Welcome to Part Six of the "Apple Platform Deployment: An All-In-One Guide to Managing Apple Devices with Microsoft Intune" series. As we continue our comprehensive journey through managing Apple devices with Microsoft Intune, this part will delve into the intricacies of Apple Identity Services and Single Sign-On (SSO).
In this segment, we will explore how Intune integrates with Apple Identity Services to streamline user authentication and access management, enhancing both security and user experience. We'll cover the setup and configuration of Platform SSO (PSSO) for Apple devices, and demonstrate how it can simplify access to corporate resources while maintaining robust security controls.
By the end of this part, you will have a deeper understanding of how to effectively manage and secure Apple devices in your organization using Intune's advanced capabilities. Stay tuned as we uncover the potential of Apple Identity Services and SSO in the context of Microsoft Intune.
Here's the link to the first five parts:
- The need to manage devices and data
- Getting Started - Apple Device Enrollment types & MDM
- Device Deployment: ABM or ASM, or ABE? (intuneirl.com)
- Onboarding to ABM
- What is Apple Configurator & when to use it?
Introduction to Apple Identity Services
In today's digital age, providing a seamless and user-friendly experience is crucial for businesses to succeed. One way to enhance user experience is through the implementation of Single Sign-On (SSO) solutions. Among the various SSO options available, Apple Identity Services offers a comprehensive and efficient solution for businesses using Apple devices. By integrating Apple's SSO capabilities with Microsoft Intune, businesses can streamline authentication processes and improve security. This guide walks you through the benefits and implementation steps of utilizing Apple Identity Services and SSO, helping you create a frictionless sign-in experience for your users.
Apple Services and Security: Understanding Authentication and Authorization
The cornerstone of any security protocol is authentication, the process of verifying a user's identity. Apple provides authentication mechanisms such as single sign-on, and identity-backed services such as personal and Managed Apple IDs, iCloud, iMessage, and FaceTime. These services let users communicate securely, create online documents, and back up personal data without exposing their organization's information. Each service sits on its own security framework, so data is handled safely both on the device and in transit over wireless networks. Apple's commitment to privacy and security extends to safeguarding personal information and blocking unauthorized access to data and services, and its built-in mobile device management (MDM) framework lets an MDM solution regulate and control access to specific services on Apple devices.
Authorization, by contrast, is about what an authenticated user is allowed to do. The authentication step itself usually means supplying a username and password (or another credential) to an identity provider (IdP). Conceptually, the IdP is the authority, the username and password are the assertion of identity, and the token is what the user receives after a successful sign-in. Apple supports a wide range of tokens and assertions, including certificates, smart cards, and multi-factor devices, so a password is not the only proof of identity available.
Identity federation is another critical aspect, facilitating trust between different IdPs across security domains. This allows users to move between systems while maintaining robust security. For effective identity federation, administrators must establish mutually trusting domains and agree on a unified user identification method. A prevalent instance of identity federation is using an enterprise account to sign into an IdP. Apple has facilitated this by enabling federation between Google Workspace, Microsoft Azure Active Directory (Azure AD, now Microsoft Entra ID), and its own platforms like Apple School Manager, Apple Business Manager, and Apple Business Essentials. Consequently, users can employ their existing Google Workspace or Entra ID accounts for services like iCloud or Apple device sign-ins linked to Apple's educational and business management platforms. Effective federation often involves single sign-on methods or the Kerberos Single Sign-on extension, simplifying the user experience by removing the need for repeated identity verification.
Platform Single Sign-On (SSO): Revolutionizing Authentication Beyond Directory Services
At the heart of Platform SSO's functionality is the secure storage of SSO tokens within the keychain, accessible exclusively to the SSO extension. This extension utilizes these tokens to authenticate users for both on-premises applications and web-based services as required. In situations where SSO tokens are absent, outdated, or older than four hours, Platform SSO proactively engages in refreshing or acquiring new tokens from the Identity Provider (IdP).
Crucially, Platform SSO is designed to support a variety of authentication methods in conjunction with an IdP, ensuring a versatile and secure authentication solution. This approach not only streamlines the user experience but also bolsters security measures across diverse applications and web platforms. Platform SSO supports the following authentication methods with an identity provider (IdP):
- Password and encrypted password
- Password with WS-Trust
- User secure enclave key
Platform SSO can create new local user accounts on demand at the login window using IdP credentials, and it can map IdP group membership onto local macOS groups, so network groups can be used for authorization decisions such as granting admin rights. Let's dive deeper to understand how PSSO actually works.
Creating Extensions to Support Platform Single Sign-On (SSO) with Apple's Framework
To enable single sign-on (SSO) with an identity provider (IdP), it's essential to develop an SSO extension that is compatible with platform SSO and incorporates the essential features. This process includes specifying the grant types compatible with both the extension and the IdP. Additionally, you have the option to integrate support for platform SSO 2.0 and activate the use of the Kerberos SSO extension in conjunction with the platform SSO ticket-granting ticket (TGT).
The role of the extension is to facilitate the registration of devices and users, as well as to handle authentication processes with the IdP. The IdP server is responsible for managing login requests and responses, thereby completing the authentication cycle. For developers, an important aspect of the development phase is the ability to use Terminal commands to monitor messages from the IdP, enabling iterative improvements and fine-tuning of the configuration.
Implement device and user registration.
Developing a single sign-on (SSO) extension involves a specific sequence to register devices and users with an identity provider (IdP). The Platform SSO triggers the extension for these operations. Initially, the extension is tasked with registering the device, followed by registering users on that device.
For your SSO extension to effectively handle registration, it must implement the ASAuthorizationProviderExtensionRegistrationHandler protocol. This protocol is crucial as Platform SSO invokes its methods in scenarios where a device or user requires registration with the IdP, or when there's a need to repair an existing registration.
- Register a Device:
An SSO extension registers a device through the beginDeviceRegistrationUsingLoginManager:options:completion: method. The extension must:
- Registering the device with the relevant Identity Provider (IdP).
- Supplying Platform SSO with the necessary login configuration.
- Executing the completion handler once the process is complete.
In instances where a registration token exists within the Device Management configuration profile, Platform SSO will initiate a silent device registration. The extension can utilize this registration token to authenticate the device with the IdP, potentially bypassing the need for user interaction. However, if user intervention is required, the system will display a user interface prompting the user to register, after which it will re-invoke
If the SSO extension must display a user interface during registration, it can invoke presentRegistrationViewControllerWithCompletion: on the login manager.
Upon completion of the registration process, the SSO extension must call the completion handler with an ASAuthorizationProviderExtensionRegistrationResult. If this result is ASAuthorizationProviderExtensionRegistrationResultFailed, Platform SSO will automatically prompt the user for registration again after approximately 10 minutes; users can also manually initiate registration via the register button under Settings → Users & Groups → Network Account Server. If the result is ASAuthorizationProviderExtensionRegistrationResultFailedNoRetry, Platform SSO will not attempt registration again until the configuration or the extension changes.
- Register a User:
Following a successful device registration, signalled by ASAuthorizationProviderExtensionRegistrationResultSuccess, the SSO extension proceeds to user registration. This method sets up every user on a device, and it is also used when new users are created during the login process.
In scenarios involving shared device keys, user registration is initiated for each new user after the first one. If new users are created during login, they are prompted to start the registration process when they first reach the desktop. The saveUserLoginConfiguration:error: method of the login manager is used here to specify changes to the per-user login configuration. In cases where a username has already been entered, it is passed through the
Once the user registration is completed, it's crucial for the SSO extension to invoke the completion handler. This action prompts the system to authenticate the user with the new configuration, enabling immediate use of platform SSO.
Moreover, if the extension is updated to support the latest platform SSO 2.0 protocol methods and the system is using password authentication, it will interact with the key service to provision a new key. This key is then bound to the user account, enhancing security and personalization for each user on the device.
How Does Intune Work With Platform SSO?
To facilitate platform SSO, the MDM platform utilizes the com.apple.extensiblesso payload, specifically tailored for redirect extensions. Within this payload, the ExtensibleSingleSignOn.PlatformSSO dictionary encompasses various configuration options for platform SSO. These options span from selecting the appropriate key or keys for use, assigning group memberships, and enabling user creation during login, to incorporating features for device and user registration.
How To Use The PSSO Dictionary?
The only mandatory key is AuthenticationMethod, which selects how users prove their identity to the IdP: Password, UserSecureEnclaveKey, or SmartCard. It is advisable to also set UseSharedDeviceKeys, so that one set of device keys serves every user on the device. The SSO extension must support the chosen method before registration can start or before a switch between methods. For instance, an account created at the login window with a username and password can later move to a Secure Enclave backed key or a SmartCard once the user is on the desktop. The extension can also use the RegistrationToken in the profile for seamless, silent device registration.
To leverage these recommended shared device keys, the PSSO profile should be configured as a system profile, as it applies to all users on the device.
What About Group Membership in the PSSO Profile?
Platform SSO uses the groups you list in the PSSO profile to request group memberships from the Identity Provider (IdP), in this case Entra ID. At device registration, if the Intune profile includes AdministratorGroups, Platform SSO creates matching local groups and nests them in the local admin group. For AdditionalGroups it creates plain local groups; making other services such as sudo honour those groups is a separate configuration task. If AuthorizationGroups are specified, it creates a local group and updates the named authorization right to include that group.
During authentication the system asks Entra ID for the user's group list, and the login response carries the user's memberships. Platform SSO then reconciles local membership with that list, adding the user to the groups the IdP returned and removing them from the others. Because the memberships travel inside the IdP-signed login response rather than coming from a separate, unauthenticated lookup, they can be relied on for security decisions. Group memberships are updated only after a user authenticates, so a change in Entra ID takes effect at the user's next sign-in.
Can I Create Users During Login?
You can create a new user account at the login window if both EnableCreateUserAtLogin and UseSharedDeviceKeys are set in the PSSO profile in Intune. Before creating an account, Platform SSO checks for an existing account with the same username and unique identifier, and it derives the account name and full name from the token claims named in the profile's TokenToUserMapping.
Platform SSO offers several authentication methods for talking to an Identity Provider (IdP), which maintains and verifies user identities. Each method follows its own sequence, but the general shape is the same: the system requests a server nonce from the IdP (so the exchange cannot be replayed), builds a login request in the form the chosen method requires, sends it, and then processes the response.
With the password and encrypted password methods, the local account password is what is presented to the IdP, and the two are kept synchronized, including password changes made at the login window or while unlocking the screen saver. The Secure Enclave key method instead authenticates to the IdP with a hardware-bound key, so no password is sent and the local account password is left untouched. Where stronger assurance is needed, a SmartCard can be used for IdP authentication.
Additionally, Platform SSO supports federated authentication through WS-Trust. Federation is a process that allows for authentication across different security domains, such as moving from a local IdP to a cloud-based IdP. In the context of WS-Trust authentication, the federated IdP utilizes the local account password for the authentication process.
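The profile shape described in the last few sections, as an added example that is not from the original post or from Apple or Microsoft: a Python script that assembles a com.apple.extensiblesso payload with the PlatformSSO dictionary, checks the constraints this post mentions (AuthenticationMethod is one of Password, UserSecureEnclaveKey or SmartCard; EnableCreateUserAtLogin needs UseSharedDeviceKeys; user creation needs a TokenToUserMapping; shared device keys mean a System-scope profile) and writes it out as a .mobileconfig with plistlib. The extension identifier, team identifier, login URLs and ExtensionData values are those Microsoft publishes for the Enterprise SSO plug-in (confirm them against the current docs), {{DEVICEREGISTRATION}} is Intune's registration-token variable, and the group names, the authorization right and the claim names in TokenToUserMapping are placeholders you would replace with your own.

```python
"""Assemble and sanity-check a Platform SSO profile (com.apple.extensiblesso).

Added example; not code from the original post, Apple or Microsoft. Key names
follow Apple's com.apple.extensiblesso / PlatformSSO schema. Microsoft's
extension identifier, team ID, URLs and ExtensionData are copied from its
public docs; group names, the authorization right and claim names are placeholders.
"""
import plistlib
import uuid

MS_SSO_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
MS_LOGIN_URLS = [
    "https://login.microsoftonline.com", "https://login.microsoft.com",
    "https://sts.windows.net", "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn", "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
MS_EXTENSION_DATA = {
    "AppPrefixAllowList": "com.microsoft.,com.apple.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}
AUTH_METHODS = ("Password", "UserSecureEnclaveKey", "SmartCard")


def build_platform_sso_dict(auth_method="UserSecureEnclaveKey",
                            shared_device_keys=True, create_user_at_login=True,
                            admin_groups=(), additional_groups=(),
                            authorization_groups=None):
    """Return the PlatformSSO dictionary for the given choices."""
    psso = {
        "AuthenticationMethod": auth_method,
        "UseSharedDeviceKeys": shared_device_keys,
        "EnableCreateUserAtLogin": create_user_at_login,
        # Token claims used to name accounts created at login (claim names assumed).
        "TokenToUserMapping": {"AccountName": "preferred_username", "FullName": "name"},
    }
    if admin_groups:          # IdP groups nested into the local admin group
        psso["AdministratorGroups"] = list(admin_groups)
    if additional_groups:     # IdP groups mirrored as plain local groups
        psso["AdditionalGroups"] = list(additional_groups)
    if authorization_groups:  # authorization right -> group allowed to use it
        psso["AuthorizationGroups"] = dict(authorization_groups)
    return psso


def validate_platform_sso(psso):
    """Return a list of problems; an empty list means the dictionary is consistent."""
    problems = []
    if psso.get("AuthenticationMethod") not in AUTH_METHODS:
        problems.append("AuthenticationMethod must be one of " + ", ".join(AUTH_METHODS))
    if psso.get("EnableCreateUserAtLogin") and not psso.get("UseSharedDeviceKeys"):
        problems.append("EnableCreateUserAtLogin requires UseSharedDeviceKeys")
    if psso.get("EnableCreateUserAtLogin") and "TokenToUserMapping" not in psso:
        problems.append("EnableCreateUserAtLogin needs TokenToUserMapping to name new accounts")
    return problems


def build_profile(psso, registration_token="{{DEVICEREGISTRATION}}"):
    """Wrap the PlatformSSO dictionary in a device-scoped configuration profile."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.psso.extensiblesso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ExtensionIdentifier": MS_SSO_EXTENSION,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",
        "URLs": MS_LOGIN_URLS,
        "ExtensionData": MS_EXTENSION_DATA,
        "RegistrationToken": registration_token,  # lets the extension register silently
        "PlatformSSO": psso,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.psso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Platform SSO (Entra ID)",
        "PayloadScope": "System",  # shared device keys apply to every user on the Mac
        "PayloadContent": [payload],
    }


def profile_to_plist(profile):
    """Serialise the profile to .mobileconfig XML."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data):
    """Parse a .mobileconfig back into a dictionary, to double-check the output."""
    return plistlib.loads(data)


if __name__ == "__main__":
    psso = build_platform_sso_dict(
        admin_groups=["Mac Admins"],                                  # placeholder
        authorization_groups={"system.preferences": "Mac Helpdesk"})  # placeholder
    problems = validate_platform_sso(psso)
    if problems:
        raise SystemExit("\n".join("config problem: " + p for p in problems))
    with open("psso.mobileconfig", "wb") as f:
        f.write(profile_to_plist(build_profile(psso)))
```

With Intune you do not upload this file; the Settings Catalog builds the same payload from the keys you pick. The script is useful for seeing what the finished profile looks like, for catching the EnableCreateUserAtLogin-without-UseSharedDeviceKeys mistake before a device does, and for comparing against the profile a test Mac actually receives.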
Troubleshooting & Verifying Configuration
On the Mac, the app-sso tool can generate sample messages that reflect the deployed PSSO configuration, and it can show the current registration and token state. Use these Terminal commands:
- View Messages: run app-sso platform --messages. The messages it produces do not use the real device keys; a fresh key is generated for each call.
- Check Configuration and SSO Token Status: run app-sso platform --state to inspect the current configuration and the status of the SSO tokens.
- See High-Level Requests and Results: for an overview of requests and their outcomes, filter the unified log for the subsystem com.apple.AppSSO and the relevant category.
Together these commands give you what you need to test and refine a Platform SSO configuration.
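A small triage script for the commands just listed, as an added example (not from the original post, Apple or Microsoft): it builds the log show invocation for the com.apple.AppSSO subsystem (the category is left as a parameter because the exact name depends on what you are chasing), reduces the JSON output to counts per category and process plus any error-level messages, and runs app-sso platform --state when it is on a Mac. The log records embedded in it are constructed for offline use; their message text and category name are illustrative, not real AppSSO output.

```python
"""Collect and summarise Platform SSO diagnostics on a Mac.

Added example; not from the original post, Apple or Microsoft. Wraps the
documented commands `app-sso platform --state` and
`log show --predicate 'subsystem == "com.apple.AppSSO"' --style json`.
SAMPLE_LOG_JSON is constructed here for offline use and is not real output.
"""
import json
import platform
import subprocess
from collections import Counter

APPSSO_SUBSYSTEM = "com.apple.AppSSO"


def log_show_argv(last="1h", category=None, debug=True):
    """Build the `log show` command line; `category` is optional."""
    predicate = 'subsystem == "%s"' % APPSSO_SUBSYSTEM
    if category:
        predicate += ' AND category == "%s"' % category
    argv = ["log", "show", "--last", last, "--style", "json", "--predicate", predicate]
    if debug:
        argv += ["--info", "--debug"]  # include info/debug levels, not just default
    return argv


def summarize_events(json_text, subsystem=APPSSO_SUBSYSTEM):
    """Return counts per (category, process) plus error-level or error-worded messages."""
    counts = Counter()
    errors = []
    for ev in json.loads(json_text):
        if ev.get("subsystem") != subsystem:
            continue  # defensive: the predicate should already have filtered
        key = (ev.get("category", "?"), ev.get("process", "?"))
        counts[key] += 1
        msg = ev.get("eventMessage", "")
        if ev.get("messageType") in ("Error", "Fault") or "error" in msg.lower():
            errors.append((ev.get("timestamp"), key[0], msg))
    return {"counts": dict(counts), "errors": errors, "total": sum(counts.values())}


def platform_sso_state():
    """Run `app-sso platform --state`; returns None when not running on macOS."""
    if platform.system() != "Darwin":
        return None
    out = subprocess.run(["app-sso", "platform", "--state"],
                         capture_output=True, text=True, check=False)
    return out.stdout + out.stderr


# Constructed records in the shape of `log show --style json` output.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:00:01.000000+0100", "subsystem": "com.apple.AppSSO",
     "category": "category-a", "process": "AppSSOAgent", "messageType": "Default",
     "eventMessage": "constructed: device registration request sent"},
    {"timestamp": "2024-05-01 09:00:02.000000+0100", "subsystem": "com.apple.AppSSO",
     "category": "category-a", "process": "AppSSOAgent", "messageType": "Default",
     "eventMessage": "constructed: device registration completed"},
    {"timestamp": "2024-05-01 09:05:00.000000+0100", "subsystem": "com.apple.AppSSO",
     "category": "category-a", "process": "loginwindow", "messageType": "Error",
     "eventMessage": "constructed: token refresh failed"},
    {"timestamp": "2024-05-01 09:05:00.000000+0100", "subsystem": "com.apple.Other",
     "category": "misc", "process": "other", "messageType": "Default",
     "eventMessage": "constructed: unrelated event"},
])


if __name__ == "__main__":
    state = platform_sso_state()
    if state is None:  # not on a Mac: demonstrate on the constructed sample
        summary = summarize_events(SAMPLE_LOG_JSON)
    else:
        print(state)
        out = subprocess.run(log_show_argv(), capture_output=True, text=True, check=True)
        summary = summarize_events(out.stdout)
    print(summary["total"], "AppSSO events:", summary["counts"])
    for ts, cat, msg in summary["errors"]:
        print("ERROR", ts, cat, msg)
```

Run it on the test Mac right after a login or a forced re-registration; the registration and token-refresh steps described above show up as AppSSO events, and anything at Error or Fault level is the first thing to compare against the IdP's sign-in logs.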
Implement MacOS Platform SSO with Intune
All right, having covered the theory, let's move on to the practical side and create and deploy a PSSO profile in Intune to see how it works in a real-world scenario. Before you start, make sure you have:
- the Microsoft Enterprise SSO plug-in for Apple devices deployed
- Mac devices enrolled with Apple's Automated Device Enrollment (ADE) or Device Enrollment (DE)
- macOS Ventura 13.0 or later
- the Company Portal app installed, version 5.2312.0 or later
Create Configuration Profile for Platform SSO
- In the Intune admin center, go to Devices > macOS > Configuration profiles > Create > New Policy.
- Select macOS for the platform and Settings Catalog for the profile type.
- Configure the profile for the required Platform SSO keys (key list shown as a screenshot, not reproduced).
- Once configured, the profile should look like this (screenshot not reproduced).
Verify the deployment on a test Mac by confirming the following (each was shown as a screenshot, not reproduced):
- Device Registered
- Authorisation Groups Created
- Both User & Device Registration completed
- Password synced with Identity Provider
- Directory Services
- SSO token stored in Keychain