Apple macOS SSO intune PSSO Platform Single Sign-On

Taking Platform SSO to the Next Level: Create New Users At Login

Discover how the advancements in Platform SSO are reshaping user management and security in enterprise settings. Read further to explore this significant leap forward for Mac integration in the corporate world.


In my previous exploration, we delved deep into the world of Apple Identity Services and Platform Single Sign-On (PSSO). If you haven't had the chance to read it yet, I highly recommend starting there for a solid foundation:

The Apple Connect: Bridging Identity Services with SSO
Apple’s integration of IdP with SSO is a game-changer in digital identity and access management. This innovative merge offers a seamless, secure user experience. It simplifies authentication across various services, enhancing productivity in enterprise environments.

Building on that knowledge, this new post takes a crucial step forward. Platform Single Sign-On (SSO) on macOS has evolved, offering groundbreaking capabilities that are particularly beneficial for enterprises utilizing shared devices. This advancement enhances the integration of corporate identities into the macOS ecosystem, streamlining both the user experience and device management. Here are some key features and their implications:

So, let's dive into the transformative world of macOS user roles and privileges, redefined by platform SSO.


The Core Challenges


But We Always Had Workarounds

Before the advent of more sophisticated solutions like Platform SSO, IT administrators managing Macs in enterprise environments had to rely on various workarounds to mitigate the risks associated with primary users gaining full administrative rights. These workarounds, while creative, often came with their own set of limitations and were only partially effective.

  1. User Role Restructuring: One common approach was to manually change the primary user's role from an administrator to a standard user after the initial setup.
  2. Scripted Solutions: Some MDM admins turned to scripting. Scripts were written and deployed to automatically adjust user privileges post-enrollment. While this automated part of the process, it still didn't offer the granularity and flexibility needed for diverse enterprise environments.
  3. Third-party Management Tools: Another strategy involved the use of third-party Mac management tools. These tools provided more control over user accounts and privileges but often at the cost of additional complexity and expense. They also introduced a dependency on external software, which might not always align with the organization's IT policies or standards.
  4. Policy Enforcement via Network Controls: In some cases, network-level controls and policies were implemented to restrict what administrative users could do, especially regarding network resources and critical systems. This approach was more about containment than prevention, as it did nothing to change the user's actual privileges on the Mac itself.

Each of these workarounds had its drawbacks. They were often seen as stop-gap solutions – measures that could reduce risks but not eliminate them. They also added layers of complexity and management overhead, detracting from the user experience and efficiency.


Alright! Enlighten Me

In my previous article, we discussed and explored how platform SSO presents a more integrated and streamlined approach, overcoming many of these historical challenges. The steps are in the link below:

Step-by-Step Guide on Setting Up Platform SSO

The Apple Connect: Bridging Identity Services with SSO

The Next Level: On-Demand Local Account Creation

Perhaps the most significant advancement is the ability of Platform SSO to support the on-demand creation of local accounts at the login window. When a new user authenticates using credentials from their organization's IdP, macOS can now automatically create a new local user account. This feature is a game-changer for organizations that use shared devices, as it:

To achieve this, certain requirements need to be in place for the local account creation to happen.

  1. UseSharedDeviceKeys: This setting must be enabled. With it, the Mac uses a shared device key to maintain a trusted connection to Entra ID that is independent of any specific user.
  2. Connectivity with the Identity Provider: The Mac must be able to reach your Entra ID tenant. This connection is needed to authenticate the user's credentials and to confirm that the user is authorized to use the device.
  3. Device State - Login Window with FileVault Unlocked: The device needs to be at the login window, and FileVault should be unlocked. This state ensures that the device is secure but ready to set up a new user account upon successful authentication.
  4. MDM Support for Bootstrap Tokens: The MDM system must support Bootstrap Tokens. Bootstrap Tokens play a critical role in enabling a seamless and secure user experience, especially in scenarios involving the creation of new user accounts on macOS devices.
  5. User Authentication: With these conditions met, users can then authenticate using their Entra ID username and password, or a SmartCard.
  6. Assignment of User Permissions: Post-authentication, user permissions are assigned based on Identity Provider groups.
  7. Defining Access Levels through MDM Profiles: The Intune configuration profile plays a pivotal role in defining the access level of the newly created account. It can specify whether the user receives standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.
Local Account Creation with PSSO
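Because item 7 is where the privilege decision lives, it is worth being able to audit a profile before it reaches the fleet. The script below is an added example, not code from the original post, from Apple or from Microsoft: it loads a mobileconfig with Python's standard plistlib, finds the Extensible SSO payload, and reports whether the PlatformSSO dictionary satisfies the shared-device-key and create-user-at-login requirements above and which authorization mode new accounts will get. The sample profile is constructed; the Microsoft extension and team identifiers and the PlatformSSO key names are taken from Apple's and Microsoft's published documentation as I know it, and the assumption that Groups mode reads admin membership from AdministratorGroups is my reading of that documentation.

```python
"""Audit a Platform SSO mobileconfig for login-window account creation (added example)."""
import plistlib

# Constructed sample profile: one com.apple.extensiblesso payload carrying a
# PlatformSSO dictionary. Identifiers are Microsoft's Enterprise SSO extension
# as documented publicly; the PayloadIdentifier values are made up for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.psso.createuser</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>example.psso.createuser.sso</string>
      <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
      <key>TeamIdentifier</key><string>UBF8T346G9</string>
      <key>Type</key><string>Redirect</string>
      <key>URLs</key>
      <array><string>https://login.microsoftonline.com</string></array>
      <key>PlatformSSO</key>
      <dict>
        <key>AuthenticationMethod</key><string>Password</string>
        <key>UseSharedDeviceKeys</key><true/>
        <key>EnableCreateUserAtLogin</key><true/>
        <key>NewUserAuthorizationMode</key><string>Admin</string>
        <key>UserAuthorizationMode</key><string>Groups</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}
AUTH_MODES = {"Standard", "Admin", "Groups"}


def find_psso_payloads(profile):
    """Return every Extensible SSO payload that carries a PlatformSSO dictionary."""
    return [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.extensiblesso" and "PlatformSSO" in p
    ]


def check_create_user_config(psso):
    """Return a list of findings for one PlatformSSO dictionary (empty list = clean)."""
    findings = []
    if psso.get("AuthenticationMethod") not in AUTH_METHODS:
        findings.append("AuthenticationMethod must be Password, UserSecureEnclaveKey or SmartCard")
    # Shared device keys keep a user-independent trust with the IdP; without them the
    # login window has nothing to authenticate a brand-new user against.
    if psso.get("UseSharedDeviceKeys") is not True:
        findings.append("UseSharedDeviceKeys is not true: account creation at the login window needs it")
    if psso.get("EnableCreateUserAtLogin") is not True:
        findings.append("EnableCreateUserAtLogin is not true: no local account will be created at login")
    # NewUserAuthorizationMode governs accounts created at login; UserAuthorizationMode
    # governs existing accounts. Both take Standard, Admin or Groups.
    for key in ("NewUserAuthorizationMode", "UserAuthorizationMode"):
        mode = psso.get(key)
        if mode is None:
            continue  # optional key; the macOS default applies
        if mode not in AUTH_MODES:
            findings.append(f"{key}={mode!r} is not one of {sorted(AUTH_MODES)}")
        elif mode == "Admin":
            findings.append(f"{key}=Admin makes every account it applies to an administrator; prefer Standard or Groups")
        elif mode == "Groups" and not psso.get("AdministratorGroups"):
            # Assumption: Groups mode derives admin rights from AdministratorGroups.
            findings.append(f"{key}=Groups but AdministratorGroups is empty, so no IdP group can grant admin rights")
    return findings


def audit_profile(raw):
    """Map each PlatformSSO payload identifier to its findings."""
    profile = plistlib.loads(raw)
    payloads = find_psso_payloads(profile)
    if not payloads:
        return {"<none>": ["no com.apple.extensiblesso payload with a PlatformSSO dictionary"]}
    return {p.get("PayloadIdentifier", "<unnamed>"): check_create_user_config(p["PlatformSSO"])
            for p in payloads}


if __name__ == "__main__":
    for ident, findings in audit_profile(SAMPLE_PROFILE).items():
        print(ident, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Point the script at an exported profile (read the file in binary mode and pass the bytes to audit_profile) and it will flag the two things that matter most on a shared Mac: whether the prerequisites for creation are actually present, and whether a profile that was meant to hand out standard accounts silently makes every new login an administrator.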

Demo Time

("Tanush" is my son's name 😊)

Device Registration

Conclusion

The enhancements in Platform SSO for macOS, particularly for shared devices, mark a significant stride in enterprise technology. By enabling on-demand local account creation at login, Apple addresses a critical need for tighter security and streamlined user management. This feature not only simplifies the Mac integration into enterprise environments but also underscores the commitment to evolving user and administrative needs.

As we wrap up this year, I'm excited about these developments and look forward to seeing how they'll improve our workflows and security.

That's all for now! I'd love to hear your thoughts and experiences with these new features. Your feedback not only enriches our shared knowledge but also helps in shaping our tech community. Here's to a year of great strides in technology, and to all of you, a fantastic year ahead!
