Platform Single Sign-On End User Experience with Entra ID

rabbitt
Contributor II

End User Experience

Secure Enclave
After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register.  The message can be customized with the configuration profile value of “Display Account Name”.  In this example, the Display Account Name was set to “Jamfse.io Entra ID”.

The user is then prompted for their local macOS UNIX account password.  This is used to determine the user is present and actively using the device.


The next step requires the user to enter a strong credential, such as a security key or a Passkey enrolled on another device. Other accepted methods include push notification with a number challenge.


Upon completion, the user is shown instructions to set up the device as a Passkey provider for Microsoft Entra ID.


The user must either dismiss the dialog or open System Settings and remember the path to the required setting: Passwords (enter the local user password if prompted), Password Options, "Use passwords and passkeys from", and then enable the Company Portal app.

Users can confirm the state of the Secure Enclave backed key by opening System Settings, Users & Groups, and selecting the "i" next to their account. The Platform Single Sign-on status shows the login method, the state of device registration, and whether SSO tokens are currently present for obtaining authorization to further services gated by Entra ID.

Password
After the configuration profile for PSSOe and the companion application for PSSOe are installed on the device, macOS will prompt the user to register their user account to log into their Mac with their identity provider password.  This message cannot be customized.

The user is then informed as to what changes will happen to their user account.  The user is prompted for their local macOS UNIX user account password.  This is used to determine user presence at the device.


The user is then prompted to authenticate to the identity provider.  Customizing the login screen can be done in Entra ID settings.


The user will be prompted to enter their Microsoft Entra ID credentials. The tenant is labelled with the value entered in Display Account Name as part of the configuration profile.


In macOS Sonoma, the user is not presented with a confirmation that this registration completed or succeeded. To confirm registration, open the System Settings app, navigate to Users & Groups, and select the currently logged-in user.


The user is now blocked from changing their local account password. Registration shows the status of the device registration with Entra ID. Tokens indicates whether SSO tokens are currently cached for further logins to applications and cloud resources gated by Microsoft Entra ID.
