Apple macOS PSSO intune

Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

The wait is over! After months of anticipation, Platform Single Sign-On (SSO) for macOS with Microsoft Entra ID is finally here and ready to transform your Mac login experience. Ready to Unleash the Power of Platform SSO for macOS? Now that the initial excitement has cooled down a bit, let&

17 min read
PSSO
PSSO

The wait is over! After months of anticipation, Platform Single Sign-On (SSO) for macOS with Microsoft Entra ID is finally here and ready to transform your Mac login experience.


Ready to Unleash the Power of Platform SSO for macOS?

Now that the initial excitement has cooled down a bit, let's get down to the practical aspects. I've split the guide into three sections: Configuration, Verification & Troubleshooting.

This blog post will serve as your guide to configure & troubleshoot Platform SSO for macOS with Microsoft Entra ID. I'll guide you through the necessary steps to understand, configure, identify and resolve common issues that may arise during the setup and use of Single Sign-On. We'll explore how to effectively diagnose problems and implement solutions, ensuring a smooth and secure user experience.


Part I - Demystifying Platform Single Sign-On for macOS

Let's ditch the technical jargon for a moment and understand Platform SSO in simpler terms. Imagine it as a master key for your Mac login experience.

Traditionally, accessing work resources on a Mac meant juggling multiple passwords for different apps and services.Platform SSO eliminates this hassle! It builds upon your existing Microsoft Entra ID infrastructure, allowing users to sign in to their Macs using the same familiar credentials.

Behind The Scenes

Platform SSO offers a variety of authentication methods to suit your organization's security needs and user preferences.Here's a breakdown of the available options:

Platform SSO not only just simplifies logins for macOS users, but its benefits extend even further! Here's how Platform SSO enhances user management and access control:

In essence, Platform SSO streamlines the login process for users, enhances security for organizations, and eliminates the need for complex directory configurations. It's a win-win for everyone!


The Registration Dance: A Step-by-Step Look

This section dives deeper into the technical workings of Platform SSO. Platform SSO relies on a well-defined sequence to register devices and users with the IdP. Here's a breakdown of the steps involved:

Device Registration First: 

The initial step involves registering the device itself with the IdP. The extension achieves this by utilizing the beginDeviceRegistrationUsingLoginManager:options:completion: method.

Silent Registration for Convenience: If a registration token exists within the Device Management configuration profile,Platform SSO attempts a silent registration. This means users wouldn't need to intervene. The extension can leverage this token for device authentication with the IdP, eliminating the need for user prompts. However, if a silent registration fails,the system presents a user interface for manual registration.

User Interface Intervention: In scenarios where a user interface is necessary during registration, the extension utilizes the presentRegistrationViewControllerWithCompletion: method on the login manager.

Key Management: The extension can access signing and encryption keys using the ASAuthorizationProviderExtensionKeyTypeCurrentDeviceSigning and ASAuthorizationProviderExtensionKeyTypeCurrentDeviceEncryption key types, regardless of whether shared keys are employed.

Registration Outcomes: Once the process is complete, the extension must inform Platform SSO of the outcome using an ASAuthorizationProviderExtensionRegistrationResult object.

Users can also manually trigger a registration attempt through the Settings menu.

Important Note: During device registration, SSO extensions operate at a system or role level, independent of specific users.

Next Steps: The following section will explore the user registration process facilitated by Platform SSO. We'll delve into how SSO extensions interact with the IdP to register users and enable them to leverage Platform SSO immediately.

Registering Users for Seamless Logins 

Following a successful device registration, the SSO extension initiates the user registration process using the beginUserRegistrationUsingLoginManager:userName:authenticationMethod:options:completion: method.

If your environment utilizes shared device keys, user registration only occurs for subsequent users on the device. For users created during login, the system may prompt them to initiate registration upon reaching the desktop. User-specific login configurations can be adjusted using the login manager's saveUserLoginConfiguration:error: method.

Once user registration is complete, the extension signals this to the completion handler. The system then prompts the user to authenticate using the newly established configuration, allowing them to leverage Platform SSO immediately.

