Microsoft Enterprise SSO plug-in for Apple devices
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-21-2021 08:03 AM
I'm testing this MS plug-in for SSO
It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.
Anyone have experience in SSO in Office 365 apps?
- Labels:
-
Microsoft Intune
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-15-2022 01:59 PM
Ive done a little reworking of our install order and now I'm seeing the sso piece being broken again in 12.3. I previously had the company portal app in the prestage packages to install, but now moved it to happen after enrollment, and perhaps thats the issue, but on a 12.3 install im not getting any indication that sso is working.
Princeton Public Schools
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-03-2022 05:00 AM
Is anyone able to get this working for Office apps or OneDrive?
Even using the simple example plist that MS provides, I'm not able to get it to work for Office.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-25-2022 02:55 AM
I am gone away with other test, with macOS Ventura too. SSO now seems works better, but it require again authentication to the first App.
Now using Jamf Connect Login with only 1 authentication the user can:
1. Enroll the Mac (ADE) with Azure credential
2. Create local account
3. Login the user
4. Connect Jamf Connect (menu Bar)
So, the Enrollment is complete, with 1 authentication requesy only
The problem starts with configuration:
1. Company Portal Registration requests another authetication plus authorization for JamfAAD access to key "MS Workplace Join Key"
2. Than, the first App opened requeste again authentication
I'm looking for a streamline process for enrollment and configuration in one shot authentication. Any idea?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-26-2022 01:53 PM
Hello.
Are you using the new SSO Apple are baking into Venture for a streamlined login experience or the SSO Profile you can configure for Applications like Safari, MS apps - teams, outlook etc?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-14-2022 08:04 AM
Hi there, I have configured the SSOE with redirection to MS servers to authenticate through Azure and so far, it works pretty well with Safari and local MS apps. However, when SSOE is enabled, I am unable to log into my JamfCloud instance through Safari, always notifying me that SSO has Expired. Any thoughts ? I already cleared all Safari cookies and privacy stuff but same issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-30-2022 12:39 AM
I get the same here @Karl941 , did you ever get anywhere with this?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-30-2022 06:01 AM
Still not unfortunately. Anyone in this group maybe ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2023 09:52 AM
I managed to get it working. I believe this was due to groups in the LDAP group membership. It saw I was in one group, that does not have access, but a "later" group does, it ignores that and takes the first group membership.
We fixed it by removing the catch all group we had that was used for enrollment. Since then it works fine. Alternatively name your main jamf admin group AAAAA_Group_Name so it is seen first ;)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-02-2023 10:51 AM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.adobe.,com.jam.,com.jamfsoftware.,com.jamf.</string>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.edgemac</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-20-2023 12:57 AM - edited 03-20-2023 01:00 AM
Good morning,
Has anyone here continued testing and using the Microsoft Enterprise SSO Plugin? For my part, I followed this Microsoft procedure:
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-int...
By installing the Company Portal app through Jamf, then installing the following configuration profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.microsoft.Yammer,com.microsoft.edgemac,com.microsoft.edgemac.local,com.microsoft.msedge,com.microsoft.rdc.macos,com.jamfsoftware.selfservice.mac</string>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.adobe.,com.jamfsoftware.,com.jamf.</string>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>
It works on macOS 13.2.1, I haven't noticed any bugs yet. Do you know if it is possible to extend it on Firefox or Chrome today?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2023 06:21 AM
Hi @leobrt
If you're using AzureAD as IDP to authenticate into your JamfCloud instance, how's SSO work with your configuration and Safari please?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-20-2023 06:37 AM
Hi @Karl941 ,
We don't currently use it, despite having incorporated it into my configuration profile. Following the Jamf and Microsoft documentation you did not succeed?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-21-2023 01:29 PM
Nope the SSO will work for 8 hours and then it will always fail to SSO because of the token expiration, SSO does not renew it (Jamf SSO error message). I cleared everything from Safari but it did not fix it. I was thus curious to know about how it behaved to other members of the Jamf community?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-11-2023 03:02 PM
Hey JAMF experts,
The attached plist is working SSO for us in Safari, but it's not working for Chrome, Edge. Any solution or someone could find a workaround?
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2023 12:23 PM
Currently you don't with FF, Brave and Chrome.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-12-2023 12:19 PM
Hey All
Following this thread is confusing as posts are not in order by date but we will see who reads this and has some information.
Every so often I spend time with the SSO profile then move onto other things. It mostly works on my test computers except for FF and Chrome (I knew about years ago when Apple mentioned it me during a Pro D session).
Anyway....private browsing...is there a setting to NOT have the SSO settings replicate to a private browser session? My boss said SSO for general stuff is great, but what about Private Browsing? Can we add a <key> to prevent SSO in private browsers (test other accounts etc)?
Cheers
Ash
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-09-2023 06:04 AM
It doesnt look like chrome or Firefox have built any support in for the microsoft sso. However we did find a good extension in chrome to keep them logged in called "Windows Accounts".
