#!/bin/bash
# Determine PSSO status of current console user logged in at time of recon
# Get current user logged in to device
currentUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( ...
Configure Kerberos SSO for Microsoft Entra Platform Single Sign-On
Reference:
https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-kerberos-configuration
The native Kerberos Single Sign-On (Kerberos SSO) ...
Updated 9 OCT 2024: NOTE: Okta Verify appears to have rolled back to
9.23.0 as the official release which is working in macOS 18.1 beta 6.
iOS SSOe support appears to be working in 9.24.1 with iOS 18.1 beta 6.
Limitations and Requirements Apple has m...
As I'm writing articles, I'll update this page with the latest articles:
Updated 23SEPT2024 What is Platform Single Sign-On - An overview of the
technology and how it works
https://community.jamf.com/t5/jamf-pro/what-is-platform-single-sign-on/td-p/3...
Troubleshooting steps Extensive troubleshooting steps are available
from Microsoft at:
https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-mac-sso-extension-plugin
Removing PSSOe from a user account To force an update to a user acc...
You could, if you wanted to tempt fate, remove the attribute manually
via dscl . delete /Users/$USERNAME and the attributes. Personally, I'm
not sure of the utility of that. If you remove the PSSO config profile
from the device, the key is effectivel...
I think your issue is less with registering devices in Entra than with
registering personal devices into Jamf Pro. The PSSO payload needs to
come down from an MDM here to work, so we know the device would be
enrolled in Pro. Perhaps limit regist...
If you're using PSSO with Microsoft in Secure Enclave key authentication
mode, there should be no MS-Organization-Access certificate in the user
keychain at all, so I'm confused by the question.
With PSSO in Secure Enclave key authentication mode, the workspace join
certificates are removed from the user's keychain and stored instead in
the Secure Enclave of the device. This effectively makes the key
non-exportable and hardware bound. The wo...
Check your Entra Conditional Access policies around session duration.
Also this is one where getting MS support in is 1000% the right answer.
You're paying them for the service, so... :)
The man, the myth, the mohawk. Senior Consulting Engineer, Identity and Access Management. Often seen in an Airstream trailer performing extreme social distancing. Offers a strict SaaS model for delivery - Sarcasm as a Service.