175: Deploy macOS SSO extension

Overview

Deploying the macOS Single Sign-On (SSO) extension using Microsoft Intune can streamline authentication processes for users and enhance security. Here's a detailed overview:

Steps to Deploy macOS SSO Extension

1. Prerequisites:

   • Ensure devices are running macOS 13.0 or newer.
   • Install the Microsoft Intune Company Portal app version 5.2404.0 or newer.

2. Decide Authentication Method:

   • Choose between passwordless authentication, Microsoft Entra ID user accounts, or smart cards.

3. Create Platform SSO Policy in Intune:

   • Navigate to the Intune admin center.
   • Go to Devices > Configuration profiles > Create profile.
   • Select macOS for the platform and Device features for the profile type.
   • Configure the SSO app extension settings¹.

4. Deploy the Company Portal App:

   • Ensure the Company Portal app is deployed to all macOS devices.

5. Enroll Devices and Apply Policies:

   • Enroll the macOS devices in Intune.
   • Assign the SSO policy to the relevant user groups.

6. Confirm Settings on Devices:

   • Verify that the SSO settings are correctly applied on the devices.

Benefits

• Reduced Authentication Prompts: Users experience fewer sign-in prompts, enhancing productivity.
• Enhanced Security: Supports passwordless authentication and integrates with Microsoft Entra ID for secure access.
• Seamless User Experience: Users can sign in using their Microsoft Entra ID credentials and Touch ID.
• Conditional Access: Ensures that only compliant devices can access corporate resources.

Drawbacks

• Compatibility Issues: Some older macOS versions may not support the latest SSO features.
• Initial Setup Complexity: Requires careful configuration and testing to ensure seamless deployment.
• Dependency on Microsoft Entra ID: Organizations must be using Microsoft Entra ID for full functionality.

Possible Impact on End Users

• Improved User Experience: Fewer sign-in prompts and easier access to resources.
• Learning Curve: Users may need initial guidance on using new authentication methods like Touch ID.
• Increased Security: Users benefit from enhanced security measures, reducing the risk of unauthorized access.

Tying to Zero Trust

The deployment of the macOS SSO extension aligns with Zero Trust principles by:

• Verifying Identity: Ensures that only authenticated users can access resources.
• Conditional Access: Enforces policies that require devices to meet security standards before granting access.
• Least Privilege Access: Limits access to resources based on user roles and compliance status.

Reference

• Configure Platform SSO for macOS devices | Microsoft Learn. https://learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos.
• Use the Microsoft Enterprise SSO plug-in on macOS devices. https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune.
• Microsoft Enterprise SSO plug-in for Apple devices. https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin.
• Coming Soon – Platform SSO for macOS - Microsoft Community Hub. https://techcommunity.microsoft.com/t5/microsoft-entra-blog/coming-soon-platform-sso-for-macos/ba-p/3902280.