Princeton Public Schools
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2023 09:44 AM
Hello @GabeShack
The reviews for the plug in are very mixed. How is the extension working for your environment? We have an Azure environment with Chrome being our 'default' browser followed by Edge.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-08-2023 06:35 AM - edited 06-08-2023 06:38 AM
I have a shared iPad setup, and when the SSO plugin is enabled, the Teams app won't sign in at all. It gives the following error: Something went wrong. The device is not set-up properly. When the SSO policy is turned off, I can sign in normally. Any ideas? I've tried to exclude the Teams bundle ID, but nothing seems to work.
Currently I have the following keys:
AppPrefixAllowList: com.microsoft.,com.apple.
disable_explicit_app_prompt
browser_sso_interaction_enabled
disable_explicit_app_prompt_and_autologin
Enable_SSO_On_All_ManagedApps
browser_sso_disable_mfa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2023 06:43 AM
The requirement for the iPads is also having the Microsoft Authenticator app installed.More info here. https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
Im actually exploring switching away from this and seeing if i can implement the apple soo instead.
Princeton Public Schools
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2023 06:49 AM
Yeah, Authenticator is deployed. SSO in the safari browser works just fine. For the Teams app i have to manually enter the username, it doesn't matter what username I enter, clicking next always generates the same error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2023 09:03 AM
Enterprise SSO was working fine during Preview and General Release up until this week. Now only works with Teams and Safari. All installed apps (Word, Excel, Powerpoint, Outlook) experience a sign in or network error. I downloaded the troubleshooting scripts, passes all tests. Issue happens on new or existing macOS install. JSS config profile is exactly the same as documentation. I just opened a support case and waiting to hear back. Has anyone else noticed things completely breaking this week?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2023 02:17 PM
We're seeing the same thing. We've just started testing Jamf Connect and Enterprise SSO Extension. Thought the login issues in MS apps was related to our Conditional Access MFA policy, but works fine in Safari and Teams indeed... Seems to be a widespread issue. Could it be related to Jamf Connect 2.24.0? Since it worked for you earlier?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2023 05:37 AM
We are not using Jamf connect at all but facing the same issue this week.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2023 05:38 AM
Yeah, it's not Connect. Tried with 2.23.0 and a few older versions without luck. Seems to be tied to the SSO Extension. Connect is unrelated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2023 04:13 PM
Confirming we are seeing a similar issue when trying to log into OneDrive, Server error 2605 paired with a keychain error. Seems to have just come up this week. Azure sign in logs report OneDrive syncengine error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-13-2023 05:36 AM
12 hours ago, I experienced this and just called it a night, put the mac to sleep. I wake it up now, and SSO just worked. Not sure if it's just fixed by now or what.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2023 05:34 AM
Noticed the same in our environment today :(
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-12-2023 02:25 AM
Please keep us informed about the case if you hear anything back :)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-12-2023 09:01 AM
No updates on my MS support case. There are some updates from MS staff on MacAdmins Slack #microsoft-aad..
We've identified a breaking service change that is causing this issue thanks to those logs. We're evaluating the impact and mitigation options right now.
The issue is caused by a server side regression, shipped around 6/8. We're working on a server side mitigation of the regression, and I'll keep this thread updated on the progress.
Yes, temporarily un-scoping SSO extension for impacted Office apps and users would be a workaround for now.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-12-2023 11:25 PM
thanks you for the update and keep us posted on the progress :) Really appreciated! ❤️
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-14-2023 02:02 AM
It started to work I our environment today
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-14-2023 07:17 AM
Seems to work here as well. Won’t roll out SSOE in production until it’s been stable for a while though.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-26-2023 04:40 AM
We are having a few issues with the Extension on 12.6.6. We have followed the guidance from Microsoft. We are not using Jamf Connect. We are doing the initial sign-in via Safari (microsoft365.com) but then finding that other Microsoft apps do not immediately sign-in. Only after quitting and relaunching these apps are we signed in and even then, it does not silently auto sign us in to all apps. For Office apps, it will silently sign us in however for OneDrive and Teams it will only pre-populate the username field - we then have to click Login. We do have additional policies set for OneDrive.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-26-2023 04:48 AM
For OneDrive and Teams, this is expected, the sign in webview implementation must be different than the rest of Office and isn't fully compatible with the plugin.
With the plugin, to get the initial PRT or "SSO token", the sign-in must be done through a compatible app, not a browser.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-26-2023 07:55 AM - edited 06-26-2023 08:11 AM
Taken from the below URL:
Not all Microsoft first-party native applications use the MSAL framework. At the time of this article's publication, most of the Microsoft Office macOS applications still rely on the older ADAL library framework, and thus rely on the Browser SSO flow.
Which means it has to be a browser (safari) that is used initially to generate the token. Which is fine... We launch Safari and are greeted with the SSO pop-up - which we then sign into.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-26-2023 08:06 AM - edited 06-26-2023 08:12 AM
Ah, yes, you can bootstrap the PRT with Safari when you have enabled browser_sso_interaction_enabled.
Edit:
Bootstrapping doesn’t need to be done with Safari, you can get a PRT from any app that uses MSAL.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-27-2023 10:02 AM
Based on what I've seen from Okta, it looks like Platform SSO will soon be a replacement for this plug-in. I'm just going to wait until MS supports Platform SSO. I haven't had much luck with the plug-in.