How do I get started with configuring Platform SSO on Mac for a single-user device?

This configuration is for a Single Device/Single User Deployment

This configuration is recommended for macOS 15+. If you're using Tahoe (26), you can implement the simplified pSSO method through the configuration profile.

Configuration Profile

  1. Log in to Jamf Pro
     
  2. Select Computers -> Configuration Profiles -> New
     
  3. In the General Payload
    • Give the Profile a meaningful name
    • Make sure your site is selected
    • Select a category
    • Select Computer Level
    • Select Install Automatically
       
  4. Select the Single Sign-On Extensions Payload
    • Payload Type: SSO
    • Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
    • Team identifier: UBF8T346G9
    • Sign-On Type: Redirect
    • URLS:
    • Use Platform SSO:  Toggled
    • Authentication Method: Password
    • FileVault Policy (Apple Silicon): This will need to be tested per your department’s needs.
    • User Logon Policy: Toggle
    • Authentication Condition: Attempt
      • Allow offline grace period: Checked, 24 hours, or adjust as needed
    • Screensaver Unlock Policy: Toggle
      • Allow offline grace period: Checked, 24 hours, or adjust as needed
      • Unlock with Touch ID or Apple Watch: Checked or adjust as needed
    • Non-Platform SSO Accounts
      • List your admin accounts here. This is to ensure these accounts can always access the device to unlock them
    • Enable Registration During Setup: Toggled
      • Enabled
    • Create First User During Setup:  Toggled
      • Enabled
      • New User Creation Authentication Method: Toggled, Password
    • Account Display Name: Toggled
      • $USERNAME
    • Login Frequency: 24 Adjust as needed
    • User Mapping: Toggled
      • Full Name: displayName
      • Account Name: sAMAccountName
      • Account Authorization Type: Toggle if needed, by default the account will be created as a standard account.
      • New User Account Type: Toggle if needed, by default the account will be created as a standard account.
      • Administrator Groups:  Toggled. The group is created in Intune to provide admin access to the members in this group.
    • Synchronize Profile Picture: Toggled
      • Enabled
    • Authentication When Screen is Locked: Toggled
      • Do Not Handle
    • Custom Configuration:
      • Upload the plist here; it will need to be saved as a plist to upload. This is also where you can add other customizations as needed; if you'd like to add more customizations, visit here. An example plist is shown below. Example name: companyportal.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>

  5. Set the Scope

Create the Policy Or Deploy via Jamf Catalog

  1. Choose a method to install the Company Portal
    • Jamf Catalog – Microsoft Company Portal
      • This will always get the latest Company Portal installer.
    • Script Policy Payload
      • Name: Company Portal
        1. This will always get the latest Company Portal installer.
    • Package Policy – This will eventually fall out of date and may cause a looping effect during registration, because the Company Portal will update itself once it's installed.
       
  2. Create a policy: Computers -> Policies -> New
    • General Payload
      • Set your preferences as needed
        1. Check “Enrollment Complete” for new deployments
        2. Check “recurring check in” for deployments that DO NOT have Macs that were bound to AD.
          • If you’d like to implement pSSO, you will need to unbind the Macs or retire the bound Macs.
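As an added example of the "Script Policy Payload" option (this is not the original post's script): a Jamf script that fetches the current Company Portal installer, refuses to install it unless pkgutil reports a Developer ID Installer certificate carrying the same Microsoft Team ID used in the SSO payload (UBF8T346G9), and then installs it. The download URL is assumed to be Microsoft's redirecting Company Portal link; confirm it against Microsoft's documentation before deploying.

```shell
#!/bin/sh
# Jamf "Script" policy payload: install the latest Company Portal after verifying
# the package signature. Added example, not from the original post.

# ASSUMPTION: Microsoft's redirect link for the Company Portal pkg; verify before use.
CP_URL="https://go.microsoft.com/fwlink/?linkid=853070"
# Team ID from the SSO extension payload (Microsoft Corporation).
EXPECTED_TEAM_ID="UBF8T346G9"
PKG_PATH="/private/tmp/CompanyPortal-Installer.pkg"

# signature_ok <pkgutil --check-signature output> <team id>
# Returns 0 only if the status line says the package is signed by an Apple-issued
# developer certificate AND the Developer ID Installer line carries the expected Team ID.
signature_ok() {
    sig_output="$1"
    team_id="$2"
    printf '%s\n' "$sig_output" \
        | grep -q "Status: signed by a developer certificate issued by Apple" || return 1
    printf '%s\n' "$sig_output" \
        | grep "Developer ID Installer" | grep -q "($team_id)" || return 1
    return 0
}

install_company_portal() {
    /usr/bin/curl -fsSL -o "$PKG_PATH" "$CP_URL" || { echo "Download failed"; return 1; }
    sig="$(/usr/sbin/pkgutil --check-signature "$PKG_PATH" 2>&1)"
    if ! signature_ok "$sig" "$EXPECTED_TEAM_ID"; then
        echo "Refusing to install: signature check failed for $PKG_PATH"
        printf '%s\n' "$sig"
        rm -f "$PKG_PATH"
        return 1
    fi
    /usr/sbin/installer -pkg "$PKG_PATH" -target / || { rm -f "$PKG_PATH"; return 1; }
    rm -f "$PKG_PATH"
    echo "Company Portal installed and signature verified ($EXPECTED_TEAM_ID)"
}

# Only perform the install on macOS as root (how Jamf runs policy scripts);
# elsewhere the script just defines the functions above.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    install_company_portal
fi
```

A non-zero exit from install_company_portal marks the Jamf policy as failed, so a download or signature problem shows up in the policy log instead of silently installing an unverified package.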


Extensive testing and troubleshooting should be completed before rolling out to production devices. This is the responsibility of the department to understand the potential issues that may arise during deployment.


New Device Setup

  1. Setup the Prestage
    • General payload: Check the boxes for “Make the MDM profile Mandatory and Require Authentication”
    • Account Settings Payload: Check “Create a managed local administrator account during macOS Setup Assistant” if you want to create a local admin account.
      • Set the password
    • Local Account User type: Standard Account. This will not give the user admin rights. If you want the user to have admin rights (not recommended), select Administrator Account.
    • Check the box to prefill primary account info. Drop down selection “Device Owner’s Details”
    • Configuration Profile Payload: select the configuration profile you created for pSSO above.

Login process after the configurations are set

1. Enroll the device
2. Enter the user’s credentials
3. Log into the device
4. YOU MUST REGISTER THE DEVICE from the company portal prompt


5. Sign in with the account used to enroll the device


6. This prompt is syncing the local account password with their Entra account.


7. You will be notified that registration is now complete.