Jamf Nation Community

n_lecchi · ‎04-21-2021

It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.

Anyone have experience in SSO in Office 365 apps?

GabeShack · ‎03-15-2022

Ive done a little reworking of our install order and now I'm seeing the sso piece being broken again in 12.3. I previously had the company portal app in the prestage packages to install, but now moved it to happen after enrollment, and perhaps thats the issue, but on a 12.3 install im not getting any indication that sso is working.

Gabe Shackney
Princeton Public Schools

btowns · ‎06-03-2022

Is anyone able to get this working for Office apps or OneDrive?

Even using the simple example plist that MS provides, I'm not able to get it to work for Office.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>

n_lecchi · ‎08-25-2022

I am gone away with other test, with macOS Ventura too. SSO now seems works better, but it require again authentication to the first App.

Now using Jamf Connect Login with only 1 authentication the user can:
1. Enroll the Mac (ADE) with Azure credential
2. Create local account
3. Login the user
4. Connect Jamf Connect (menu Bar)
So, the Enrollment is complete, with 1 authentication requesy only

The problem starts with configuration:
1. Company Portal Registration requests another authetication plus authorization for JamfAAD access to key "MS Workplace Join Key"
2. Than, the first App opened requeste again authentication

I'm looking for a streamline process for enrollment and configuration in one shot authentication. Any idea?

pueo · ‎08-26-2022

Hello.
Are you using the new SSO Apple are baking into Venture for a streamlined login experience or the SSO Profile you can configure for Applications like Safari, MS apps - teams, outlook etc?

Karl941 · ‎11-14-2022

Hi there, I have configured the SSOE with redirection to MS servers to authenticate through Azure and so far, it works pretty well with Safari and local MS apps. However, when SSOE is enabled, I am unable to log into my JamfCloud instance through Safari, always notifying me that SSO has Expired. Any thoughts ? I already cleared all Safari cookies and privacy stuff but same issue.

charliwest · ‎11-30-2022

I get the same here @Karl941 , did you ever get anywhere with this?

Karl941 · ‎11-30-2022

Still not unfortunately. Anyone in this group maybe ?

charliwest · ‎03-20-2023

I managed to get it working. I believe this was due to groups in the LDAP group membership. It saw I was in one group, that does not have access, but a "later" group does, it ignores that and takes the first group membership.
We fixed it by removing the catch all group we had that was used for enrollment. Since then it works fine. Alternatively name your main jamf admin group AAAAA_Group_Name so it is seen first ;)

bwoods · ‎03-02-2023

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.adobe.,com.jam.,com.jamfsoftware.,com.jamf.</string>
    <key>AppAllowList</key>
    <string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.edgemac</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>browser_sso_disable_mfa</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt_and_autologin</key>
    <integer>1</integer>
</dict>
</plist>

leobrt · ‎03-20-2023

Good morning,
Has anyone here continued testing and using the Microsoft Enterprise SSO Plugin? For my part, I followed this Microsoft procedure:
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-int...
By installing the Company Portal app through Jamf, then installing the following configuration profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppAllowList</key>
	<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.microsoft.Yammer,com.microsoft.edgemac,com.microsoft.edgemac.local,com.microsoft.msedge,com.microsoft.rdc.macos,com.jamfsoftware.selfservice.mac</string>
	<key>AppPrefixAllowList</key>
	<string>com.microsoft.,com.apple.,com.adobe.,com.jamfsoftware.,com.jamf.</string>
	<key>browser_sso_disable_mfa</key>
	<integer>1</integer>
	<key>browser_sso_interaction_enabled</key>
	<integer>1</integer>
	<key>disable_explicit_app_prompt_and_autologin</key>
	<integer>1</integer>
</dict>
</plist>

It works on macOS 13.2.1, I haven't noticed any bugs yet. Do you know if it is possible to extend it on Firefox or Chrome today?

Karl941 · ‎03-20-2023

Hi @leobrt

If you're using AzureAD as IDP to authenticate into your JamfCloud instance, how's SSO work with your configuration and Safari please?

leobrt · ‎03-20-2023

Hi @Karl941 ,
We don't currently use it, despite having incorporated it into my configuration profile. Following the Jamf and Microsoft documentation you did not succeed?

Karl941 · ‎03-21-2023

Nope the SSO will work for 8 hours and then it will always fail to SSO because of the token expiration, SSO does not renew it (Jamf SSO error message). I cleared everything from Safari but it did not fix it. I was thus curious to know about how it behaved to other members of the Jamf community?

ali_fadavinia · ‎04-11-2023

Hey JAMF experts,

The attached plist is working SSO for us in Safari, but it's not working for Chrome, Edge. Any solution or someone could find a workaround?

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>

pueo · ‎04-12-2023

Currently you don't with FF, Brave and Chrome.

pueo · ‎04-12-2023

Hey All

Following this thread is confusing as posts are not in order by date but we will see who reads this and has some information.

Every so often I spend time with the SSO profile then move onto other things. It mostly works on my test computers except for FF and Chrome (I knew about years ago when Apple mentioned it me during a Pro D session).

Anyway....private browsing...is there a setting to NOT have the SSO settings replicate to a private browser session? My boss said SSO for general stuff is great, but what about Private Browsing? Can we add a <key> to prevent SSO in private browsers (test other accounts etc)?

Cheers

Ash

GabeShack · ‎05-09-2023

It doesnt look like chrome or Firefox have built any support in for the microsoft sso. However we did find a good extension in chrome to keep them logged in called "Windows Accounts".

