How to Configure Microsoft SSO for MacOS Devices in Intune


One disadvantage of MacOS devices in a Windows environment has traditionally been the lack of Single Sign-On (SSO) for MacOS. Apple doesn’t have a native enterprise identity provider platform, so there is no built-in method for linking Apple devices to Microsoft Active Directory. While this is still true, Microsoft has now released a process to use Azure AD SSO with MacOS devices enrolled in Microsoft Intune. Because it leverages Azure AD for authentication, this SSO option is limited to cloud apps that use Azure AD authentication, but hey, it’s something! Let’s take a look at how you can configure this, and what you need to do to make life a little easier for MacOS users.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Furthermore, it shall be considered as is, without any express or implied warranties, including but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment that the specific functions of the services, or their reliability or applicability, will meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table Of Contents

Prerequisites
How to Configure SSO for MacOS
Conclusion

Prerequisites

Here are the things you MUST have configured:

  • MacOS Device (primarily for testing)
  • MacOS 10.15 or newer OS
  • Company Portal for MacOS must be installed

These prerequisites are a little easier to manage than in some of the other MacOS posts, because SSO is easier to configure than other things with MacOS in Intune. The key reason Company Portal must be installed is that it provides the enterprise SSO plugin functionality for the MacOS device, so it is a hard prerequisite for SSO to work properly. I recommend checking out my post here where I explain how to package a PKG app for MacOS deployment. You can download the Company Portal PKG file here. Once you have Company Portal packaged, tested and deployed, you are ready to begin configuring SSO for MacOS devices.

How to Configure SSO for MacOS

Now we will configure the settings for Microsoft Azure AD SSO in MacOS. There is one absolutely critical thing that everyone needs to understand before we get started. In MacOS, there is no native Azure AD support in terms of processing SSO requests. So you need to install a tool that will handle these requests. That tool is Company Portal.

Microsoft has configured Company Portal to handle authentication requests for the purpose of SSO. So, as I mentioned above, you have to have Company Portal installed for this to work. When you are enrolling a new MacBook or Mac for the first time, it is worth letting it sync and download its apps before expecting SSO to work. I repeat this because I want to set the correct expectations.

Steps to Configure the Policy

  1. Sign in to Microsoft Endpoint Manager. Choose Devices –> MacOS –> Configuration Profiles to create the MacOS profile for Microsoft SSO. Click “Create Profile“, then choose “Templates” and “Device Features“.
Create a Configuration Profile for SSO
  2. Give your new policy a name that makes sense and will be easy to read from the Monitor page.
Name and Description
  3. Scroll to the bottom of the settings list and expand “Single Sign-On app extension“.
  4. For the SSO app extension type, choose “Microsoft Azure AD“.
  5. The App Bundle ID must match this string exactly: com.microsoft.CompanyPortalMac.ssoextension
Configuration Profile Settings

Advanced Configuration

  1. For the next step, we need to configure the “Additional Configuration” section. The settings I am listing are the minimum I recommend for an SSO implementation. They allow Microsoft apps and the Safari browser to use Company Portal for SSO to resources that use Microsoft authentication. This is the MINIMUM list based on what I think is most common, not an exhaustive one.
  • For more details, you can go here to see all that Microsoft has to offer in this section.
    • Enable SSO On All Managed Apps – When this flag is on (value set to 1), all MDM-managed apps not in the AppBlockList may participate in SSO.
      • Key: Enable_SSO_On_All_ManagedApps
      • Type: Integer
      • Value: 1
    • App Prefix Allow List – Bundle ID prefixes of applications allowed to participate in SSO.
      • Key: AppPrefixAllowList
      • Type: String
      • Value: com.microsoft.
    • disable_explicit_app_prompt – specify whether the SSO extension should prevent native and web applications from bypassing SSO at the protocol layer and forcing the display of a sign-in prompt to the user.
      • Key: disable_explicit_app_prompt
      • Type: Integer
      • Value: 1
    • (Optional) Allow SSO from Safari Browser – Allows the Safari browser to also perform the initial bootstrapping and obtain a shared credential. (Only configure this if it meets your needs. MS Edge for MacOS supports SSO natively with the other settings we configured.)
      • Key: browser_sso_interaction_enabled
      • Type: Integer
      • Value: 1
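Because Intune lets you type the Additional Configuration keys by hand, the two mistakes I see most are a mistyped key and a value entered with Type set to String when the extension expects an Integer. The following script is an example I have added to this post (it is not Microsoft's or Intune's code): it parses an exported macOS configuration profile in Apple's Extensible SSO payload format (PayloadType com.apple.extensiblesso, ExtensionIdentifier, Type Redirect, and the ExtensionData dictionary that carries the keys above) and reports anything that does not match the settings in this section. The embedded profile is a constructed sample, deliberately carrying disable_explicit_app_prompt as a string so the type check has something to catch; the Team ID and login URL in it are taken from Microsoft's published SSO extension documentation and are not validated by the check.

```python
"""Check an exported macOS Extensible SSO profile (.mobileconfig) against the
Intune settings recommended in this post. Example code added to the article;
the profile below is a constructed sample, not an export from a real tenant."""
import plistlib

# Constructed sample .mobileconfig. Intune's "Microsoft Azure AD" extension type
# renders as Type=Redirect with the Company Portal extension identifier.
# disable_explicit_app_prompt is intentionally a <string> to show the type bug.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.sso.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>example.sso.payload</string>
      <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
      <key>TeamIdentifier</key><string>UBF8T346G9</string>
      <key>Type</key><string>Redirect</string>
      <key>URLs</key><array><string>https://login.microsoftonline.com</string></array>
      <key>ExtensionData</key>
      <dict>
        <key>Enable_SSO_On_All_ManagedApps</key><integer>1</integer>
        <key>AppPrefixAllowList</key><string>com.microsoft.</string>
        <key>disable_explicit_app_prompt</key><string>1</string>
        <key>browser_sso_interaction_enabled</key><integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""
# Same profile with the Integer type corrected, as Intune should have produced it.
GOOD_PROFILE = SAMPLE_PROFILE.replace(b"<string>1</string>", b"<integer>1</integer>")

EXPECTED_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"
# (key, expected Python type after plist parsing, expected value or None for "any")
REQUIRED_SETTINGS = [
    ("Enable_SSO_On_All_ManagedApps", int, 1),
    ("AppPrefixAllowList", str, None),
    ("disable_explicit_app_prompt", int, 1),
]
OPTIONAL_SETTINGS = [("browser_sso_interaction_enabled", int, 1)]


def _check_setting(data, key, typ, value, required):
    """Return one finding string for this key, or None if it is acceptable."""
    if key not in data:
        return f"{key} is missing" if required else None
    actual = data[key]
    # bool is a subclass of int in Python; a <true/> plist value is not an Integer.
    if not isinstance(actual, typ) or isinstance(actual, bool):
        return f"{key} has type {type(actual).__name__}, expected {typ.__name__} (set Type correctly in Intune)"
    if value is not None and actual != value:
        return f"{key} is {actual!r}, expected {value!r}"
    return None


def check_sso_profile(raw):
    """Parse a .mobileconfig and return a list of findings; empty means it matches."""
    profile = plistlib.loads(raw)
    payload = next((p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.extensiblesso"), None)
    if payload is None:
        return ["no com.apple.extensiblesso payload found"]
    findings = []
    if payload.get("ExtensionIdentifier") != EXPECTED_EXTENSION:
        findings.append(f"ExtensionIdentifier must be {EXPECTED_EXTENSION}")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for the Microsoft Azure AD extension")
    data = payload.get("ExtensionData", {})
    for key, typ, value in REQUIRED_SETTINGS:
        finding = _check_setting(data, key, typ, value, required=True)
        if finding:
            findings.append(finding)
    for key, typ, value in OPTIONAL_SETTINGS:
        finding = _check_setting(data, key, typ, value, required=False)
        if finding:
            findings.append(finding)
    # AppPrefixAllowList is a comma-separated string; the Microsoft prefix must be present.
    prefixes = [p.strip() for p in str(data.get("AppPrefixAllowList", "")).split(",") if p.strip()]
    if "com.microsoft." not in prefixes:
        findings.append("AppPrefixAllowList does not include com.microsoft.")
    return findings


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PROFILE), ("corrected", GOOD_PROFILE)):
        print(name, check_sso_profile(blob) or "OK")
```

To use it against a real profile, export the installed profile from a test Mac (or download the profile you created) and pass its bytes to check_sso_profile; a non-empty list tells you which key to revisit in the Additional Configuration table before you assign the profile to a wider group.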

Deploy the Configuration Profile

  1. Save this configuration by clicking Next. From here, choose the groups you want to apply this to, and hit Next. Review the settings, and hit Create to finish the configuration profile.
Assign a Group for Deployment

That’s all there is to it. Now, when you enroll a new Mac, or apply this to existing machines, they will be able to leverage Microsoft SSO on a MacOS device. If it isn’t working, double check that Company Portal is installed and that the user is signed in to it. Typically, the user will only need to sign into Company Portal once, but it is something to check on an existing machine.

Conclusion

Now you know how to configure Microsoft SSO for MacOS devices. This can greatly improve the experience for your MacOS users. Greater reliance on the cloud has helped bridge the gap between Windows and MacOS users, and this should continue as time goes on. This is another great step in that direction. Your MacOS users will certainly appreciate it!

You also aren’t limited to Microsoft applications for this. Any application that uses the Microsoft MSAL authentication library can leverage this tool for SSO. So if you have SSO working for Windows users, chances are you can get it to work for MacOS users as well. Check out the various settings at this link to see what else you can get configured. Just be sure to send it to a test group before deploying to any production environment.

Hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
