Intune Platform SSO for macOS


Matt Strickland

Aug 7, 2025, 6:06:32 PM
to Techies for schools
Hi all,

Is anyone here using Platform SSO for the Macs to either use password (Entra credentials) or Secure Enclave (local unsynced password)?

I'd like to get our future Tela Macs using Platform SSO, but users are still synced from local AD, with a password policy. From what I read, that has issues with SSO password sync. But with Secure Enclave, could this mean a forgotten local password causes issues in the future / lockouts, etc.?

I currently have 10001 errors deploying the policy, but it could be because of the password policy issue, or that this is a Tela device with user affinity and the profile needs to be assigned to the user.

Matt

Matt Strickland

Aug 8, 2025, 3:36:40 AM
to Techies for schools
FYI, all going in the end - just one error in the setup of the Platform SSO configuration profile (somehow missed that the 'SSO type' should be set to redirect).

Currently testing the Secure Enclave method (preferred) for Windows Hello-like SSO; seems to work fine for everything Entra in Safari/Edge.
Teachers are deployed as a local standard user as part of the deployment profile, with a local admin (rotating password).
Post deploy, after the Company Portal script has finished, teachers are prompted for single sign-on registration.

So just an error on my part. I'll look to deploy to one device this week and see how it goes.

Matt
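The configuration slip described above (the Extensible SSO payload's SSO type left at Credential instead of Redirect) is the kind of thing that is easy to catch before pushing a profile. The following is an added example, not code from this thread or from Microsoft/Apple: a small Python check that parses an exported Platform SSO configuration profile payload and flags the settings discussed in the thread. The embedded plist is constructed for illustration; the payload keys (`Type`, `URLs`, `PlatformSSO`, `AuthenticationMethod`, `UseSharedDeviceKeys`) follow Apple's documented Extensible SSO payload, and the extension identifier and team identifier are the values commonly cited for the Company Portal SSO extension, which you should confirm against current vendor documentation before relying on them.

```python
import plistlib

# Constructed sample of an Extensible SSO / Platform SSO payload, as it would
# appear inside an exported .mobileconfig. It deliberately reproduces the
# thread's mistake: Type is "Credential" instead of "Redirect".
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
  <key>TeamIdentifier</key><string>UBF8T346G9</string>
  <key>Type</key><string>Credential</string>
  <key>URLs</key>
  <array>
    <string>https://login.microsoftonline.com</string>
    <string>https://login.microsoft.com</string>
    <string>https://sts.windows.net</string>
  </array>
  <key>PlatformSSO</key>
  <dict>
    <key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
    <key>UseSharedDeviceKeys</key><true/>
  </dict>
</dict>
</plist>
"""

# Authentication methods Apple defines for the PlatformSSO dictionary.
VALID_AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}


def check_platform_sso_payload(payload_bytes: bytes) -> list:
    """Return a list of human-readable findings; an empty list means the
    payload has the shape Platform SSO needs."""
    p = plistlib.loads(payload_bytes)
    findings = []

    if p.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("PayloadType is not com.apple.extensiblesso")

    # Platform SSO requires the redirect extension type; a credential-type
    # payload will not register the device with the IdP.
    if p.get("Type") != "Redirect":
        findings.append(f"Type must be 'Redirect' for Platform SSO (found {p.get('Type')!r})")

    for key in ("ExtensionIdentifier", "TeamIdentifier"):
        if not p.get(key):
            findings.append(f"{key} is missing")

    # The extension only handles challenges for the listed IdP URLs, and
    # they must be HTTPS origins.
    urls = p.get("URLs") or []
    if not urls:
        findings.append("URLs list is empty")
    for url in urls:
        if not url.startswith("https://"):
            findings.append(f"non-HTTPS IdP URL: {url}")

    psso = p.get("PlatformSSO")
    if not isinstance(psso, dict):
        findings.append("PlatformSSO dictionary is missing")
    else:
        method = psso.get("AuthenticationMethod")
        if method not in VALID_AUTH_METHODS:
            findings.append(f"unknown AuthenticationMethod {method!r}")
    return findings


def fix_sso_type(payload_bytes: bytes) -> bytes:
    """Return a copy of the payload with Type corrected to 'Redirect'."""
    p = plistlib.loads(payload_bytes)
    p["Type"] = "Redirect"
    return plistlib.dumps(p)


if __name__ == "__main__":
    for finding in check_platform_sso_payload(SAMPLE_PAYLOAD):
        print("finding:", finding)
    print("after fix:", check_platform_sso_payload(fix_sso_type(SAMPLE_PAYLOAD)))
```

Run it against a payload exported from the MDM (or, on an enrolled Mac, the profile as installed) before assigning the profile; the single finding on the constructed sample is the Type mismatch, and the corrected copy passes clean.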

Sam McNeill

Aug 10, 2025, 11:22:34 PM
to Techies for schools
Hi Matt,

I had meant to reply to this but it got overlooked ... Yes, I've had PSSO + Intune + Entra working with Secure Enclave.

I also integrated Passkeys into it for a passwordless experience and it worked pretty well.

It's great to see Apple doing more work with PSSO and various IdPs integrating into it as well.

Matt Strickland

Aug 11, 2025, 4:45:26 AM
to Techies for schools
Thanks Sam,

I have PSSO, Intune/Entra with Secure Enclave and passkeys working.

This was deployed with user affinity, so with all of the above I was unable to log in as a different Entra user. Just the Apple spinning wheel.
It's not a big deal; I can manually create another standard local account and then register that account. Since it's a single-user device, I've got some time to see if PSSO is somehow breaking it (I doubt it, it being a post/user policy), or, as I've read, if the first-logon standard user has MFA, which they always will (a teacher)...

At least all the Company Portal scripts and apps work. I'm still a little hesitant about the transfer from an old Mac to a new one with this enrolment. Our OneDrives have been a mess in the past (esp. when we changed school/tenant name, that really messed up sync!)

I just hope it's less work, and less reliance on local AD (I still use NoMAD on our old Macs for Kerberos tickets), so I'm happy to see the integration here. Next is to test without user affinity for a lab setup. Pretty sure this will have some issues.

Matt