Troubleshooting Platform Single Sign-On with Microsoft Entra ID

rabbitt
Contributor II

Troubleshooting steps

Extensive troubleshooting steps are available from Microsoft at: https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-mac-sso-extension-plugin
 
Removing PSSOe from a user account 
To force an update to a user account that has PSSOe, unscope the configuration profile using the steps below. This allows the device to be re-registered, or the local macOS UNIX user account to be paired with a different cloud identity provider account.
 
Secure Enclave method - Un-scope the configuration profile. Check whether any legacy SSOe payloads are still on the device and remove those configurations as well, even though they do not contain the Platform SSOe keys. Reboot the computer. Open System Settings, Users & Groups, and select the “i” next to the user account. Confirm that the Platform Single Sign-on section is missing from the user account.
 
Password method - Un-scope the configuration profile.  Optionally, reboot the computer.  Open System Settings, Users & Groups, select the “i” next to the user account.  Confirm the Platform Single Sign-on section is missing from the user account.
 
Configuring Notification Center messages
Customization of the Notification Center messages for enrollment is limited to the Display Account Name value.  The icon presented is from the Company Portal application, and the messaging has been standardized by Apple.
 
Checking PSSOe status 
app-sso platform -s shows extensive information about the current state of device and user registration.
 
To determine whether the current local macOS UNIX user account has been paired with a cloud identity provider account, set currentUser to the account's short name (the console user, in this example) and read its AltSecurityIdentities attribute:
currentUser=$(stat -f %Su /dev/console)
dscl . read /Users/$currentUser dsAttrTypeStandard:AltSecurityIdentities | awk -F'SSO:' '/PlatformSSO/ {print $2}'
 
The returned result will be either the UPN of the cloud identity provider account for the currently logged-in user, if paired, or blank if unpaired.
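Wrapping the check above in a small script (an added example, not part of the original post and not Jamf or Microsoft tooling): it reads the console user's record, extracts the PlatformSSO UPN, and prints Paired/Unpaired in the <result> form a Jamf Pro extension attribute expects. It assumes dscl's local node as on the page, and the sample record it falls back to off-Mac is constructed.

```shell
#!/bin/sh
# Reports whether the console user's local account is paired with an Entra ID
# account via Platform SSO, by reading the PlatformSSO entry in
# AltSecurityIdentities. Output is wrapped in <result> tags so the script can
# double as a Jamf Pro extension attribute. Hypothetical helper, not vendor code.

# Pull the UPN out of a dscl record fed on stdin. Handles both the single-line
# form "AltSecurityIdentities: PlatformSSO:<upn>" and the multi-value form
# where each value sits on its own indented line (assumed formats).
# Prints nothing when no PlatformSSO entry is present.
extract_psso_upn() {
    awk -F'SSO:' '/PlatformSSO:/ { sub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# Turn an extracted UPN (possibly empty) into the status text we report.
psso_status_text() {
    if [ -n "$1" ]; then
        printf 'Paired: %s' "$1"
    else
        printf 'Unpaired'
    fi
}

# Read the record of the user who currently owns the console (macOS only).
read_console_user_record() {
    console_user=$(stat -f %Su /dev/console)
    dscl . read "/Users/$console_user" dsAttrTypeStandard:AltSecurityIdentities 2>/dev/null
}

# Constructed dscl output for a paired account, used only when dscl is not
# available (running this off a Mac). Not captured from a real device.
SAMPLE_PAIRED='AltSecurityIdentities: PlatformSSO:jdoe@example.com'

if command -v dscl >/dev/null 2>&1; then
    upn=$(read_console_user_record | extract_psso_upn)
else
    upn=$(printf '%s\n' "$SAMPLE_PAIRED" | extract_psso_upn)
fi
printf '<result>%s</result>\n' "$(psso_status_text "$upn")"
```

If the attribute is missing or the account is unpaired, the script reports Unpaired rather than failing, which is what you want from an inventory check.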
 
Console or unified logging filters can be used to log on a subsystem of com.apple.AppSSO with the category of PODiagnostics.
 
Entra Device Registration information

Unlike the Jamf Pro integration where the Join Type is Microsoft Entra ID Registered, devices registered with PSSOe will be of the Join Type Microsoft Entra ID Joined.
 
Compliant state will show as N/A if the Jamf Pro device compliance integration isn’t configured or has not sent compliance data to the newly registered object.
 
Forcing device compliance data to be sent after PSSOe registration
If a device was previously registered with Company Portal for device compliance, it can be forced into a compliant reporting state again after PSSOe registration.
 
After registering the computer and the user with PSSOe, run the following command:
/Library/Application\ Support/JAMF/Jamf.app/Contents/MacOS/Jamf\ Conditional\ Access.app/Contents/MacOS/Jamf\ Conditional\ Access gatherAADInfo
 
Alternatively, if a device was never registered with Company Portal, after PSSOe registration, simply run the “RegisterDevice with Microsoft” command from Jamf Self Service.  This process may take slightly longer than expected but the device compliance information will appear in the Entra portal shortly afterwards.