Gabe Shackney
Princeton Public Schools

pueo · ‎05-12-2023

Hello @GabeShack
The reviews for the plug in are very mixed. How is the extension working for your environment? We have an Azure environment with Chrome being our 'default' browser followed by Edge.

arcit · ‎06-08-2023

I have a shared iPad setup, and when the SSO plugin is enabled, the Teams app won't sign in at all. It gives the following error: Something went wrong. The device is not set-up properly. When the SSO policy is turned off, I can sign in normally. Any ideas? I've tried to exclude the Teams bundle ID, but nothing seems to work.

Currently I have the following keys:

AppPrefixAllowList: com.microsoft.,com.apple.
disable_explicit_app_prompt
browser_sso_interaction_enabled
disable_explicit_app_prompt_and_autologin
Enable_SSO_On_All_ManagedApps
browser_sso_disable_mfa

GabeShack · ‎06-08-2023

The requirement for the iPads is also having the Microsoft Authenticator app installed.More info here. https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

Im actually exploring switching away from this and seeing if i can implement the apple soo instead.

Gabe Shackney
Princeton Public Schools

arcit · ‎06-08-2023

Yeah, Authenticator is deployed. SSO in the safari browser works just fine. For the Teams app i have to manually enter the username, it doesn't matter what username I enter, clicking next always generates the same error.

MrRoboto · ‎06-08-2023

Enterprise SSO was working fine during Preview and General Release up until this week. Now only works with Teams and Safari. All installed apps (Word, Excel, Powerpoint, Outlook) experience a sign in or network error. I downloaded the troubleshooting scripts, passes all tests. Issue happens on new or existing macOS install. JSS config profile is exactly the same as documentation. I just opened a support case and waiting to hear back. Has anyone else noticed things completely breaking this week?

kennetha · ‎06-08-2023

We're seeing the same thing. We've just started testing Jamf Connect and Enterprise SSO Extension. Thought the login issues in MS apps was related to our Conditional Access MFA policy, but works fine in Safari and Teams indeed... Seems to be a widespread issue. Could it be related to Jamf Connect 2.24.0? Since it worked for you earlier?

MALmen · ‎06-09-2023

We are not using Jamf connect at all but facing the same issue this week.

kennetha · ‎06-09-2023

Yeah, it's not Connect. Tried with 2.23.0 and a few older versions without luck. Seems to be tied to the SSO Extension. Connect is unrelated.

djrory · ‎06-08-2023

Confirming we are seeing a similar issue when trying to log into OneDrive, Server error 2605 paired with a keychain error. Seems to have just come up this week. Azure sign in logs report OneDrive syncengine error.

Authentication requirement

Single-factor authentication

Status

Failure

Continuous access evaluation

No

Sign-in error code

50000

Failure reason

There was an error issuing a token or an issue with our sign-in service.

linknandez · ‎06-13-2023

12 hours ago, I experienced this and just called it a night, put the mac to sleep. I wake it up now, and SSO just worked. Not sure if it's just fixed by now or what.

MALmen · ‎06-09-2023

Noticed the same in our environment today :(

MALmen · ‎06-12-2023

Please keep us informed about the case if you hear anything back :)

MrRoboto · ‎06-12-2023

No updates on my MS support case. There are some updates from MS staff on MacAdmins Slack #microsoft-aad..

We've identified a breaking service change that is causing this issue thanks to those logs. We're evaluating the impact and mitigation options right now.

The issue is caused by a server side regression, shipped around 6/8. We're working on a server side mitigation of the regression, and I'll keep this thread updated on the progress.

Yes, temporarily un-scoping SSO extension for impacted Office apps and users would be a workaround for now.

MALmen · ‎06-12-2023

thanks you for the update and keep us posted on the progress :) Really appreciated! ❤️

MALmen · ‎06-14-2023

It started to work I our environment today

kennetha · ‎06-14-2023

Seems to work here as well. Won’t roll out SSOE in production until it’s been stable for a while though.

GrahamRiley · ‎06-26-2023

We are having a few issues with the Extension on 12.6.6. We have followed the guidance from Microsoft. We are not using Jamf Connect. We are doing the initial sign-in via Safari (microsoft365.com) but then finding that other Microsoft apps do not immediately sign-in. Only after quitting and relaunching these apps are we signed in and even then, it does not silently auto sign us in to all apps. For Office apps, it will silently sign us in however for OneDrive and Teams it will only pre-populate the username field - we then have to click Login. We do have additional policies set for OneDrive.

btowns · ‎06-26-2023

For OneDrive and Teams, this is expected, the sign in webview implementation must be different than the rest of Office and isn't fully compatible with the plugin.

With the plugin, to get the initial PRT or "SSO token", the sign-in must be done through a compatible app, not a browser.

GrahamRiley · ‎06-26-2023

Taken from the below URL:

https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-mac-sso-extension-plug...

Not all Microsoft first-party native applications use the MSAL framework. At the time of this article's publication, most of the Microsoft Office macOS applications still rely on the older ADAL library framework, and thus rely on the Browser SSO flow.

Which means it has to be a browser (safari) that is used initially to generate the token. Which is fine... We launch Safari and are greeted with the SSO pop-up - which we then sign into.

btowns · ‎06-26-2023

Ah, yes, you can bootstrap the PRT with Safari when you have enabled browser_sso_interaction_enabled.

Edit:
Bootstrapping doesn’t need to be done with Safari, you can get a PRT from any app that uses MSAL.

bwoods · ‎06-27-2023

Based on what I've seen from Okta, it looks like Platform SSO will soon be a replacement for this plug-in. I'm just going to wait until MS supports Platform SSO. I haven't had much luck with the plug-in.

Jamf Nation Community

Microsoft Enterprise SSO plug-in for Apple devices