools

I've tried logging into Chrome, Safari and Outlook but regardless when I open Teams, OneDrive or Adobe CC it still prompts for username/email and password.

GabeShack
Valued Contributor III

I should also note that all of this still requires one successful login to create the boot strap. It needs one Microsoft sign in to happen. 

with creative cloud I created a universal installer package from Adobe admin that requires “browser based logins”. I have creative cloud install as an enrollment complete package so when the user logs in it auto opens a browser window to login to creative cloud. (We use federated o365 logins for creative cloud as well) I created a script that types the current users email address into the safari window and hits enter which then logs them in (due to them already having logged in with iCloud in the setup assistant). It’s a bit complex but works great. 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Also chrome doesn’t support the Microsoft sso so far that I can tell at this point. 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

@djrory here is a screen shot of our sso config profile. It has a ton of extra stuff in the app approval settings that aren’t needed (you can lose all the Adobe stuff as it doesn’t work as well as the chrome and Firefox stuff.  But use redirect and not Kerberos as seen below. 

GabeShack_0-1644898240414.png

GabeShack_1-1644898299515.png

GabeShack_2-1644898382075.png

GabeShack_3-1644898427090.png

GabeShack_4-1644898524094.png

 

Gabe Shackney
Princeton Public Schools

Thanks Gabe that's really helpful. 
I've replicated pretty much everything above but I'm finding the actual PLIST file does not seem to take? Am I looking at the right plist? 

Screen Shot 2022-02-15 at 3.22.24 pm.pngScreen Shot 2022-02-15 at 3.24.13 pm.png

GabeShack
Valued Contributor III

You should just create it from scratch and set the keys with the “defaults” command, but before you upload it into the config profile you have to convert the file with this command 

plutil -convert xml1 ~/Desktop/com.microsoft.CompanyPortalMac.plist

Gabe Shackney
Princeton Public Schools

I did convert it, but I didn't create from scratch. I'll give that a go now. Cheers

GabeShack
Valued Contributor III

I actually haven’t checked the plist that gets written after but it shouldn’t matter. 

when I’m back in the office tomorrow I’ll take a look. Also I’m wondering if my Microsoft setting config profile is helping in my case. I have another config just to set up the Microsoft apps 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Another note, Im not sure if this affects our workflow vs other workflows, but upon first opening of word I have a script that runs which sets a default email activation setting to word...wondering if that is affecting this in any way.  We see no issues with this (although I cant seem to get rid of the privacy screen for microsoft no matter what settings I try in our microsoft autoupdate and app settings config profile).

 

#!/bin/bash 
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
domain=$"@yourdomain.org"
sudo -u $currentUser defaults write com.microsoft.office OfficeActivationEmailAddress -string "$currentUser$domain"
sleep 2
sudo -u $currentUser open "/Applications/Microsoft Word.app"
sleep 5

 

Gabe Shackney
Princeton Public Schools

TobiasO
New Contributor III

After updating my MacOS to 12.2.1 this no longer seems to work for me. Upon registering the device to intune, and signing in, the last part of Safari would automatically sign in. (The part where you get a popup to press Continue)
This now required me to enter a password.

Office apps and my VPN client also no longer get SSO. 

Anyone experiences the same, and/or has found a workaround/solution yet?

GabeShack
Valued Contributor III

Im using 12.2.1 and it is seeming to work properly (aside from the dumb teams piece).  However we do not use intune so not sure about that side of it.  We just push the authenticator app and use the sso config profile and its been working well.

Gabe Shackney
Princeton Public Schools

TobiasO
New Contributor III

Hi Gabe, 

 

I didn't notice anything at first, only after doing a fresh install.

 

If you have a chance, could you see if you get the same behavior on a fresh install? 

 

I'm using a similar config as you have through Jamf. Straight after the update I did a factory reset and it broke for me. 

 

Much appreciated!

 

-Tobias

GabeShack
Valued Contributor III

We are using both the erase-install script and using the wipe command from jamf directly when we re-enroll devices.  This is still working for us as of the 10 we erased today.

Gabe Shackney
Princeton Public Schools

TobiasO
New Contributor III

Looks like it had something to do with my home network. It works again at the office!