Microsoft SSO Extension/AAD at logon screen?

mikemangino
New Contributor III

There's this SSO plugin that offers platform-wide SSO on a Mac. It works great. https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

Based on this blog from July, the extension should work for the login window starting with Ventura, but I can't find anything recent on how to actually make this work. https://techcommunity.microsoft.com/t5/endpoint-management-blog/microsoft-simplifies-endpoint-manage...

Anyone else tried this or seen any other information on how to deploy this feature? 


talkingmoose
Moderator

There’s nothing to see here yet.

Apple announced Platform Single Sign-On (Platform SSO) at WWDC 2022. Platform SSO will allow macOS Ventura Macs to authenticate end users at the login screen. Those credentials can then be passed along to a Single Sign-On extension to authenticate end users with apps and services automatically without having them re-authenticate.

A few things need to happen first.

Jamf Pro has already implemented support (as documented by Apple) for both Platform SSO and Single Sign-On extensions on macOS, iOS and iPadOS. There may be more work to do if there’s more announced around this area. But for the most part, Jamf Pro is ready.

Microsoft has announced it intends to support Platform SSO, but that’s all. It hasn’t released anything publicly. Their Single Sign-On extension is available now, but it’s in preview at the moment. However, they will support it fully now.

However, other apps and services need to be written to support accepting credentials from Single Sign-On extensions and using them. I’ve personally yet to hear of any app vendors announcing this support.

I haven’t seen any public statements from other Identity Providers about supporting Platform Single Sign-On and Single Sign-On extensions.

Until all the pieces are in place, there’s not much you can do to take advantage of these new features, but there’s a lot of promise in them when they eventually do deliver.

mikemangino
New Contributor III

OK, thank you. Mostly interested in using AAD credentials at the login screen without having to purchase/manage something third-party. The platform SSO bit does seem to work well now; kinda creepy how even private browser sessions will pass auth right through.
Hurry up and wait it is...

AJPinto
Honored Contributor II

Most new goodness Apple releases is not worth paying too much attention to until it's been out for at least a year. With how close-vested Apple is with their beta, most collaborating tools like Microsoft have had the same amount of time with the product that we have.

TL;DR: Don't expect to see much support for Apple's Platform SSO until around the time of macOS 14's launch.

piotrr
Contributor III

The SSOe is still considered Preview and should not be used in a production environment.
Microsoft Enterprise SSO plug-in for Apple devices - Microsoft Entra | Microsoft Learn

I'm testing it on my own machines and it's mostly been nice. The JamfAAD onboarding process with Company Portal is MUCH smoother now that Company Portal includes SSO awareness, with far fewer sign-in prompts for the user! Just remember to deploy the WebView support preference for JamfAAD (useWKWebView = true), as launching the browser may fail.

I've had some failures in Self Service of all places, though. PSSOe is not done. Avoid.

@piotrr I integrated Intune and Jamf Pro after deploying Company Portal, but it always pops up JamfAAD for the user. I already applied the WebView profile, the wait-time profile for token retry and also disableUPNLoginHint, but no luck fixing the JamfAAD pop-up, whereas the machine shows as registered in Intune and I can see the device information there. Any suggestion would be helpful.

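The original post asks how to actually deploy the extension, and piotrr's reply above points at the JamfAAD useWKWebView preference. The following Python is an added example (not code from this thread, from Jamf or from Microsoft) that assembles the two configuration-profile payloads involved, the Extensible SSO payload for the Microsoft Enterprise SSO plug-in and a custom-settings payload carrying the JamfAAD preference, and runs a few sanity checks on the SSO payload before it is uploaded. The plug-in's bundle ID, team ID, redirect URLs and ExtensionData keys follow Microsoft's public documentation for the plug-in (linked in the first post); the JamfAAD preference domain com.jamf.management.jamfAAD and the check function are assumptions made for illustration.

```python
"""Build and sanity-check a .mobileconfig for the Microsoft Enterprise SSO
plug-in plus the JamfAAD useWKWebView preference. Added example; not code
from the thread, Jamf or Microsoft."""
import plistlib
import uuid

# Identifiers and ExtensionData keys documented by Microsoft for the plug-in.
MS_SSO_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
MS_REDIRECT_URLS = (
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
)
# Assumption: the preference domain JamfAAD reads useWKWebView from.
JAMFAAD_DOMAIN = "com.jamf.management.jamfAAD"


def _common(payload_type, display_name):
    """Keys every payload (and the outer profile) in a .mobileconfig carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{payload_type}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def extensible_sso_payload(app_prefix_allow_list=("com.microsoft.", "com.apple.")):
    """Extensible SSO (redirect type) payload for the Microsoft plug-in."""
    payload = _common("com.apple.extensiblesso", "Microsoft Enterprise SSO plug-in")
    payload.update({
        "ExtensionIdentifier": MS_SSO_EXTENSION_ID,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(MS_REDIRECT_URLS),
        "ExtensionData": {
            # Let Safari/WebKit sign-ins go through the plug-in without a prompt.
            "browser_sso_interaction_enabled": 1,
            # Suppress the explicit per-app "use SSO?" prompt.
            "disable_explicit_app_prompt": 1,
            # Only apps whose bundle ID starts with one of these prefixes get
            # tokens from the plug-in (comma-separated string per Microsoft docs).
            "AppPrefixAllowList": ",".join(app_prefix_allow_list),
        },
    })
    return payload


def jamfaad_webview_payload():
    """Custom-settings payload: make JamfAAD use a WKWebView for sign-in,
    which the SSO plug-in can intercept (preference domain is an assumption)."""
    payload = _common(JAMFAAD_DOMAIN, "JamfAAD WebView preference")
    payload["useWKWebView"] = True
    return payload


def build_profile(payloads, name="Microsoft SSO extension"):
    """Wrap payloads in a device-scoped configuration profile."""
    profile = _common("Configuration", name)
    profile["PayloadScope"] = "System"
    profile["PayloadContent"] = list(payloads)
    return profile


def check_sso_payload(payload):
    """Return a list of findings; an empty list means the payload looks deployable."""
    findings = []
    if payload.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("wrong PayloadType")
    if payload.get("ExtensionIdentifier") != MS_SSO_EXTENSION_ID:
        findings.append("unexpected ExtensionIdentifier")
    if payload.get("TeamIdentifier") != MS_TEAM_ID:
        findings.append("unexpected TeamIdentifier (extension would not be trusted)")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for an IdP extension")
    urls = payload.get("URLs", [])
    missing = [u for u in MS_REDIRECT_URLS if u not in urls]
    if missing:
        findings.append(f"missing redirect URLs: {missing}")
    # A redirect extension receives every request matching URLs, so anything
    # that is not https or not a documented sign-in host widens where tokens go.
    for u in urls:
        if not u.startswith("https://"):
            findings.append(f"non-https redirect URL: {u}")
        elif u not in MS_REDIRECT_URLS:
            findings.append(f"redirect URL outside documented set: {u}")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist that Jamf Pro (or the profiles tool) accepts."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    profile = build_profile([extensible_sso_payload(), jamfaad_webview_payload()])
    print(check_sso_payload(profile["PayloadContent"][0]) or "SSO payload OK")
    with open("microsoft-sso.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

Upload the resulting file as a custom profile in Jamf Pro (or build the same two payloads in the GUI); the check is worth keeping in whatever pipeline produces the profile, because a wrong TeamIdentifier silently leaves the extension untrusted and an over-broad URLs list hands sign-in traffic to the extension for hosts it was never meant to see.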
mikemangino
New Contributor III

I did experience the MUCH smoother Intune registration bit; that was nice.

sharif_khan
Contributor II

I have a few questions about this:

1. Does this require Jamf and Intune integration and also Company Portal before applying this SSO plugin?

2. Will this be a replacement for NoMad and NoMadLogin?

3. Can we apply zero-touch with this Company Portal? Since we are on on-prem Jamf Pro, we still can't do 100% zero-touch.

4. Can we apply it on existing devices?

5. @piotrr can you please share your full testing workflow, if possible?

piotrr
Contributor III

Sorry, I just fiddled with it on the day of release; I did not continue testing this preview feature. It's cool and all, and I have great hopes for it, but I am not going to look deeper into it until it's all out of preview.

DavidN
Contributor

Any other feedback on platform SSO? Is it still in preview? So I got it configured and it works for everything except Kerberos. I can log in at the login window and my credentials are passed to Safari, Microsoft, Adobe, and other apps I previously had configured with the single sign-on plugin. But I'm not getting a Kerberos ticket.

piotrr
Contributor III

Still in preview. No updates for a month. This is fairly normal for Microsoft.

Where are you finding it in preview through Microsoft Intune?

mikegetchell
New Contributor III

It's available now, as of early May.