Friday
We are testing enrolling Macs into Microsoft Partner Compliance to enforce Conditional Access policy. For the most part, the process is smooth to enroll and we have not seen too many issues.
However, the one issue that will be a user concern is when a user goes to a Microsoft site (like Outlook on the web): they are prompted by macOS to allow Google Chrome to use the Microsoft Workplace Join Key from the Keychain.
Edge and Safari use this key automatically, which makes sense being Apple & Microsoft. I tried adding com.google. to my SSO extension, like I have for Apple, Microsoft, and Jamf, but that doesn't seem to work. (See below.)
Is there any way that I can automatically allow Chrome to use this WJK?
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.,com.google.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>
Friday
@Tribruin Try adding this to your com.google.Chrome configuration settings:
<key>AutoSelectCertificateForUrls</key>
<array>
    <string>{"pattern":"https://device.login.microsoftonline.com","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}</string>
    <string>{"pattern":"https://enterpriseregistration.windows.net","filter":{"ISSUER":{"CN":"MS-Organization-Access"}}}</string>
</array>
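As an added illustration (not from any poster in this thread), the script below builds the AutoSelectCertificateForUrls entries above into a com.google.Chrome managed-preferences plist, reads it back to validate that each entry is well-formed JSON, and checks which URL/issuer combinations the policy would auto-select for. The pattern matcher is a simplified assumption for illustration, not Chrome's full content-settings pattern syntax.

```python
import json
import plistlib
from urllib.parse import urlparse

# Constructed policy: the two rules suggested above, as Chrome expects them
# (each array element is a JSON string with "pattern" and "filter").
AUTO_SELECT_RULES = [
    {"pattern": "https://device.login.microsoftonline.com",
     "filter": {"ISSUER": {"CN": "MS-Organization-Access"}}},
    {"pattern": "https://enterpriseregistration.windows.net",
     "filter": {"ISSUER": {"CN": "MS-Organization-Access"}}},
]


def build_chrome_policy_plist() -> bytes:
    """Serialise the rules into an XML plist suitable for com.google.Chrome managed preferences."""
    policy = {"AutoSelectCertificateForUrls":
              [json.dumps(r, separators=(",", ":")) for r in AUTO_SELECT_RULES]}
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


def parse_rules(plist_bytes: bytes) -> list:
    """Load the policy back and reject any hand-typed entry that is not valid JSON or lacks keys."""
    policy = plistlib.loads(plist_bytes)
    rules = []
    for raw in policy.get("AutoSelectCertificateForUrls", []):
        rule = json.loads(raw)  # raises ValueError on a typo in the JSON string
        if "pattern" not in rule or "filter" not in rule:
            raise ValueError(f"malformed AutoSelectCertificateForUrls rule: {raw}")
        rules.append(rule)
    return rules


def pattern_matches(pattern: str, url: str) -> bool:
    """Simplified matcher (assumption): scheme and host must agree; '[*.]host' also matches subdomains."""
    p, u = urlparse(pattern), urlparse(url)
    if p.scheme and p.scheme != u.scheme:
        return False
    if p.netloc.startswith("[*.]"):
        base = p.netloc[4:]
        return u.netloc == base or u.netloc.endswith("." + base)
    return p.netloc == u.netloc


def cert_auto_selected(rules: list, url: str, issuer_cn: str) -> bool:
    """True when a rule's pattern matches the URL and its ISSUER CN filter matches the cert issuer."""
    for rule in rules:
        if pattern_matches(rule["pattern"], url):
            wanted_cn = rule["filter"].get("ISSUER", {}).get("CN")
            if wanted_cn is None or wanted_cn == issuer_cn:
                return True
    return False
```

Note that this only removes the certificate-selection dialog; the separate macOS keychain prompt to let Chrome use the Workplace Join private key is a keychain ACL decision and is not governed by this Chrome policy.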
Friday
Sorry, I should have mentioned that I have that profile deployed, and that fixes the user being required to select the certificate, but they still have to allow Chrome to access it.
Friday
Are they getting a prompt that says Chrome is asking permission to export it and asking for the login keychain password? If so, that's going to require the user to respond with their login password and click Always Allow.
Friday
For Chrome, you will need to install the Microsoft Single Sign on Extension.
https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji?h...
It works pretty well but every so often we see a cached site that asks to select the cert. Usually clearing the cache resolves the issue.
yesterday
The upcoming Google Chrome 134 version supports this by default, so we don't need to install the SSO extension.
yesterday
That is what I understood as well, but I am still getting the prompt to use the WJK when attempting to access Microsoft resources via Chrome with v134. How are you configuring this?
yesterday
Maybe they pushed to v135 from their release notes...
https://support.google.com/chrome/a/answer/7679408?sjid=6152935147853255882-NA#top
Upcoming Chrome Enterprise Core changes
Apple Extensible SSO support for Chrome on macOS
Chrome 135 on macOS will enable seamless authentication for identity providers that are enabled via an OS-configured Enterprise Single Sign On (SSO) extension. For this initial release, it will allow end users on managed browsers to sign in to any Microsoft Entra-authenticated resources without the need to enter any credentials. Extensible SSO needs to be pre-configured in your environment and deployed with its respective enterprise device management solution. Additional identity providers might be supported in the near future.
As early as Chrome 135 on macOS