MacOS login window + EntraID + Shared

[Matt Strickland]

Hi all,

Easier if I ask - does any one know if Entra ID logon from the MacOS login window is possible with Intune MDM only?

The documentation implies it is but the login window is not exposed in the same way other MDM tools do it.

https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-multi-user-device

Especially the part that indicates:

macOS login screen configuration

To allow new users to log on and be created from the macOS login screen, there are two configurations that can be used:  Show Other Users Managed or  Show full name

I'm testing this and my local account on this shared device is synced so I can use my Entra ID credentials, but new users (eg students) currently cannot. I assume this is not ready to implement with Intune MDM only yet?

Matt

[Jono Hayes]

Hi Matt, 

You can use Apple PSSO with Microsoft Entra on macOS but this requires the local account to be created before PSSO is enabled. 

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/now-generally-available-platform-sso-for-macos-with-microsoft-entra-id/4437424

https://learn.microsoft.com/en-us/entra/identity/devices/macos-psso

https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos

I would wait until Microsoft Entra ID support ADE-PSSO/Simplified PSSO during setup assistant, this is in beta now/you can enable it. What this practically means, when you deploy a macOS device PSSO can set up the local account and keep the password in sync from the begging (similar end-user experience as Windows 11, Autopilot and Entra ID Joining a device). 

https://www.jamf.com/blog/macos-26-platform-sso-simplified-setup/

Also you will need to use Simplified PSSO if you want you to lab machines. 

[Matt Strickland]

Hi Jono,

Yes that's like the part still not in place "PSSO can set up the local account" - and yes I do want Simplified PSSO (which I have already created a profile for) + non user affinity.

If an option via Intune MDM without Jamf is a possible roadmap I'd be keen to try that. I don't need anything fancy, just want to move away from the reliance on AD or 3rd party tools.

Matt

[Sam McNeill]

I talked with the Apple tech team if they had any visibility on EntraID support for Simplified Sign On and they didn't, apart from saying MSFT are working on it, and that customers should get used to PSSO first (whcih works well). 

Okta support Simplified Sign On currently (not much use for schools in NZ!)

[Matt Strickland]

Thanks Sam,

Semi getting somewhere sticking with PSSO + non-affinity (forgoing CA) + first manual touch to register - now students can sign in as standard users and I can deploy updates/configuration profiles.

Only question now - has anyone deployed both PSSO and Kerberos SSO successfully?

I still have on-prem printing, but the default auth name of a user is studentschool.nz instead of stu...@school.nz (its dropping the @ for some reason) - yet I can see the login username in PSSO is correct (its the same signed in user of the device from the login screen) - the only place I see the @ dropped is the name of the home folder in /Users

Maybe a single setting I am missing - I will experiment more

Matt