If you are utilising password authentication, the system interacts with the key service to provision a new key and bind it to the user account. This strengthens security by offering an additional layer of protection.


The Secure Enclave: The Guardian of Your Login Credentials

Imagine a vault within your Mac... This vault, known as the Secure Enclave, is a dedicated secure coprocessor chip built into Apple devices. It acts as a secure haven for sensitive information, including passwords, encryption keys, and biometric data used for Touch ID.

Here's what makes the Secure Enclave special:

Microsoft highly recommends this method for its enhanced security. It leverages hardware-bound cryptographic keys stored within the Secure Enclave, a secure chip on Mac devices. This method eliminates the need for Microsoft Entra user accounts to authenticate with apps and websites, offering robust protection against phishing attacks. Secure Enclave boasts several advantages:

When using Platform SSO, your login credentials and any generated authentication tokens are stored within the Secure Enclave. This adds an extra layer of security compared to traditional login methods that might store this information on the main disk of your Mac.


Configure PSSO with Microsoft Intune 

Now that you understand the magic of Platform SSO, let's get down to business! This section will guide you through configuring Platform SSO for your macOS devices using Microsoft Intune.

Prerequisites
💡
For best results/end user experience, upgrade the device to macOS 14.x
💡
Before diving into the configuration of Platform SSO on macOS devices using Microsoft Intune, a crucial decision awaits:selecting the authentication method. This choice significantly impacts how users sign in to their devices.
Your Authentication Method Options:

Choosing the right authentication method depends on your organization's security needs and user preferences.

Create the Platform SSO policy in Intune:

To configure the Platform SSO policy, use the following steps to create an Intune settings catalog policy.

Screenshot that shows the Settings Catalog settings picker, and selecting authentication and extensible SSO category in Microsoft Intune.
💡
Platform SSO policies are user-based policies. Don't assign the platform SSO policy to devices.

Platform SSO in Action: A Demo with Password Authentication

This section provides a demonstration of Platform SSO using password authentication. PSSO flow:

  1. Login with Microsoft Entra ID: With Platform SSO configured for password authentication, the user simply enters their Microsoft Entra ID credentials at the login screen.
  2. SSO Magic: Behind the scenes, Platform SSO leverages those credentials to silently authenticate with the IdP (Microsoft Entra) and retrieve an SSO token.
  3. Seamless Application Access: Once logged in, the user can access any work applications or websites that support Platform SSO without needing to enter separate login credentials. The SSO token grants them seamless access.

Platform SSO in Action: A Demo with Secure Enclave

Building upon the previous demonstration, let's explore how Platform SSO with Secure Enclave authentication elevates security even further.


Part II - Verifying PSSO for macOS

Now that you've grasped the inner workings of Platform SSO and its configuration process, let's explore how to verify successful implementation and address any potential issues that might arise on macOS devices.

Here's how to ensure your macOS devices are enjoying the benefits of Platform SSO:

Further you can also perform below checks to verify PSSO configuration:

Secure Enclave
Password Authentication

Part III - Troubleshooting PSSO for macOS

Even with careful planning, occasional hiccups can occur. Here are some common troubleshooting steps you can take for Platform SSO on macOS devices:

Check Device Enrollment & MDM Communication:

Review Platform SSO Policy Configuration:

Leverage Diagnostic Tools:

Advanced Troubleshooting:

💡
Before proceeding, ensure you have administrative privileges on the Mac device you're troubleshooting.

Platform SSO leverages the macOS system logs to record events related to user registration, AppSSO Agent confirmation and new user creation. These logs can provide valuable clues when diagnosing issues.

Here's how to access and capture the relevant logs:

  1. Open Terminal: Launch the Terminal application, which is typically located within the Utilities folder within Applications.
  2. Execute the Command: Type the following command in the Terminal window and press Enter:
💡
--predicate 'subsystem == "com.apple.AppSSO"': This filters the output to include only messages related to the com.apple.AppSSO subsystem, which is responsible for Platform SSO functionality.

Once the command finishes executing, navigate to your Documents folder and open the "ssologs.txt" file using a text editor. Carefully examine the contents of the file, paying close attention to timestamps, error messages, and any warnings.

These detailed logs reveal user registrations, plugin activity, and even login screen details. Analyze timestamps, errors,and successes to pinpoint configuration issues. Failed registrations, communication breakdowns, or UI glitches become exposed, allowing you to take targeted actions and ensure a smooth SSO experience for your users.

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginAuthorizationWithRequestParameters:completion:] requestIdentifier: CAFC9D06-55FB74648 on <private>


Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext beginAuthorizationWithRequestParameters:completion:] requestIdentifier = CAF4A-B9E55FB74648, {
    AuthenticationMethod = 0;
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqD3njwT1dDXQ0n6LfHdrrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = UBF8T346G9;
    EnableUserInteraction = NO;
    Identifier = "CAFC9E55FB74648";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "Company Portal";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
} on <private>



AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent _doPerformAuthorizationWithRequestParameters:profile:completion:] {
    AuthenticationMethod = 0;
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqD3njwT1dDXQ0n6LfHdrrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "correlation_id" = "61-8FDB52CD331A";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = UBF8T346G9;
    EnableUserInteraction = NO;
    Identifier = "76A1756B-1138E2C224443CA";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "Company Portal";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
} on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtensionManager] -[SOExtensionManager loadedExtensionWithBundleIdentifer:] com.microsoft.CompanyPortalMac.ssoextension => <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(
    "login.microsoft.com",
    "login-us.microsoftonline.com",
    "login.chinacloudapi.cn",
    "login.partner.microsoftonline.cn",
    "sts.windows.net",
    "login.microsoftonline.com",
    "login.microsoftonline.us"
)> in (
    "<SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(\n    \"login.microsoft.com\",\n    \"login-us.microsoftonline.com\",\n    \"login.chinacloudapi.cn\",\n    \"login.partner.microsoftonline.cn\",\n    \"sts.windows.net\",\n    \"login.microsoftonline.com\",\n    \"login.microsoftonline.us\"\n)>",
   



Company Portal: (AppSSO) [com.apple.AppSSO:SOAuthorization] -[SOAuthorization _finishAuthorizationWithCredential] credentialCore = <private>, error = (null), requestParametersCore = {
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "correlation_id" = "7F0F-FAE40B22A328";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = "(null)";
    EnableUserInteraction = NO;
    Identifier = "CAFC9D069E55FB74648";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "(null)";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
}, delegate = <ASAuthorizationController: 0x600003782700> on <private>


AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent finishAuthorization:completion:] extension = <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(
    "login.microsoft.com",
    "login-us.microsoftonline.com",
    "login.chinacloudapi.cn",
    "login.partner.microsoftonline.cn",
    "sts.windows.net",
    "login.microsoftonline.com",
    "login.microsoftonline.us"
)>, queue = com.microsoft.CompanyPortalMac.ssoextension on <private>


Company Portal: (AppSSOCore) [com.apple.AppSSO:SOClient] finishAuthorizationWithCompletion: success = 1, error = (null)
AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension beginUserRegistrationUsingUserName:authenticationMethod:options:extensionData:completion:] authenticationMethod = 1, options = 5 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension requestAuthorizationViewControllerWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension _setupSessionIfNecessaryWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension incrementRequestCount] count now 1 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] Using existing session for extension <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginUserRegistrationUsingUserName:authenticationMethod:options:extensionData:completion:]  on <private>


AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess userConfigurationForIdentifier:completion:] identifier = 9B507260-FE86-4788E2769 on <private>

AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess saveUserConfiguration:forIdentifier:completion:] identifier = 9B50726027-7EAB788E2769 on <private>


AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POConfigurationVersion] -[POConfigurationVersion increaseVersionWithMessage:] config version increased from 0x0000018D66BE3565 to 0x0000018D66BE3571 (userConfiguration updated) on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POKeychainHelper] -[POKeychainHelper addTokens:metaData:toKeychainForService:username:system:] service com.microsoft.CompanyPortalMac.ssoextension on <private>

AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess userConfigurationForIdentifier:completion:] identifier = 9B507260-FE8AB788E2769 on <private>


AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POAgentAuthenticationProcess] -[POAgentAuthenticationProcess notifyKerberosDelegateTGTDidComplete]  on 

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POAgentAuthenticationProcess] -[POAgentAuthenticationProcess finishRegistrationWithStatus:message:] success = 1 on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension registrationDidCompleteWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension requestAuthorizationViewControllerWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension _setupSessionIfNecessaryWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension incrementRequestCount] count now 1 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] Using existing session for extension <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension registrationDidCompleteWithCompletion:]  on <private>

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext registrationDidCompleteWithCompletion:]  on <private>
AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginDeviceRegistrationUsingOptions:extensionData:completion:]  on <private>

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext beginDeviceRegistrationUsingOptions:extensionData:completion:] options = 5 on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension presentAuthorizationViewControllerWithHints:completion:]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController initWithExtensionViewController:hints:] extensionViewController = <SORemoteExtensionViewController: 0x600000ff0fc0> on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController loadView]  on <private>


AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] <SORemoteExtensionViewController: 0x600000ff0fc0> - size: (w=809.000000, h=650.000000)


AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewDidLoad]  on <private>

AppSSOAgent: (PlatformSSOUI) [com.apple.AppSSO:POAgentWindowController] -[POAgentWindowController initWithWindow:]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewWillAppear]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewDidAppear]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationClient] -[SOConfigurationClient init]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOServiceConnection] <SOServiceConnection: 0x12b155f40>: new XPC connection

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationVersion] -[SOConfigurationVersion checkVersion] config version changed from from 0x0000000000000000 to 0x0000018D66B94507 on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationClient] -[SOConfigurationClient _reloadConfig]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] -[SOClient configurationWithCompletion:]  on <private>

AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent initWithXPCConnection:] <SOAgent: 0x6000013ed380> on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] configurationWithCompletion: success = YES, error = (null)

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] -[SOClient getAuthorizationHintsWithURL:responseCode:completion:] url: <mask.hash: '3WXy1dp5TlBJfSe8ZoJkFw=='>, responseCode: 0 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtensionManager] -[SOExtensionManager loadedExtensionWithBundleIdentifer:] com.microsoft.CompanyPortalMac.ssoextension => <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(null)> in (
    "<SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(null)>",
    "<SOExtension:0x600001ef6490, bundleID=com.apple.AuthKitUI.AKAppSSOExtension, path=/System/Library/PrivateFrameworks/AuthKitUI.framework/PlugIns/AKAppSSOExtension_macOS.appex, associatedDomains=(null)>",
    "<SOExtension:0x600001ef67b0, bundleID=com.apple.AppSSOKerberos.KerberosExtension, path=/System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex, associatedDomains=(null)>"
) on <private>


Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] SOClient authorization hints: {localizedExtensionBundleDisplayName = "Mac SSO Extension";

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SOAuthorization] hints: {localizedExtensionBundleDisplayName = "Mac SSO Extension"}, error: (null)


AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 9B507260-FE86788E2769 on <private>202



Conclusion

In this comprehensive blog post, we've explored the world of Platform SSO for macOS. We've delved into its technical aspects, unpacked its user and security benefits, and even equipped you with the knowledge to configure and troubleshoot it on your macOS devices.

With Platform SSO, you can empower your users with a streamlined login experience while simultaneously strengthening your organization's security posture. Consider exploring the official Microsoft documentation to delve deeper into configuration specifics and unleash the full potential of Platform SSO within your macOS environment.

I hope this blog post has been informative and empowers you to make informed decisions regarding Platform SSO for your organization. If you have any questions or require further assistance, feel free to leave a comment below!

Share This Post

Check out these related posts

Application Inventory: The Unsung Hero of macOS Security

Set Sail for Smooth Seas: Effortless Mac Enrollment with Intune

Secure, Contain, Protect... Your Mac: Deploy mSCP with Intune