Skip to main content
Platform SSO is available for Mac computers

What is Platform SSO?

Platform SSO is a capability that allows users to sign in to their Mac devices using a hardware-bound key, smart card, or their IdP password. This feature enhances the Microsoft Enterprise SSO plug-in for Apple devices, providing single sign-on for Microsoft Entra ID accounts on macOS 14 and later.
Platform SSO with Microsoft Entra ID is currently in Preview. For more information, see Microsoft’s macOS Platform Single Sign-on overview.

Add and Configure the Company Portal Auto App

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Assign to Blueprints

Assign to your desired Blueprints.
2

Set Installation Method

Set your Installation Method to Continuously Enforce.
3

Specify Version Enforcement

Specify your Version Enforcement settings.
4

Save Library Item

Save your Library Item.

Add and Configure a Login Window Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Name the Library Item

Give your Login Window Library Item a Name.
2

Assign to Blueprints

Assign to your desired Blueprints.
3

Configure User Visibility

Under User Visibility, set the radio button for Display username and password fields.
4

Save Library Item

Save your Library Item.

Add and Configure a Single Sign-on Extension Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Name the Library Item

Give the new Library Item a Name.
2

Select platform

Select Mac as the Install on platform.
3

Assign to Blueprints

Assign to your desired Blueprints.
4
5

Select Extension type

Under Extension type, select Redirect.
6

Configure Extension identifier

For the Extension identifier, enter com.microsoft.CompanyPortalMac.ssoextension
7

Set Team identifier

Paste UBF8T346G9 into the Team identifier text box.
8

Configure URLs

Paste the following URLs into the URLs fields.
9

Add sovereign cloud URLs (optional)

Optionally, if using sovereign cloud domains, you will need to include additional URLs.
10
11

Enable Platform SSO

Toggle the switch for Platform SSO.
12

Select Authentication Method

Select your Authentication Method. For information on which method to use for your organization, refer to Microsoft’s support article.
13

Enable optional settings (macOS 15+)

Enable additional optional settings for macOS 15 and later as needed.
14

Set Existing Users permissions

Set default permissions for Existing Users.
15

Set New Users permissions

Set default permissions for New Users.
16

Enable Shared Device Keys

Check the box for Shared Device Keys.
17

Enable authorization with identity provider

Enable Allow authorization (with identity provider account). This will allow users to interact with system authorization prompts using their Microsoft Entra ID credentials.
18

Enable automatic local account creation (optional)

If you want to automatically create local accounts for users, enable Allow creation of new users at login.To create a local account, the device must be connected to the internet at the login screen with FileVault unlocked, and Iru must have a valid Bootstrap token for that device.
19
20

Enable device attestation (optional)

If checked, the device UDID and serial number will be included in Platform SSO attestations. Available in macOS 15.4 and later.
21

Enter Account display name

Enter an Account display name.
22

Set Require full login timeout

Specify the number of seconds after which to Require full login.
23

Configure Token mapping

In the Token mapping fields, enter preferred_username for the AccountName, and name for the FullName.
24
25

Configure Groups (optional)

If desired, configure Admin Groups, Additional Groups, and User Groups.
26
Microsoft currently only supports using static Standard and Admin values for new and existing users.
27
  • Admin groups are groups from Microsoft Entra ID that should have administrator access on the device. These groups are used to grant elevated permissions to specific users
  • Additional groups are custom groups you’d like to create in the device’s local directory. These groups can be used to organize users and apply specific settings or permissions
  • User groups are particularly useful, allowing you to map specific macOS system rights to custom groups created in the local directory. For example, you can use user groups to grant ‘sudo’ access or manage printer permissions
    • 28

    Save Library Item

    Save your configuration