Unexpected behavior: Microsoft Entra ID Platform Single Sign-On and Device Compliance

Customers using the private preview of Microsoft Entra ID Platform Single Sign-On extension (PSSOe) are experiencing an issue with Device Compliance registration which causes devices to become non-compliant and marked as unmanaged. Guidance follows on how to check settings for the configuration profiles for Single Sign-On and how to remediate affected devices. Customers are advised to NOT deploy pre-release features to their general fleet.

March 25, 2024 by Sean Rabbitt

Announcement

What is Platform Single Sign-On?

Introduced in macOS 13.0 Ventura, Platform Single Sign-On extension (PSSOe) is a framework built into macOS to sync a user’s local Mac password with a cloud identity provider password. Updates to the framework were added by Apple in macOS 14.0 Sonoma to add support for logging into the Mac with a cloud identity provider password.

PSSOe requires the support of the cloud identity provider, a companion application written by the provider and a configuration profile deployed to the device via mobile device management (MDM).

PSSOe builds on the existing Single Sign-On extension (SSOe), which improves the user experience by obtaining tokens to access services on behalf of the user. The net result is that the user signs in once to a service gated by the cloud identity provider, and the companion application obtains tokens for every subsequent service without prompting for credentials. Single Sign-On becomes genuinely one-time sign-on, rather than typing the same credentials 27 times a day.

Microsoft Company Portal and PSSOe

The companion application used by Microsoft’s implementation of SSOe is the Microsoft Company Portal app. This app also handles the device registration required by Microsoft Entra Conditional Access to determine if a device is in a managed and compliant state to access additional cloud resources gated by Entra ID.

During the week of March 18, 2024, Microsoft released version v5.2401.2 of the Company Portal app. This public version appears to inadvertently include support for the undocumented private preview of PSSOe that Microsoft is offering to select customers for non-production testing.

Jamf Pro has included support for deploying the Platform Single Sign-On extension since the release of macOS Ventura in October 2022. Until now, however, enabling the option in a configuration profile did nothing, because the companion support from Microsoft was not available. Where an administrator had enabled the option inadvertently, the Company Portal update activated PSSOe: end users were prompted to sign in to Microsoft Entra to enable the feature, and the devices subsequently fell out of compliance.

When the user enters their Microsoft Entra ID password at that prompt, their local macOS password is changed to match the Entra password. Users may then be unsure which password their local account now uses.

Remediation

While this only affects customers using Device Compliance at this time, all customers are advised to check their configurations for the unsupported preview feature being enabled in their fleet unexpectedly.

Check configuration profiles in Jamf Pro

PSSOe settings are found in computer-based configuration profiles with the payload type of “Single Sign-On Extensions”.

An example configuration profile payload for Single Sign-On in Jamf Pro

In the optional settings section of the payload, administrators will find an option for Platform Single Sign-On. Verify that the option is DISABLED (not included) in the configuration.

Sample payload showing the “Use Platform SSO” option that turns Platform SSO on or off in Jamf Pro

Do not remove the SSOe payload from the devices; remove only the Platform SSO option from the payload. Removing the SSOe payload may require the user to manually re-enroll the device.

If you need to make changes to your configuration profile, when prompted for “Redistribution Options”, select the option to “Distribute to All” to update the configuration on existing devices.

Redistribution options screen in Jamf Pro with “Distribute to All” selected, which updates the profile on existing devices rather than only on newly assigned ones
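Checking the profile in the Jamf Pro console tells you what is scoped, not what each Mac actually received. The script below is an added example, not part of the original post or of Jamf's own tooling: a Jamf Pro Extension Attribute that reads the installed computer-level profiles and reports whether any Extensible SSO payload carries the Platform SSO option, so a Smart Group can collect the Macs that got it by mistake. It assumes that Apple's com.apple.extensiblesso payload stores the "Use Platform SSO" checkbox as a PlatformSSO dictionary, that Microsoft's extension identifier is com.microsoft.CompanyPortalMac.ssoextension, and that `profiles show -output stdout-xml` run as root prints the installed profiles as a plist; the sample plist inside it is constructed, not real device output.

```shell
#!/bin/bash
# Added example (not from the original post): Jamf Pro Extension Attribute that
# reports whether an installed Extensible SSO profile has Platform SSO enabled.
#
# Assumptions, not stated on the page:
#  - com.apple.extensiblesso stores the "Use Platform SSO" option as a
#    "PlatformSSO" dictionary, so its presence means the option is on;
#  - Microsoft's extension identifier is com.microsoft.CompanyPortalMac.ssoextension;
#  - `profiles show -output stdout-xml`, run as root (Jamf runs EAs as root),
#    prints the installed computer-level profiles as plist XML.

MS_SSO_EXTENSION="com.microsoft.CompanyPortalMac.ssoextension"
PROFILES_BIN="/usr/bin/profiles"

# platform_sso_state <plist-xml>: prints one of
#   Enabled   - a PlatformSSO dictionary is present (the bad state)
#   Disabled  - the Microsoft SSO payload is present without PlatformSSO
#   NoPayload - no Microsoft Extensible SSO payload installed at all
platform_sso_state() {
    plist_xml="$1"
    if printf '%s\n' "$plist_xml" | grep -qF '<key>PlatformSSO</key>'; then
        echo "Enabled"
    elif printf '%s\n' "$plist_xml" | grep -qF "<string>$MS_SSO_EXTENSION</string>"; then
        echo "Disabled"
    else
        echo "NoPayload"
    fi
}

# ea_result <state>: wrap the state in the <result> tags Jamf Pro expects.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Constructed sample (not real device output): a Microsoft SSO payload with the
# Platform SSO option turned on, in the shape `profiles show -output stdout-xml` prints.
SAMPLE_ENABLED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>_computerlevel</key><array><dict>
    <key>ProfileIdentifier</key><string>com.example.sso</string>
    <key>ProfileItems</key><array><dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadContent</key><dict>
        <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
        <key>Type</key><string>Redirect</string>
        <key>PlatformSSO</key><dict>
          <key>AuthenticationMethod</key><string>Password</string>
        </dict>
      </dict>
    </dict></array>
  </dict></array>
</dict></plist>'

# The same profile with the PlatformSSO dictionary removed: the corrected state
# the post asks administrators to redistribute.
SAMPLE_DISABLED=$(printf '%s\n' "$SAMPLE_ENABLED" | sed '/<key>PlatformSSO<\/key><dict>/,/<\/dict>/d')

main() {
    state=$(platform_sso_state "$("$PROFILES_BIN" show -output stdout-xml 2>/dev/null)")
    ea_result "$state"
}

# /usr/bin/profiles only exists on macOS; elsewhere just define the functions.
if [ -x "$PROFILES_BIN" ]; then
    main
fi
```

Paste the script as the Extension Attribute's input type, then build a Smart Group on the value `Enabled`; that group is both your blast radius and the scope for the remediation policy below.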

Update device registration state of affected devices

Create a Jamf Pro computer policy that runs a command as the logged-in user to re-register the computer. The policy can be made available to users in Self Service or run once per computer on the recurring check-in trigger. It can execute a single command from the “Files and Processes” payload and then update the device inventory.

Screen in Jamf Pro to reregister microsoft devices

The command to be executed must be entered exactly as:

Use Self Service to re-register computer with Device Compliance

It is possible, but unlikely, that the device registration state does not automatically return to compliance after the remediation policy has run and the end user has authenticated successfully. In the rare event that this happens, instruct the end user to re-run the registration policy from Jamf Self Service to completely re-register the device with Microsoft.

Warning: Platform SSO is in private preview

Platform Single Sign-On support is currently in private preview from Microsoft, and public documentation is not available at this time. Administrators who inadvertently deployed this feature in production are strongly advised to disable it until release to avoid unexpected behavior. For more details on the feature from Microsoft, see their blog post.

Using Microsoft's Platform SSO in production is strongly discouraged right now. The following is intended to help administrators understand the expected behavior today and how it will look moving forward; it is provided for testing scenarios only.

What happens when a user signs in to Microsoft Platform SSO?

  • The local macOS user account password is synced with Entra ID
  • If the machine was registered via the Jamf Pro Device Compliance or Conditional Access integration:
    • The Workplace Join key is removed from the user’s login keychain
    • The existing “Microsoft Entra registered” computer record in Entra ID is deleted
  • A new “Microsoft Entra joined” computer record is created in Entra ID
    • This new record will have a compliance status of “N/A” until compliance data is sent through the Jamf Pro integration

gatherAADInfo

JamfAAD has a recurring silent authentication, referred to as gatherAADInfo, that performs a user authentication against Entra ID to collect the user and device IDs and send them to Jamf Pro. To send compliance data against the new record, either wait for a recurring gatherAADInfo run (once every two hours unless the computer is deactivated), or call it as the logged-in user like this:

If this command is run via a policy, whether from Self Service or at recurring check-in, it needs to run as the logged-in user, as shown in the example above:

After a gatherAADInfo completes, Jamf Pro will send compliance data to the new record in Entra ID, marking it compliant/non-compliant (depending on smart group membership in Jamf Pro).
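The policy in the Remediation section and the gatherAADInfo call above are the same operation: run JamfAAD inside the logged-in user's session, then refresh inventory so Jamf Pro sends compliance data for the new record. The script below is an added example, not part of the original post or of Jamf's own tooling, showing that policy as a script with the checks a practitioner wants: refuse to run when nobody is at the console (gatherAADInfo needs the user's login keychain, and Jamf policies run as root), and log the exact command line. It assumes the JamfAAD binary lives inside Jamf.app at the path in `JAMFAAD`, that the console user can be read from the owner of /dev/console, and that `launchctl asuser <uid> sudo -u <user>` is sufficient to run the command in the user's GUI session; `jamf recon` is the standard inventory update.

```shell
#!/bin/bash
# Added example (not from the original post): Jamf Pro policy script that runs
# JamfAAD gatherAADInfo as the console user to re-register the Mac with Entra ID,
# then updates inventory so compliance data follows the new device record.
#
# Assumptions, not stated on the page:
#  - JamfAAD is the binary at JAMFAAD below;
#  - the owner of /dev/console is the GUI session user (macOS);
#  - `launchctl asuser <uid> sudo -u <user> ...` runs the command inside that
#    user's session so it can reach the login keychain.

JAMFAAD="/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD"
JAMF_BIN="/usr/local/bin/jamf"

# console_user: short name of the user who owns the GUI session.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# is_real_user <name>: reject the accounts that own /dev/console when no person
# is logged in. Running gatherAADInfo as root or loginwindow registers nothing.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# gather_aad_cmd <user> <uid>: the exact command line the policy executes,
# printed so it can be logged and reviewed before it runs.
gather_aad_cmd() {
    printf 'launchctl asuser %s sudo -u %s "%s" gatherAADInfo' "$2" "$1" "$JAMFAAD"
}

# run_gather_aad <user>: run gatherAADInfo in the user's session. Returns
# non-zero if no valid console user is present or JamfAAD exits non-zero,
# so a policy log shows the failure instead of a silent "completed".
run_gather_aad() {
    aad_user="$1"
    if ! is_real_user "$aad_user"; then
        echo "No console user logged in; nothing to register. Re-run from Self Service." >&2
        return 1
    fi
    aad_uid=$(id -u "$aad_user") || return 1
    echo "Running: $(gather_aad_cmd "$aad_user" "$aad_uid")"
    launchctl asuser "$aad_uid" sudo -u "$aad_user" "$JAMFAAD" gatherAADInfo
}

main() {
    run_gather_aad "$(console_user)" || exit 1
    # Push the fresh user/device IDs to Jamf Pro; equivalent to ticking
    # "Update inventory" on the policy's Maintenance payload.
    "$JAMF_BIN" recon
}

# JamfAAD only exists on a Jamf-managed Mac; elsewhere just define the functions.
if [ -x "$JAMFAAD" ]; then
    main
fi
```

Scope the policy to the Smart Group of affected Macs and expose it in Self Service; the check-in trigger variant is useful for fleets where users rarely open Self Service, but it will keep failing harmlessly on Macs sitting at the login window until someone signs in.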

Future updates

Because the Microsoft feature has not been fully released, there is a timing gap between when the user signs in to Microsoft’s implementation of Platform SSO and when Jamf Pro sends compliance updates for the new device record in Entra ID. Users cannot meet Device Compliance requirements during that gap, so it is important to keep it as short as possible.

Jamf Pro engineering teams are aware of the situation and will add support for Microsoft Device Compliance with Platform Single Sign-On before the feature is released to the public.

Until public release, organizations participating in the private preview of Microsoft Platform SSO with Device Compliance will need to either wait for the recurring gatherAADInfo to run, or set up a policy that runs gatherAADInfo from Self Service after signing in to Platform SSO.

As always, testing of unreleased features should only be performed on non-production test machines.
