Device Compliance and Platform Single Sign-On with Microsoft and Jamf
Changes are coming to Microsoft Device Compliance. Learn more in this JNUC presentation.
Establishing identity has been important for humans for millennia. In our modern world, our online credentials help us establish our identities when accessing resources. Moving away from passwords and separating user identity from device identity — but requiring both — is fundamental for modern authentication. This helps organizations move toward a zero-trust environment that has passwordless logins and continuous compliance monitoring. In this JNUC session, Victor Vargas, Microsoft, and Ben Whitis, Jamf, show us the future of macOS device compliance with Jamf Pro and Microsoft Entra ID.
A new era for macOS device compliance with Jamf Pro and Microsoft Entra ID
At JNUC 2025, experts from Jamf and Microsoft detailed the evolution of macOS device compliance, focusing on a more secure, passwordless future. This shift centers on the integration between Jamf Pro and Microsoft Entra ID, which now leverages Apple's Secure Enclave for new device registrations via Platform Single Sign-On (PSSO). This partnership strengthens hardware-backed device identity, making Conditional Access more resilient to phishing and simplifying the user experience by providing a true single sign-on for the Microsoft 365 ecosystem on Mac.
- Hardware-backed device identity: New macOS registrations must use the Secure Enclave to store a cryptographic key, creating a phishing-resistant device identity for Conditional Access policies.
- True single sign-on: PSSO links the macOS login with a user's Microsoft Entra ID, eliminating password prompts for Microsoft 365 applications.
- Streamlined deployment: Administrators can enable this feature by deploying the Company Portal and a configuration profile through Jamf Pro, without needing to re-enroll existing devices.
What is changing with macOS device compliance?
For IT and Mac admins, the most significant change in the Jamf Pro and Microsoft integration is the move to hardware-backed device identity. As detailed by Victor Vargas of Microsoft, this modern approach emphasizes not just authenticating the user but also verifying the device itself. For all new Mac enrollments, this is achieved by using the Secure Enclave, a dedicated hardware security module built into Apple devices. When a Mac is registered with Microsoft Entra ID, a private key is generated and stored securely in the Secure Enclave, never leaving the device. This ensures that authentication requests for Conditional Access are coming from a trusted, registered piece of hardware, rendering stolen credentials far less useful to attackers.
This critical change only affects new device registrations. As Jamf's Ben Whitis clarified in the session, "for your existing user base...the plan is to support those through the life cycle of the device." This means administrators do not need to force their users to reregister. This new, more secure standard works with either a PSSO configuration or a Single Sign-On Extension (SSO-E), giving IT teams flexibility in their deployment strategy while still gaining the benefits of a hardware-backed device identity.
How does Platform SSO create a true single sign-on experience?
Platform SSO links the local Mac login with a user's cloud-based Microsoft Entra ID account, creating a seamless authentication flow that eliminates password fatigue and simplifies the experience admins must support. From the moment a user logs into their Mac, they gain access to the entire Microsoft 365 ecosystem — including apps like Teams, Outlook and OneDrive — without being repeatedly prompted for passwords. As shown in the session demo, the user simply logs in once, and subsequent access is handled silently in the background. This is the "passwordless experience" that modern IT environments strive for, enhancing productivity while simultaneously increasing security.
This flow is powerful because it ties the user and device identities together for every authentication request. The initial Mac login validates the user on that specific, hardware-verified device. Subsequent access requests to services use this established trust to grant access. The result is an experience that is both simple for the user and more secure for the organization. By requiring the physical device as part of the authentication process, this model effectively mitigates risks associated with the most common password-based phishing attacks, which, as Vargas noted, happen "by billions every single day."
What do I need to do to deploy this?
Admins can enable this modern authentication via Jamf Pro by:
- Deploying Company Portal via policy or Jamf App Catalog
- Configuring Platform SSO — your authentication method will vary based on your environment, though the Secure Enclave key is recommended on 1:1 machines
- Checking PSSO registration status
The entire process is Mobile Device Management (MDM) agnostic, with Jamf Pro acting as the delivery vehicle for the necessary components. This allows IT admins to leverage their existing Jamf Pro infrastructure for a critical security upgrade. The Company Portal application can be deployed using its standalone installer, which always provides the latest version, or through the Jamf App Catalog, offering better version reporting and control.
Once the Company Portal is in place, the second step is deploying the configuration profile containing the PSSO payload. This profile defines the specific settings, such as the authentication method. The Secure Enclave key method is widely recommended for most environments and is the method Microsoft's documentation advises. For organizations managing shared Mac devices, it is crucial to use shared device keys. This ensures that multiple users can sign in to the same machine and benefit from the hardware-backed identity. After these components are pushed to devices, the authentication process occurs directly between macOS and Microsoft Entra ID, simplifying enrollment and access.
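The third step, checking PSSO registration status, is the one admins most often script. The following is an added example (not code from the session, Jamf or Microsoft) of a Jamf Pro Extension Attribute that reports registration state by parsing the output of Apple's `app-sso platform -s` command. It assumes that output contains a `registrationCompleted` field (its exact formatting varies by macOS version, so the parser accepts several spellings); the sample state embedded for offline runs is constructed, not captured from a real Mac.

```shell
#!/bin/bash
# Added example: Jamf Pro Extension Attribute for Platform SSO registration state.
# Assumption: `app-sso platform -s` prints a `registrationCompleted` field; the
# parser tolerates `= true;`, `: true`, `= 1;` and similar forms.

REG_TRUE='registrationCompleted[^[:alnum:]]*(true|1|YES)([^[:alnum:]]|$)'
REG_FALSE='registrationCompleted[^[:alnum:]]*(false|0|NO)([^[:alnum:]]|$)'

# Classify one block of state text. Prints: Registered | Not registered | Unknown
psso_registration_status() {
  state="$1"
  if printf '%s\n' "$state" | grep -qiE "$REG_TRUE"; then
    echo "Registered"
  elif printf '%s\n' "$state" | grep -qiE "$REG_FALSE"; then
    echo "Not registered"
  else
    # Field absent: PSSO profile not installed, or the command is unavailable.
    echo "Unknown"
  fi
}

# Count scopes (device, user) that report a completed registration, which helps
# when troubleshooting a Mac where only one scope has finished registering.
psso_registered_scope_count() {
  printf '%s\n' "$1" | grep -ciE "$REG_TRUE" || true
}

# Constructed sample: device registration done, user registration still pending.
SAMPLE_STATE='Device Configuration:
{
    registrationCompleted = true;
}
User Configuration:
{
    registrationCompleted = false;
}'

main() {
  if command -v app-sso >/dev/null 2>&1; then
    state="$(app-sso platform -s 2>/dev/null)"   # live query on a real Mac
  else
    state="$SAMPLE_STATE"                        # offline fallback
  fi
  # Jamf Pro stores whatever sits between the <result> tags as the attribute value.
  echo "<result>$(psso_registration_status "$state") ($(psso_registered_scope_count "$state") scope(s))</result>"
}

main
```

Attach the script as an Extension Attribute with a string data type so the reported value can drive a smart group that scopes remediation to unregistered Macs.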
How can I verify compliance status with Secure Enclave?
A common concern among IT admins has been the visibility into the registration status of devices using Secure Enclave-based storage. Historically, this information was accessible via the login keychain, but with the move to Secure Enclave, direct access is no longer possible. To address this, Jamf is introducing a significant enhancement in the upcoming Jamf Pro 11.21.1 release: a new verb that will allow administrators to directly query the registration status for devices utilizing the Secure Enclave. This feature was a frequent request from the community, recognizing the need for clear visibility into a device's compliance and registration state for effective troubleshooting and auditing.
These new registration status attributes will enable administrators to immediately leverage this capability, offering a reliable way to confirm that a device has successfully registered its hardware-backed identity and that its compliance state has been accurately reported to Microsoft Entra ID. This improved visibility ensures that IT teams can confidently manage Conditional Access policies and maintain a robust security posture across their macOS fleet.
Key takeaways
- The partnership between Jamf and Microsoft delivers a more secure and streamlined approach to macOS management and Conditional Access.
- By integrating Jamf Pro with Microsoft Entra ID and leveraging Platform SSO, organizations can achieve a true passwordless, zero-trust environment.
- This evolution enhances security by tying device identity to hardware via the Secure Enclave, simplifies the user experience by eliminating repetitive logins, and provides administrators with the flexible tools needed for modern deployment and management.
- These advancements are crucial for IT and Mac admins managing Apple devices in an enterprise setting.