macOS devices are registered in Azure AD. The end user is logged on with a local account. You can leverage JAMF Connect to log in using an AAD account, but without this kind of third-party tool, a local session is the way.
Even though the user affinity is established during device enrollment, the end user still uses a local session in the end. Every app or configuration targeted at the user is applied, of course, but what about the end-user experience across the deployed applications?
Unless you configure this SSO policy through Intune, the end user will face an authentication screen in each app. That is what we are here for: getting rid of these screens.
In this post I leverage the Intune configuration to set up SSO.
First, deploy the company portal
Having the Company Portal installed on the device is necessary to get the SSO Plugin.
To install the Company Portal on the Mac, deploy it with Intune by downloading the .pkg file here
Use the file as it is and deploy it as a regular application.

Is the app installed? Now the end user logs into the Company Portal once and is authenticated in every supported application.
The Company Portal is necessary. Once the user is logged into this app, it provides the Microsoft Enterprise SSO plug-in for Apple devices. It is all based on the MSAL libraries to acquire a token used in all authentications.
As for the applications that don't rely on MSAL (OAuth2 or SAML apps, for example), you allow them in the configuration profile deployed with Intune (next part). Microsoft has explained how the interaction works between the client and Azure AD.
Deploy the Intune configuration profile
We're going to use Intune to configure the SSO extension. All the possibilities are listed on MS Learn here
We use one configuration profile, split into two steps. Go to Devices > macOS > Configuration Profiles > Create > Device feature

First part of the configuration profile: enable the SSO extension
On the Mac, the Company Portal SSO extension is identified by its bundle ID: com.microsoft.CompanyPortalMac.ssoextension
We're going to use it in the configuration profile:

That's it. The SSO extension is enabled when the end user signs in to the Company Portal.
Now the second part of the configuration profile
Notice that under the SSO extension section you have « Additional configuration ». This is where you configure the SSO behavior across the various applications.

Again, I'm referring to the MS article to pick my favorite configurations. Some of them are set by default, but I write them down to make it clear:
Enable SSO on all managed applications:
Key : Enable_SSO_On_All_ManagedApps
Type : Integer
Value : 1
Prevent web (and native) apps from bypassing SSO and requesting sign-in credentials from the user:
Key : disable_explicit_app_prompt
Type : Integer
Value : 1
Allow every Microsoft application to participate in the SSO process:
Key : AppPrefixAllowList
Type : String
Value : com.microsoft.
Allow applications that don't rely on MSAL to participate in SSO. These apps will open Safari to acquire the token:
Key : browser_sso_interaction_enabled
Type : Integer
Value : 1
Enable or disable MFA when the user signs in. It's up to you. Trust me, I love MFA, but you might want to improve the experience and reduce the screens:
Key : browser_sso_disable_mfa
Type : Integer
Value : 0 to disable or 1 to force
Disable SSO on specific apps:
Key : AppBlockList
Type : String
Value : com.microsoft.yourapp, com.apple.anotherapp
I get a configuration profile looking like this:

Assign the configuration profile to your devices group.
End-user experience
I'm using a 2020 MacBook Air running Ventura. It was enrolled through ADE and Apple Business Manager in a corporate way. I imported the device using the Apple Configurator application.
First, I try to open any Microsoft application (Word in my example) on my MacBook Air. It requests my credentials:
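The keys above end up in the ExtensionData dictionary of an Extensible SSO payload inside the .mobileconfig that Intune pushes to the Mac. As an added check (example code written for this post, not Intune's or Microsoft's), the Python script below builds a minimal profile carrying those keys and audits an exported profile against the values recommended above; the com.apple.extensiblesso payload structure and the Redirect type are assumed from Apple's payload schema, and the sample profile is constructed here.

```python
import plistlib

# Bundle ID of the Company Portal SSO extension, as named in the post.
SSO_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"

# ExtensionData keys and the values the post recommends. Types matter: Intune
# writes the Integer keys as ints and AppPrefixAllowList as a string.
EXPECTED = {
    "Enable_SSO_On_All_ManagedApps": 1,
    "disable_explicit_app_prompt": 1,
    "browser_sso_interaction_enabled": 1,
    "AppPrefixAllowList": "com.microsoft.",
}

def make_profile(extension_data):
    """Build a minimal .mobileconfig (XML plist bytes) carrying one Extensible SSO
    payload; the com.apple.extensiblesso keys are assumed from Apple's schema."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.extensiblesso",
            "ExtensionIdentifier": SSO_EXTENSION_ID,
            "Type": "Redirect",
            "ExtensionData": dict(extension_data),
        }],
    })

def find_sso_payload(profile_bytes):
    """Return the Company Portal SSO payload from a profile, or None if absent."""
    plist = plistlib.loads(profile_bytes)
    for payload in plist.get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.extensiblesso"
                and payload.get("ExtensionIdentifier") == SSO_EXTENSION_ID):
            return payload
    return None

def audit(profile_bytes):
    """List deviations from the post's settings; an empty list means it matches."""
    payload = find_sso_payload(profile_bytes)
    if payload is None:
        return ["no Extensible SSO payload for " + SSO_EXTENSION_ID]
    data = payload.get("ExtensionData", {})
    findings = [f"{key}: expected {want!r}, found {data.get(key)!r}"
                for key, want in EXPECTED.items() if data.get(key) != want]
    if "browser_sso_disable_mfa" in data:  # surface it so it is reviewed on purpose
        findings.append(f"browser_sso_disable_mfa={data['browser_sso_disable_mfa']}: "
                        "check this against your MFA policy")
    return findings

# Constructed sample: one recommended key weakened and the MFA key present.
SAMPLE = make_profile({**EXPECTED, "disable_explicit_app_prompt": 0,
                       "browser_sso_disable_mfa": 1})
```

On a real Mac, the bytes passed to audit() would come from a profile exported from the device rather than from make_profile().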

I close the app without entering my credentials; I want to leverage my SSO configuration.
I open my Company Portal for the first time and log in by entering my account UPN and my password. This is the first and last time the end user types their full credentials:

Done. Let's open the Word app once again and... no credentials needed!:


Let's try something different with a login to office.com:


And the Teams application? My account is recognized; I just have to click on it.


I'm authenticated across my applications thanks to my profile. Locally, here it is:


OneDrive
I noticed a different experience with the OneDrive application. I guess OneDrive might be categorized as a sensitive application regarding data and requires additional protection?
The SSO profile is working well. My UPN is already there, but I still have to enter my password to log in:


Sure, it's a local session.
However, in my opinion, the experience is fine when configuring SSO using Intune. You can go even further by leveraging additional configurations. Please let me know which ones you found useful.
Tip: to name the applications in your profile, you can get their bundle IDs using the osascript -e command:
