Microsoft Enterprise SSO plug-in for Apple devices

n_lecchi
Contributor

I'm testing this MS plug-in for SSO.

It works fine with Safari, but I'm not able to use it with desktop apps like the Office 365 ones.

Anyone have experience with SSO in Office 365 apps?


GabeShack
Valued Contributor III

I've done a little reworking of our install order and now I'm seeing the SSO piece being broken again in 12.3. I previously had the Company Portal app in the PreStage packages to install, but now moved it to happen after enrollment, and perhaps that's the issue, but on a 12.3 install I'm not getting any indication that SSO is working.

Gabe Shackney
Princeton Public Schools

btowns
New Contributor III

Is anyone able to get this working for Office apps or OneDrive?

Even using the simple example plist that MS provides, I'm not able to get it to work for Office.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>

n_lecchi
Contributor

I have gone ahead with other tests, with macOS Ventura too. SSO now seems to work better, but it requires authentication again for the first app.

Now using Jamf Connect Login, with only 1 authentication the user can:
1. Enroll the Mac (ADE) with Azure credentials
2. Create a local account
3. Log in the user
4. Connect Jamf Connect (menu bar)
So, the enrollment is complete, with 1 authentication request only.

The problem starts with configuration:
1. Company Portal registration requests another authentication plus authorization for JamfAAD access to the key "MS Workplace Join Key"
2. Then, the first app opened requests authentication again

I'm looking for a streamline process for enrollment and configuration in one shot authentication. Any idea?

pueo
Contributor II

Hello.
Are you using the new SSO Apple are baking into Ventura for a streamlined login experience, or the SSO profile you can configure for applications like Safari and MS apps (Teams, Outlook etc.)?

Karl941
New Contributor III

Hi there, I have configured the SSOE with redirection to MS servers to authenticate through Azure and so far it works pretty well with Safari and local MS apps. However, when SSOE is enabled, I am unable to log into my JamfCloud instance through Safari; it always notifies me that SSO has expired. Any thoughts? I already cleared all Safari cookies and privacy stuff but same issue.

I get the same here @Karl941, did you ever get anywhere with this?

Karl941
New Contributor III

Still not, unfortunately. Anyone in this group maybe?

I managed to get it working. I believe this was due to groups in the LDAP group membership. It saw I was in one group that does not have access; a "later" group does, but it ignores that and takes the first group membership.
We fixed it by removing the catch-all group we had that was used for enrollment. Since then it works fine. Alternatively, name your main Jamf admin group AAAAA_Group_Name so it is seen first ;)

bwoods
Valued Contributor

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.adobe.,com.jam.,com.jamfsoftware.,com.jamf.</string>
    <key>AppAllowList</key>
    <string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.edgemac</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>browser_sso_disable_mfa</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt_and_autologin</key>
    <integer>1</integer>
</dict>
</plist>

leobrt
New Contributor III

Good morning,
Has anyone here continued testing and using the Microsoft Enterprise SSO Plugin? For my part, I followed this Microsoft procedure:
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-int...
By installing the Company Portal app through Jamf, then installing the following configuration profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppAllowList</key>
	<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.microsoft.Yammer,com.microsoft.edgemac,com.microsoft.edgemac.local,com.microsoft.msedge,com.microsoft.rdc.macos,com.jamfsoftware.selfservice.mac</string>
	<key>AppPrefixAllowList</key>
	<string>com.microsoft.,com.apple.,com.adobe.,com.jamfsoftware.,com.jamf.</string>
	<key>browser_sso_disable_mfa</key>
	<integer>1</integer>
	<key>browser_sso_interaction_enabled</key>
	<integer>1</integer>
	<key>disable_explicit_app_prompt_and_autologin</key>
	<integer>1</integer>
</dict>
</plist>

It works on macOS 13.2.1; I haven't noticed any bugs yet. Do you know if it is possible to extend it to Firefox or Chrome today?
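Several posts in this thread (bwoods's and leobrt's profiles above among them) differ only in their ExtensionData keys, and at least one of them sets browser_sso_disable_mfa. The following added example (not from the thread, Microsoft or Jamf) parses a constructed ExtensionData plist with Python's standard plistlib, answers whether a given bundle ID would be covered, and lists the points a reviewer would raise before scoping the profile. It assumes AppAllowList is matched exactly and AppPrefixAllowList by prefix, which is how the posts use them.

```python
import plistlib

# Constructed sample ExtensionData shaped like the plists posted in this thread;
# the "com.jamf" prefix is deliberately missing its trailing dot to show over-matching.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf</string>
    <key>AppAllowList</key>
    <string>com.jamfsoftware.selfservice.mac</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>browser_sso_disable_mfa</key>
    <integer>1</integer>
</dict>
</plist>
"""

def load_extension_data(data: bytes) -> dict:
    # plistlib understands the XML plist format used in the profile payload
    return plistlib.loads(data)

def _csv(cfg: dict, key: str) -> list:
    # the list keys are comma-separated strings; drop empty entries
    return [v.strip() for v in cfg.get(key, "").split(",") if v.strip()]

def app_is_allowed(cfg: dict, bundle_id: str) -> bool:
    # Assumed semantics: AppAllowList is an exact match, AppPrefixAllowList a prefix match
    if bundle_id in _csv(cfg, "AppAllowList"):
        return True
    return any(bundle_id.startswith(p) for p in _csv(cfg, "AppPrefixAllowList"))

def review_config(cfg: dict) -> list:
    # Findings a reviewer would raise before scoping the profile to users
    findings = []
    if cfg.get("browser_sso_disable_mfa") == 1:
        findings.append("browser_sso_disable_mfa=1 disables MFA for browser SSO; "
                        "check this against your Conditional Access policy")
    if cfg.get("browser_sso_interaction_enabled") != 1:
        findings.append("browser_sso_interaction_enabled is not 1: Safari cannot "
                        "bootstrap the PRT, so an MSAL app must sign in first")
    for prefix in _csv(cfg, "AppPrefixAllowList"):
        if not prefix.endswith("."):
            findings.append(f"prefix {prefix!r} lacks a trailing dot and also matches "
                            f"unrelated bundle IDs such as {prefix}other.app")
    return findings

def review_sample() -> list:
    return review_config(load_extension_data(SAMPLE_PLIST))
```

Run it against your own exported ExtensionData instead of SAMPLE_PLIST to see which apps the profile actually covers before enabling it for users.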

Karl941
New Contributor III

Hi @leobrt

If you're using AzureAD as IDP to authenticate into your JamfCloud instance, how does SSO work with your configuration and Safari, please?

leobrt
New Contributor III

Hi @Karl941,
We don't currently use it, despite having incorporated it into my configuration profile. Following the Jamf and Microsoft documentation, you did not succeed?

Karl941
New Contributor III

Nope, the SSO will work for 8 hours and then it will always fail to SSO because of the token expiration; SSO does not renew it (Jamf SSO error message). I cleared everything from Safari but it did not fix it. I was thus curious to know how it behaved for other members of the Jamf community.

ali_fadavinia
New Contributor III

Hey JAMF experts,

The attached plist is working for SSO in Safari for us, but it's not working for Chrome or Edge. Any solution, or has someone found a workaround?


<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>

Currently you don't with FF, Brave and Chrome.

pueo
Contributor II

Hey All

Following this thread is confusing as posts are not in order by date but we will see who reads this and has some information.

Every so often I spend time with the SSO profile then move on to other things. It mostly works on my test computers except for FF and Chrome (I knew about this years ago when Apple mentioned it to me during a Pro D session).

Anyway... private browsing... is there a setting to NOT have the SSO settings replicate to a private browser session? My boss said SSO for general stuff is great, but what about Private Browsing? Can we add a <key> to prevent SSO in private browsers (to test other accounts etc.)?

Cheers

Ash

GabeShack
Valued Contributor III

It doesn't look like Chrome or Firefox have built in any support for the Microsoft SSO. However, we did find a good extension in Chrome to keep them logged in, called "Windows Accounts".

Gabe Shackney
Princeton Public Schools

Hello @GabeShack
The reviews for the plug-in are very mixed. How is the extension working for your environment? We have an Azure environment with Chrome being our 'default' browser followed by Edge.

arcit
New Contributor

I have a shared iPad setup, and when the SSO plugin is enabled, the Teams app won't sign in at all. It gives the following error: Something went wrong. The device is not set up properly. When the SSO policy is turned off, I can sign in normally. Any ideas? I've tried to exclude the Teams bundle ID, but nothing seems to work.

Currently I have the following keys:

AppPrefixAllowList: com.microsoft.,com.apple.
disable_explicit_app_prompt
browser_sso_interaction_enabled
disable_explicit_app_prompt_and_autologin
Enable_SSO_On_All_ManagedApps
browser_sso_disable_mfa

GabeShack
Valued Contributor III

The requirement for the iPads is also having the Microsoft Authenticator app installed. More info here: https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

I'm actually exploring switching away from this and seeing if I can implement the Apple SSO instead.

Gabe Shackney
Princeton Public Schools

arcit
New Contributor

Yeah, Authenticator is deployed. SSO in the Safari browser works just fine. For the Teams app I have to manually enter the username; it doesn't matter what username I enter, clicking Next always generates the same error.

MrRoboto
Contributor III

Enterprise SSO was working fine during Preview and General Release up until this week. Now it only works with Teams and Safari. All installed apps (Word, Excel, PowerPoint, Outlook) experience a sign-in or network error. I downloaded the troubleshooting scripts, and it passes all tests. The issue happens on new or existing macOS installs. The JSS config profile is exactly the same as the documentation. I just opened a support case and am waiting to hear back. Has anyone else noticed things completely breaking this week?

kennetha
New Contributor III

We're seeing the same thing. We've just started testing Jamf Connect and the Enterprise SSO Extension. Thought the login issues in MS apps were related to our Conditional Access MFA policy, but it works fine in Safari and Teams indeed... Seems to be a widespread issue. Could it be related to Jamf Connect 2.24.0? Since it worked for you earlier?

MALmen
New Contributor III

We are not using Jamf connect at all but facing the same issue this week.

kennetha
New Contributor III

Yeah, it's not Connect. Tried with 2.23.0 and a few older versions without luck. Seems to be tied to the SSO Extension. Connect is unrelated.

Confirming we are seeing a similar issue when trying to log into OneDrive, Server error 2605 paired with a keychain error. Seems to have just come up this week. Azure sign in logs report OneDrive syncengine error.

Authentication requirement: Single-factor authentication
Status: Failure
Continuous access evaluation: No
Sign-in error code: 50000
Failure reason: There was an error issuing a token or an issue with our sign-in service.

12 hours ago I experienced this and just called it a night and put the Mac to sleep. I woke it up now, and SSO just worked. Not sure if it's just fixed by now or what.

MALmen
New Contributor III

Noticed the same in our environment today :(

MALmen
New Contributor III

Please keep us informed about the case if you hear anything back :)

MrRoboto
Contributor III

No updates on my MS support case. There are some updates from MS staff on MacAdmins Slack #microsoft-aad:

We've identified a breaking service change that is causing this issue thanks to those logs. We're evaluating the impact and mitigation options right now.

The issue is caused by a server side regression, shipped around 6/8. We're working on a server side mitigation of the regression, and I'll keep this thread updated on the progress.

Yes, temporarily un-scoping SSO extension for impacted Office apps and users would be a workaround for now.

MALmen
New Contributor III

Thank you for the update, and keep us posted on the progress :) Really appreciated! ❤️

MALmen
New Contributor III

It started to work in our environment today.

kennetha
New Contributor III

Seems to work here as well. Won’t roll out SSOE in production until it’s been stable for a while though.

GrahamRiley
New Contributor

We are having a few issues with the Extension on 12.6.6. We have followed the guidance from Microsoft. We are not using Jamf Connect. We are doing the initial sign-in via Safari (microsoft365.com) but then finding that other Microsoft apps do not immediately sign in. Only after quitting and relaunching these apps are we signed in, and even then it does not silently auto sign us in to all apps. For Office apps it will silently sign us in; however, for OneDrive and Teams it will only pre-populate the username field, and we then have to click Login. We do have additional policies set for OneDrive.

btowns
New Contributor III

For OneDrive and Teams this is expected; the sign-in webview implementation must be different from the rest of Office and isn't fully compatible with the plugin.

With the plugin, to get the initial PRT or "SSO token", the sign-in must be done through a compatible app, not a browser.

Taken from the below URL:

https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-mac-sso-extension-plug...

Not all Microsoft first-party native applications use the MSAL framework. At the time of this article's publication, most of the Microsoft Office macOS applications still rely on the older ADAL library framework, and thus rely on the Browser SSO flow.

Which means it has to be a browser (Safari) that is used initially to generate the token. Which is fine... We launch Safari and are greeted with the SSO pop-up, which we then sign into.

btowns
New Contributor III

Ah, yes, you can bootstrap the PRT with Safari when you have enabled browser_sso_interaction_enabled.

Edit:
Bootstrapping doesn’t need to be done with Safari, you can get a PRT from any app that uses MSAL.

bwoods
Valued Contributor

Based on what I've seen from Okta, it looks like Platform SSO will soon be a replacement for this plug-in. I'm just going to wait until MS supports Platform SSO. I haven't had much luck with the plug-in.