Platform SSO is available for Mac computers

What is Platform SSO?

Platform SSO is a capability that allows users to sign in to their Mac devices using a hardware-bound key, smart card, or their IdP password. This feature enhances the Microsoft Enterprise SSO plug-in for Apple devices, providing single sign-on for Microsoft Entra ID accounts on macOS.

Add and Configure the Company Portal Auto App

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

1. Assign to Blueprints

Assign to your desired Blueprints.

2. Set Installation Method

Set your Installation Method to Continuously Enforce.

3. Specify Version Enforcement

Specify your Version Enforcement settings.

4. Save the Library Item

Click the Save button.

Add and Configure a Login Window Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

1. Name the Library Item

Enter a Name for your Login Window Library Item.

2. Assign to Blueprints

Assign to your desired Blueprints.

3. Configure User Visibility

Under User Visibility, select Display username and password fields.

4. Save the Library Item

Click the Save button.

Add and Configure a Single Sign-on Extension Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

1. Name the Library Item

Enter a Name for the new Library Item.

2. Select Platform

Select Mac as the Install on platform.

3. Assign to Blueprints

Assign to your desired Blueprints.

[Image: Platform SSO with Microsoft Entra ID Library Item configuration interface]

4. Select Extension Type

Under Extension type, select Redirect.

5. Configure Extension Identifier

For Extension identifier, enter the following:
com.microsoft.CompanyPortalMac.ssoextension

6. Set Team Identifier

Enter the following in Team identifier:
UBF8T346G9

7. Configure URLs

Paste the following URLs into the URLs fields.
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net

[Image: Single Sign-on Extension Library Item extension details showing Extension type, Extension identifier, Team identifier, and URLs]
8. Add sovereign cloud URLs (optional)

If you use sovereign cloud domains, include the following additional URLs.
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.us
https://login-us.microsoftonline.com

[Image: Single Sign-on Extension Library Item showing optional sovereign cloud URL fields]

9. Enable Platform SSO

Toggle the switch for Platform SSO.

10. Select Authentication Method

Select your Authentication Method. For information on which method to use for your organization, refer to Microsoft’s support article.

11. Enter Registration token (optional)

Optionally, enter your Registration token when your identity provider requires one. The Mac uses this value for Platform SSO registration with your identity provider, including silent registration when your identity provider and SSO extension support it.

[Image: Platform SSO authentication method and Registration token fields in the Single Sign-on Extension Library Item]

12. Enable optional settings (macOS 15+)

Enable additional optional settings for macOS 15 and later as needed.

[Image: Platform SSO optional settings for macOS 15 and later]

13. Set Existing Users permissions

Set default permissions for Existing Users.

14. Set New Users permissions

Set default permissions for New Users.

[Image: Platform SSO Existing Users and New Users permission settings]
15. Enable Shared Device Keys

Select the checkbox for Shared Device Keys.

16. Enable authorization with identity provider

Enable Allow authorization (with identity provider account). This will allow users to interact with system authorization prompts using their Microsoft Entra ID credentials.

17. Enable automatic local account creation (optional)

If you want to automatically create local accounts for users, enable Allow creation of new users at login. To create a local account, the device must be connected to the internet at the login screen with FileVault unlocked, and Iru must have a valid Bootstrap token for that device.

[Image: Platform SSO Shared Device Keys, Allow authorization, and Allow creation of new users at login]

18. Enable device attestation (optional)

If checked, the device UDID and serial number will be included in Platform SSO attestations. Available in macOS 15.4 and later.

19. Enter Account display name

Enter an Account display name.

20. Set Require Full Login Timeout

Specify the number of seconds after which to Require full login.

21. Configure Token Mapping

In Token mapping, enter the following for AccountName:
preferred_username
Enter the following for FullName:
name

[Image: Platform SSO Account display name, Require full login, and Token mapping fields]

22. Configure Groups (optional)

If desired, configure Admin Groups, Additional Groups, and User Groups.
Microsoft currently only supports using static Standard and Admin values for new and existing users.
  • Admin groups are groups from Microsoft Entra ID that should have administrator access on the device. These groups are used to grant elevated permissions to specific users.
  • Additional groups are custom groups you’d like to create in the device’s local directory. These groups can be used to organize users and apply specific settings or permissions.
  • User groups are particularly useful, allowing you to map specific macOS system rights to custom groups created in the local directory. For example, you can use user groups to grant ‘sudo’ access or manage printer permissions.

23. Save the Library Item

Click the Save button.
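As an added example (not Iru’s or Microsoft’s code), the following Python script builds the com.apple.extensiblesso payload that steps 4 through 22 describe and audits an exported payload against those values, so you can confirm that what reached a Mac still pins the Company Portal extension, Microsoft’s team identifier and the HTTPS IdP URLs from this guide. The key names (ExtensionIdentifier, TeamIdentifier, Type, URLs, PlatformSSO and its sub-keys such as AuthenticationMethod, TokenToUserMapping and UserAuthorizationMode) are Apple’s Extensible SSO payload keys as the author understands them and should be checked against Apple’s profile reference; the AccountDisplayName value, the LoginFrequency default and the drifted sample payload are constructed for illustration.

```python
"""Build and audit a Platform SSO (com.apple.extensiblesso) payload for the
Microsoft Enterprise SSO plug-in using the values in this guide.

Added example, not Iru's or Microsoft's code. Key names follow Apple's
Extensible SSO payload as the author understands them (assumption: verify
against Apple's profile reference).
"""
import plistlib

# Values taken from the guide (steps 5 through 8).
EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]
SOVEREIGN_URLS = [
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
# Apple's values for PlatformSSO.AuthenticationMethod: hardware-bound key,
# smart card, or IdP password (step 10).
AUTH_METHODS = {"UserSecureEnclaveKey", "SmartCard", "Password"}
# Step 22: Microsoft supports only the static Standard/Admin modes today.
STATIC_MODES = {"Standard", "Admin"}


def build_payload(auth_method="UserSecureEnclaveKey", sovereign=False,
                  login_frequency=64800, registration_token=None):
    """Return the payload dictionary the guide's steps produce."""
    if auth_method not in AUTH_METHODS:
        raise ValueError(f"unsupported AuthenticationMethod: {auth_method}")
    platform_sso = {
        "AuthenticationMethod": auth_method,
        "UseSharedDeviceKeys": True,                  # step 15
        "EnableAuthorization": True,                  # step 16
        "EnableCreateUserAtLogin": True,              # step 17
        "AccountDisplayName": "Microsoft Entra ID",   # step 19, constructed
        "LoginFrequency": login_frequency,            # step 20, seconds (assumed default)
        "TokenToUserMapping": {                       # step 21
            "AccountName": "preferred_username",
            "FullName": "name",
        },
        "NewUserAuthorizationMode": "Standard",       # steps 13/14
        "UserAuthorizationMode": "Standard",
    }
    if registration_token:                            # step 11
        platform_sso["RegistrationToken"] = registration_token
    return {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": EXTENSION_ID,
        "TeamIdentifier": TEAM_ID,
        "Type": "Redirect",                           # step 4
        "URLs": REQUIRED_URLS + (SOVEREIGN_URLS if sovereign else []),
        "PlatformSSO": platform_sso,                  # step 9
    }


def to_plist(payload):
    """Serialize the payload as XML plist bytes."""
    return plistlib.dumps(payload)


def audit_payload(payload):
    """Compare a payload (dict or plist bytes) to the guide; return findings.

    An empty list means the payload matches. The extension and team
    identifiers pin which signed extension handles the IdP URLs, and a
    non-HTTPS or unexpected URL would send sign-in traffic somewhere this
    guide does not intend, so those checks come first.
    """
    p = plistlib.loads(payload) if isinstance(payload, (bytes, bytearray)) else payload
    findings = []
    if p.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("PayloadType is not com.apple.extensiblesso")
    if p.get("Type") != "Redirect":
        findings.append(f"Type should be Redirect, got {p.get('Type')!r}")
    if p.get("ExtensionIdentifier") != EXTENSION_ID:
        findings.append("ExtensionIdentifier does not match Company Portal")
    if p.get("TeamIdentifier") != TEAM_ID:
        findings.append("TeamIdentifier does not match Microsoft's team ID")
    urls = p.get("URLs", [])
    for u in REQUIRED_URLS:
        if u not in urls:
            findings.append(f"missing required URL {u}")
    for u in urls:
        if not u.startswith("https://"):
            findings.append(f"non-HTTPS URL {u}")
        elif u not in REQUIRED_URLS and u not in SOVEREIGN_URLS:
            findings.append(f"unexpected URL {u}")
    sso = p.get("PlatformSSO")
    if not isinstance(sso, dict):
        findings.append("PlatformSSO dictionary missing (Platform SSO not enabled)")
        return findings
    if sso.get("AuthenticationMethod") not in AUTH_METHODS:
        findings.append("AuthenticationMethod is missing or unknown")
    mapping = sso.get("TokenToUserMapping", {})
    if mapping.get("AccountName") != "preferred_username" or mapping.get("FullName") != "name":
        findings.append("TokenToUserMapping differs from preferred_username/name")
    for key in ("NewUserAuthorizationMode", "UserAuthorizationMode"):
        if sso.get(key) not in STATIC_MODES:
            findings.append(f"{key} is not a static Standard/Admin value")
    return findings


if __name__ == "__main__":
    blob = to_plist(build_payload(sovereign=True))
    print(blob.decode())
    print("findings:", audit_payload(blob))
```

Run it with no arguments to print the plist the guide’s settings correspond to; to audit a deployed configuration, pass audit_payload the payload dictionary or plist bytes you export from the MDM or the device, and treat any finding about TeamIdentifier, ExtensionIdentifier or the URL list as a change that needs explaining before users sign in through it.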

Enable Registration During Setup Assistant (macOS 26 and later)

Starting in macOS 26, Platform SSO can run during Setup Assistant so the Mac can register with your identity provider earlier in the enrollment flow. This section lets you configure registration during setup, first-user creation, profile picture sync behavior, and Authenticated Guest Mode for shared-device workflows.

When you deploy Platform SSO with Automated Device Enrollment, do not set Primary account type to Skip primary account creation in the Mac section of your Automated Device Enrollment Library Item. Setup Assistant is where the user sets the local account password. If you skip primary account creation, that step does not run, the password is never set, and enrollment can stall. Mac computers with Apple silicon and some other models store account credentials in the Secure Enclave; see Apple’s documentation for which devices include a Secure Enclave. Skipping primary account creation is for Passport workflows, not Platform SSO. See Primary account creation if you use Passport instead.

1. Open the existing Library Item

In the Library, open the existing Single Sign-on Extension Library Item you created earlier, click Edit, then go to the Mac (macOS 26 and later) section.

2. Set Enable registration during Setup Assistant

Select Yes for Enable registration during Setup Assistant so Platform SSO registration runs while Setup Assistant is still in progress.

3. Set Create first user during Setup Assistant

For Create first user during Setup Assistant, select Yes when the Mac should create its first local account during Setup Assistant using Platform SSO. If your organization provisions the first account differently, adjust this setting to match that workflow.

4. Set Synchronize profile picture

Configure Synchronize profile picture based on whether the Mac should request the user’s login profile picture from the SSO extension during this setup flow.

5. Set Enable Authenticated Guest Mode

Configure Enable Authenticated Guest Mode when you deploy shared Mac computers where users sign in temporarily with IdP credentials and want Authenticated Guest Mode behavior. For standard single-user Mac computers, leave this behavior off.

6. Set New user authentication methods

Under New user authentication methods, select the authentication methods available for newly created accounts.

7. Save the Library Item

Click the Save button.

8. Install Platform SSO Library Items during Automated Device Enrollment

In your Automated Device Enrollment Library Item, turn on Install Library Items during Setup Assistant for Mac. Add the Company Portal Auto App, Login Window, and Single Sign-on Extension Library Items you configured in this guide so they install during enrollment setup. See Install Library Items during Setup Assistant for the full details.

[Image: Automated Device Enrollment Mac section with Library Items selected for Install Library Items during Setup Assistant]