Microsoft Platform Single Sign On (SSO) for macOS.
  • 01 Feb 2024
  • 2 Minutes to read

Introduction

Microsoft’s Platform SSO is delivered through the Microsoft Enterprise SSO plug-in for Apple devices. Users can log in to their Macs with Identity Provider (IdP) credentials such as Microsoft Entra ID (formerly Azure AD) and are then signed in to corporate apps and websites automatically.

If you use Microsoft Entra ID and want your users to have single sign-on across all their applications, Microsoft provides this capability through the Intune Company Portal app. This document explains how to deploy it with Scalefusion.

To learn more about Platform SSO, see the Microsoft documentation:

https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin

https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune?tabs=prereq-other-mdm%2Ccreate-profile-other-mdm

Prerequisites

  1. macOS 10.15 or higher must be installed on the device.

  2. A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. This app is the Intune Company Portal app.

Steps to make this feature work with Scalefusion

  • Step 1: Install Intune Company Portal (ICP) app on the Mac device(s).

  • Step 2: Push the Custom Payload to Mac device(s).

Step 1: Install Intune Company Portal app on the Mac device(s).

  1. Download the Intune Company Portal (ICP) app PKG file from the following link: https://officecdn.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/CompanyPortal-Installer.pkg

  2. Log into your Scalefusion dashboard and navigate to the Application Management > Enterprise Store section.

  3. Click the Upload New App button, then click Upload macOS App.

  4. Click on Upload PKG file.

  5. Upload the previously downloaded ICP PKG file.

  6. Once the file is uploaded, click on Save.

  7. Publish the PKG file on the Device Profile for Mac device(s).

Step 2: Push the Custom Payload to Mac device(s).

  1. Copy the contents below and add them under Custom Settings in the Device Profile, or download the file and import it into the Device Profile.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>ExtensionData</key>
                <dict>
                    <key>useSiteAutoDiscovery</key>
                    <true/>
                </dict>
                <key>ExtensionIdentifier</key>
                <string>com.microsoft.CompanyPortalMac.ssoextension</string>
                <key>TeamIdentifier</key>
                <string>UBF8T346G9</string>
                <key>URLs</key>
                <array>
                    <string>https://login.microsoftonline.com</string>
                    <string>https://login.microsoft.com</string>
                    <string>https://sts.windows.net</string>
                    <string>https://login.partner.microsoftonline.cn</string>
                    <string>https://login.chinacloudapi.cn</string>
                    <string>https://login.microsoftonline.us</string>
                    <string>https://login-us.microsoftonline.com</string>
                </array>
                <key>Type</key>
                <string>Redirect</string>
                <key>PayloadIdentifier</key>
                <string>com.example.myessopayload</string>
                <key>PayloadType</key>
                <string>com.apple.extensiblesso</string>
                <key>PayloadUUID</key>
                <string>dbed949d-39a2-440d-a84b-e0c825cdcb2e</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadDisplayName</key>
                <string>P1Extensible SSO</string>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Extensible SSO</string>
        <key>PayloadIdentifier</key>
        <string>com.example.myprofile</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>da3bbbec-a753-4aa7-aeae-a74b7a65c0b5</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
  2. Follow our guide on how to add the Custom Payload in the Device Profile & deploy it to devices.
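Because the payload above is copied from community sources and then pasted into a dashboard, it is worth linting it before it reaches managed devices. The following script is an added example, not Scalefusion's or Microsoft's own tooling: it parses the profile with Python's standard-library plistlib and checks the values that decide which code receives the identity-provider redirect (PayloadType, ExtensionIdentifier, TeamIdentifier, Type), that every URL is a bare https origin, and that the PayloadUUIDs are well-formed and distinct. The embedded sample profile is constructed for the test and mirrors the article's profile with a shorter URL list; the tampered variant is generated from it to show what a failed check looks like.

```python
"""Pre-deployment lint for an Extensible SSO custom payload (added example)."""
import plistlib
import uuid
from urllib.parse import urlsplit

# Identifiers of the Microsoft Enterprise SSO plug-in shipped in the Intune
# Company Portal app, as they appear in the article's profile.
EXPECTED_PAYLOAD_TYPE = "com.apple.extensiblesso"
EXPECTED_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
EXPECTED_TEAM_ID = "UBF8T346G9"


def lint_sso_profile(profile_bytes: bytes) -> list[str]:
    """Return the problems found in a profile; an empty list means it passed."""
    problems: list[str] = []
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # not XML, not a plist, or truncated
        return [f"profile does not parse as a plist: {exc}"]

    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list) or not payloads:
        return problems + ["PayloadContent must be a non-empty array"]

    # The outer profile and every inner payload need their own valid UUID.
    seen: set[str] = set()
    for raw in [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]:
        try:
            canonical = str(uuid.UUID(str(raw)))
        except ValueError:
            problems.append(f"invalid PayloadUUID: {raw!r}")
            continue
        if canonical in seen:
            problems.append(f"PayloadUUID reused: {canonical}")
        seen.add(canonical)

    sso = [p for p in payloads if p.get("PayloadType") == EXPECTED_PAYLOAD_TYPE]
    if len(sso) != 1:
        return problems + [f"expected one {EXPECTED_PAYLOAD_TYPE} payload, found {len(sso)}"]
    ext = sso[0]

    # A different extension or signing team would hand the IdP redirect to
    # code that is not Microsoft's plug-in, so these must match exactly.
    for key, expected in (("ExtensionIdentifier", EXPECTED_EXTENSION_ID),
                          ("TeamIdentifier", EXPECTED_TEAM_ID),
                          ("Type", "Redirect")):
        if ext.get(key) != expected:
            problems.append(f"{key} is {ext.get(key)!r}, expected {expected!r}")

    urls = ext.get("URLs")
    if not isinstance(urls, list) or not urls:
        problems.append("URLs must be a non-empty array for a Redirect extension")
    else:
        for url in urls:
            parts = urlsplit(str(url))
            if (parts.scheme != "https" or not parts.netloc
                    or parts.path not in ("", "/") or parts.query or parts.fragment):
                problems.append(f"URL is not a bare https origin: {url!r}")
    return problems


# Constructed sample that mirrors the article's profile (shorter URL list).
GOOD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>ExtensionData</key><dict><key>useSiteAutoDiscovery</key><true/></dict>
    <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
    <key>TeamIdentifier</key><string>UBF8T346G9</string>
    <key>URLs</key><array>
      <string>https://login.microsoftonline.com</string>
      <string>https://login.microsoft.com</string>
      <string>https://sts.windows.net</string>
    </array>
    <key>Type</key><string>Redirect</string>
    <key>PayloadIdentifier</key><string>com.example.myessopayload</string>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>PayloadUUID</key><string>dbed949d-39a2-440d-a84b-e0c825cdcb2e</string>
    <key>PayloadVersion</key><integer>1</integer>
  </dict></array>
  <key>PayloadDisplayName</key><string>Extensible SSO</string>
  <key>PayloadIdentifier</key><string>com.example.myprofile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>da3bbbec-a753-4aa7-aeae-a74b7a65c0b5</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>
"""


def tampered(profile_bytes: bytes, **changes) -> bytes:
    """Return a copy of the profile with keys of the SSO payload overwritten."""
    profile = plistlib.loads(profile_bytes)
    profile["PayloadContent"][0].update(changes)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("sample profile:", lint_sso_profile(GOOD_PROFILE) or "OK")
    bad = tampered(GOOD_PROFILE, TeamIdentifier="XXXXXXXXXX",
                   URLs=["http://login.microsoftonline.com"])
    for problem in lint_sso_profile(bad):
        print("tampered profile:", problem)
```

Run it against the file you intend to upload by passing its bytes to lint_sso_profile; anything other than an empty list is a reason to stop before publishing the profile. The check treats the extension and team identifiers as fixed values rather than patterns because those two fields are what bind the redirect URLs to Microsoft's signed extension.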

Notes:

  1. The Payload and its contents are sourced from various, albeit authenticated, Apple Developer communities and forums.

  2. Please validate them on a test machine before deploying them on all your managed devices.

  3. Scalefusion has tested these Payloads; however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise from incorrect usage of these payloads.

End user experience.

  1. The Intune Company Portal app does not require active use; it merely needs to be installed on the device.

  2. The extension is bootstrapped the first time a user signs in to any supported app or website; that initial sign-in configures the extension.

  3. After that first successful sign-in, the extension automatically authenticates the user to all other supported apps and websites.

You can test single sign-on by opening Safari in private mode and browsing to https://portal.office.com. No username or password will be required.

If you encounter any difficulties or have questions, please reach out to our Support team at: support@scalefusion.com
