Skip to main content
Iru Access installs a macOS single sign-on (SSO) extension - a Redirect-type Extensible SSO extension - that intercepts sign-ins to your Iru domains so people sign in seamlessly with their device-bound credential. For it to work, macOS must have approved the associated domains for the extension, which your MDM normally pushes as part of the Iru Access configuration profile. If sign-ins on a Mac aren’t being intercepted by Iru Access, the checks below confirm, in order, that the extension is installed, loaded, and that its associated domains are approved. They use Apple’s own command-line tools and are safe to run on an enrolled Mac.
This page is for diagnosing an existing deployment. To set the deployment up in the first place - the configuration profile, the app, and registration - see Deploy Iru Access.
Values used below. N5M3B34269 is Iru’s Apple Team ID - the same value in your Iru Access MDM profile - so the Iru Access App ID is always N5M3B34269.com.iru.Access. yourcompany.id.iru.com stands in for your organization’s Iru sign-in domain; your real output shows your actual domains.

1. Confirm the associated domains are approved

The most common cause of a non-working SSO extension is that macOS has not approved the associated domains. List every associated-domain approval on the Mac: 
sudo swcutil show
Look for an entry with Service authsrv, the Iru Access App ID N5M3B34269.com.iru.Access, and your Iru sign-in domain - one entry per domain your connection uses: 
--------------------------------------------------------------------------------
Service:              authsrv
App ID:               N5M3B34269.com.iru.Access
Domain:               yourcompany.id.iru.com
User Approval:        unspecified
Site/Fmwk Approval:   approved
Flags:                enterpriseManaged
Last Checked:         2026-05-24 21:27:52 +0000
Next Check:           2026-05-29 20:38:54 +0000
--------------------------------------------------------------------------------
What to check:
  • Site/Fmwk Approval: approved is the line that matters - it means Apple validated the domain association for the extension. denied, or a missing entry, means the association has not been validated yet.
  • Flags: enterpriseManaged indicates the domain was pushed by your MDM, as expected for a managed deployment. If it is missing, the configuration profile with the Associated Domains payload may not have reached this Mac.
  • There should be one entry per Iru domain your connection uses (a connection may include more than one). A missing domain points to an incomplete profile.

2. Confirm the extension is installed

List the Iru Access app extensions registered with macOS: 
pluginkit -v -m
You should see the SSO extension, with a leading + meaning it is enabled: 
+    com.iru.Access.SSOExtension(1.0)    8ACDABA9-0000-0000-0000-4E99DCF7F39D    /Applications/Iru Access.app/Contents/PlugIns/SSOExtension.appex
What to check:
  • A leading + means the extension is registered and enabled; a leading - means it is present but disabled.
  • No line at all means the Iru Access app is not installed, or its extension has not registered yet. Confirm the app is deployed and has been launched once.

3. Confirm the system loaded the extension

Stream the system’s SSO extension manager and look for Iru Access being loaded: 
log stream --debug --predicate 'category contains "SOExtensionManager"'
A healthy system logs the Iru extension as loaded (output similar to): 
AppSSOAgent: (AppSSO) [SOExtensionManager] loadedExtensionWithBundleIdentifer:
  com.iru.Access.SSOExtension => <SOExtension bundleID=com.iru.Access.SSOExtension,
  path=/Applications/Iru Access.app/Contents/PlugIns/SSOExtension.appex>
Any other single sign-on extensions installed on the Mac appear in the same list; the one that matters here is com.iru.Access.SSOExtension.

4. Watch approvals and sign-in activity live

Two live streams help when an approval is slow to land, or when a sign-in is not being intercepted. Associated-domain checks - watch macOS schedule and record domain approvals: 
sudo swcutil watch --verbose
The SSO agent - watch the process that runs the extension during sign-in: 
sudo log stream --debug --process AppSSOAgent
When the associated domains are not yet approved, the agent logs messages like these, which point straight at the cause: 
com.iru.Access.SSOExtension hasAssociatedDomainsApproved = 0

Associated domain: validation failed for the SSO extension
com.iru.Access.SSOExtension because it has no approved associated domains; it will
be checked again when the extension is next used.
hasAssociatedDomainsApproved = 0 means the domains are not approved yet. Once approval lands, these errors stop and sign-ins to your Iru domains are intercepted by Iru Access.

Common causes and fixes

SymptomLikely causeFix
No authsrv entry in swcutil showThe Associated Domains payload did not reach the MacRe-deploy the Iru Access configuration profile from your MDM and confirm it is scoped to the device.
Entry present but Site/Fmwk Approval is not approvedmacOS has not validated the domain association, or the domain is wrongConfirm the domain matches your Iru domain exactly, ensure the Mac can reach it over the network, then trigger a sign-in and re-check.
Flags missing enterpriseManagedThe domains were not pushed by MDMUse the MDM-delivered profile (managed deployment) rather than a hand-built one.
hasAssociatedDomainsApproved = 0 in AppSSOAgentDomains not approvedResolve the associated-domain approval above. macOS re-checks periodically and when the extension is next used.
Extension missing from pluginkit -v -mIru Access not installed, or never launchedDeploy the app and launch it once so the extension registers.
After fixing a profile, approvals do not always refresh instantly. Trigger a sign-in to one of your Iru domains to prompt macOS to re-check, then re-run sudo swcutil show.

Where to go next

Deploy Iru Access

Set up the configuration profile, the app, and registration.

MDM connections

The connection that pushes the profile and makes a device count as managed.

Device trust

Require managed, healthy devices as a condition of access.

Authenticators

How Iru Access fits alongside passkeys as an authenticator.