Getting Started with Configuring Platform SSO on Mac for Multi-User Devices

Summary

Platform SSO for multi user devices

Body

This configuration is for a multi-device, multi-user deployment.

This configuration is recommended for macOS 15+. If you're using macOS Tahoe (26), you can implement the simplified pSSO method through the configuration profile.

Configuration Profile

  1. Log in to Jamf Pro
     
  2. Select Computers -> Configuration Profiles -> New
     
  3. In the General Payload
    • Give the Profile a meaningful name
    • Make sure your site is selected
    • Select a category
    • Select Computer Level
    • Select Install Automatically
       
  4. Login Window Payload
    • Window tab:
      • Name and Password field
    • Options tab:
      • Check all of the following
        1. Disable automatic login
        2. Disable Apple ID Setup during login
        3. Disable Siri setup during login
        4. Enable console login
        5. Enable Fast User Switching
        6. Enable external accounts
    • Access tab:
      • Local only users may log in
         
  5. Select the Single Sign-On Extensions Payload
    • Payload Type: SSO
    • Authentication when screen is locked: Do Not Handle
    • Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
    • Team identifier: UBF8T346G9
    • Sign-On Type: Redirect
    • URLS:
    • Use Platform SSO:  Toggled, Enabled
    • Authentication Method: Password
    • Non-Platform SSO Accounts
      • List your admin accounts here so that these accounts can always access the device to unlock it
    • Use Shared Device Keys: Enabled
    • Create New User at Login:  Enabled
    • Identity Provider Authorization: Enabled
    • Account Display Name: Toggled
      • NetID
    • Login Frequency: 24 Hrs
    • User Mapping: Toggled
      • Full Name: displayName
      • Account Name: preferred_username
      • Account Authorization Type: Standard
      • New User Account Type: Standard
    • Device identifiers in attestation: Allowed
    • Custom Configuration:
      • Upload the plist here; it must be saved as a .plist file to upload. This is also where you can add other customizations as needed. If you’d like to add more customizations, visit here. The plist used in this guide is shown below. Example name: companyportal.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>
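As an added example (not part of this article, and not Jamf or Microsoft tooling), the Python script below builds the Custom Configuration plist above with the standard-library plistlib module and checks a plist you are about to upload against the shape this guide uses: one comma-separated prefix string and 0/1 integer flags. The key names and values come from the plist above; the individual checks (no whitespace around prefixes, each prefix ending in a dot, the guide's four prefixes retained when the list is customized, flags as integers rather than booleans) are this example's own assumptions about what a correct customization looks like, not a published Microsoft schema. The malformed sample plist is constructed for the demonstration.

```python
"""Build and sanity-check the Company Portal Custom Configuration plist
that this guide uploads in the Jamf SSO extension payload.

Added example; not part of the KB article or of Jamf/Microsoft tooling.
Key names and values are taken from the article's plist. The checks encode
that plist's shape and this example's assumptions, not a vendor schema.
"""
import plistlib

# Values exactly as listed in the article's companyportal.plist
GUIDE_SETTINGS = {
    "AppPrefixAllowList": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}
INTEGER_FLAGS = ("browser_sso_interaction_enabled", "disable_explicit_app_prompt")
# Assumption of this example: a customized allow list may add prefixes but
# should not drop the ones the guide ships with.
GUIDE_PREFIXES = tuple(GUIDE_SETTINGS["AppPrefixAllowList"].split(","))


def build_plist() -> bytes:
    """Serialize the guide's settings as XML plist bytes (what gets uploaded)."""
    return plistlib.dumps(GUIDE_SETTINGS, fmt=plistlib.FMT_XML)


def write_plist(path: str = "companyportal.plist") -> str:
    """Write the guide's plist to disk under the article's example file name."""
    with open(path, "wb") as fh:
        fh.write(build_plist())
    return path


def check_plist(data: bytes) -> list:
    """Return a list of problems; an empty list means the plist matches the guide's shape."""
    problems = []
    try:
        cfg = plistlib.loads(data)
    except Exception as exc:  # malformed XML, or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level object must be a dict"]

    prefixes = cfg.get("AppPrefixAllowList")
    if not isinstance(prefixes, str):
        problems.append("AppPrefixAllowList missing or not a <string>")
    else:
        entries = prefixes.split(",")
        for p in entries:
            if p != p.strip():
                # e.g. "com.microsoft., com.apple." (space after the comma)
                problems.append(f"prefix {p!r} has surrounding whitespace")
            elif not p.endswith("."):
                problems.append(f"prefix {p!r} should end with '.'")
        present = {p.strip() for p in entries}
        for required in GUIDE_PREFIXES:
            if required not in present:
                problems.append(f"guide prefix {required!r} is missing from AppPrefixAllowList")

    for key in INTEGER_FLAGS:
        val = cfg.get(key)
        # bool is a subclass of int, so reject <true/>/<false/> explicitly
        if isinstance(val, bool) or not isinstance(val, int):
            problems.append(f"{key} must be an <integer>, got {type(val).__name__}")
        elif val not in (0, 1):
            problems.append(f"{key} must be 0 or 1, got {val}")
    return problems


# Constructed bad input: a space after a comma, two guide prefixes dropped,
# and a boolean where the guide uses <integer>1</integer>.
BAD_EXAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>AppPrefixAllowList</key><string>com.microsoft., com.apple.</string>
<key>browser_sso_interaction_enabled</key><true/>
<key>disable_explicit_app_prompt</key><integer>1</integer>
</dict></plist>"""

if __name__ == "__main__":
    print("guide plist problems:", check_plist(build_plist()))
    print("bad plist problems:", check_plist(BAD_EXAMPLE))
```

Run it before uploading a customized plist: `check_plist` returns an empty list for the guide's own file and one line per problem otherwise, so a prefix typed with a stray space or a flag pasted as `<true/>` is caught on the admin's workstation rather than after the profile has been scoped to devices.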

  6. Set the Scope

Create the Policy Or Deploy via Jamf Catalog

  1. Choose a method to install the Company Portal
    • Jamf Catalog – Microsoft Company Portal
      • This always gets the latest Company Portal installer.
    • Script Policy Payload
      • Name: Company Portal
      • This always gets the latest Company Portal installer.
    • Package Policy – This will eventually fall out of date and may cause a looping effect during registration, because Company Portal updates itself once it's installed.
  2. Create a policy: Computers -> Policies -> New
    • General Payload
      • Set your preferences as needed
        1. Check “Enrollment Complete” for new deployments
        2. Check “Recurring Check-in” for deployments that DO NOT include Macs bound to AD.
          • If you’d like to implement pSSO on bound Macs, you will need to unbind them or retire them.
             

Complete extensive testing and troubleshooting before rolling out to production devices. It is the department's responsibility to understand the potential issues that may arise during deployment.
 

New Device Setup

  1. Set up the PreStage
    • General payload:
      • Check the box for “Make the MDM profile Mandatory”
      • Setup Assistant: Check the box “Automatically advance through Setup Assistant”. Uncheck this if you’d prefer to complete Setup Assistant manually.
    • Account Settings Payload: Check “Create a managed local administrator account during macOS Setup Assistant” if you want to create a local admin account.
      • The admin account needs to be created through IAM so it can register the device with Entra.
      • Set the password
      • Local Account User type: Standard Account. This will not give the user admin rights.
    • Configuration Profile Payload: select the configuration profile you created for pSSO above.
       

Login process after the configuration is set

1. Enroll the device

2. Log into the device

3. Enter the admin account used in the PreStage that is managed by IAM to manage the devices. This account needs to be created by the IAM department.

4. YOU MUST REGISTER THE DEVICE from the Company Portal prompt with the admin account created by IAM.


5. Sign in with the admin account to enroll the device


6. This prompt syncs the local account password with the Entra account.


7. After registration is complete, other users will be able to log in.

8. Select Log Out in the Apple menu

9. At the login screen, the next user must enter their full school email address and password to log in. If they enter only their NetID, they will not be able to log in.

Details

Article ID: 3018
Created
Thu 12/4/25 2:09 PM
Modified
Tue 12/16/25 1:40 PM