After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register. The message can be customized with the configuration profile value of“Display Account Name”. In this example, the Display Account Name was set to“Jamfse.io Entra ID”.
The user is then prompted for their local macOS UNIX account password. This is used to determine the user is present and actively using the device.
The next step requires the user enter a strong credential like a security key or Passkey enabled on another device. Other methods also include push with number challenge.
Upon completion, the user is shown instructions to set up the device as a Passkey provider for Microsoft Entra ID.
A user must dismiss the dialog or open system settings and remember the path to get to the setting required: Passwords, enter local user password if prompted, Password Options, Use passwords and passkeys from, and then Enable the Company Portal app.
Users can confirm the state of the Secure Enclave backed key by opening System Settings, Users & Groups, and selecting the“i” next to their account. Platform Single Sign-on status will show the login, method, and the state of device registration and current presence of SSO tokens for use to obtain authorization for further services gated by Entra ID.
Password
After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register their user account to log into their Mac with their identity provider password. This message cannot be customized.
The user is then informed as to what changes will happen to their user account. The user is prompted for their local macOS UNIX user account password. This is used to determine user presence at the device.
The user is then prompted to authenticate to the identity provider. Customizing the login screen can be done in Entra ID settings.
The user will be prompted to enter their Microsoft Entra ID credentials. The tenant is described as the value entered in Display Account Name as part of the configuration profile.
In macOS Sonoma, the user is not presented with a confirmation of the completion or success of this registration. To confirm registration, open the System Settings app and navigate to Users & Groups and select the currently logged in user.
The user is now blocked from changing their local account password. Registration shows the status of the device registration with Entra ID. Tokens denotes if there are current SSO tokens cached to use for further logins to applications and cloud resources gated with Microsoft Entra ID login.
