Jamf After Dark: Platform SSO vs good old SSO we all know

Join co-hosts Kat Garbis and Sean Rabbitt to learn about Platform Single Sign-On (SSO) and Jamf Connect.

February 27, 2024 by Hannah Hamilton

In this episode, Sean Rabbitt acts as both co-host and identity expert to enlighten us about the history of Platform Single Sign-On (SSO), its benefits and how it relates to Jamf Connect. Then, Garbis and Rabbitt take a deeper dive into Jamf Connect.

Platform SSO

The history of Apple SSO

The episode begins with a brief history of SSO on Apple devices. Single Sign-On has existed on Apple devices for a while. It started when Apple released Enterprise Connect, where admins could purchase an app that granted Kerberos tickets from on-premises Active Directory instances. Next came NoMAD, an open-source tool for SSO. Then, Apple included the Kerberos SSO extension within the operating system (OS).

Eventually, Apple released Enterprise SSO, which allowed users to log in with their cloud identity providers (IdP) — it took over four years for cloud IdPs to support this feature. Platform SSO (PSSO) was announced at WWDC 2022 and has since been implemented in macOS, though it does not yet have full support from cloud IdPs.

What is Platform SSO?

Like your typical implementation of SSO, Platform SSO uses an app for authentication into your applications and uses your cloud IdP credentials. PSSO takes this one step further by syncing your cloud identity with your local Mac password; in other words, if you log into your computer, you are able to log into your other apps. The ultimate goal is to make it easier to log into anything once you log into your Mac.

Rabbitt emphasizes that this does not mean that your computer replaces passwords; rather, it essentially turns your computer into a factor of authentication (something you have). Discussing PSSO with your identity and network teams can help you decide the most secure login method for your organization’s security policies. PSSO is optional and can only be implemented via a Mobile Device Management (MDM) solution.

Where does Jamf Connect fit in?

To summarize, cloud IdPs do not currently support PSSO, though both Microsoft Entra ID and Okta have support in preview. Jamf Connect fills in this gap.

But Jamf Connect goes beyond this. It is able to create user accounts and link the local account password to a cloud IdP — something PSSO is not designed or intended to do. Since you have to have a local user account before using PSSO, there’s no zero-touch implementation using it alone.

Jamf Connect also handles password sync differently than PSSO. PSSO checks the password every four hours, upon waking from sleep and, theoretically, any time you log into a service gated by your IdP. It does not notify users when their IdP password is changed. By default, Jamf Connect checks passwords every 60 minutes and prompts the user to change their local password if it doesn’t match their network password.

Incidentally, if you are using PSSO and you change your IdP password on a different device, you will be able to log into your computer using either password — listen to the episode for more information on this quirk.

Where should we go from here?

Rabbitt encourages using regular SSO because:

  • It’s stable and currently supported
  • It makes enrolling computers into device compliance policies with Microsoft Entra ID simpler
  • You can sign into your apps with cloud IdPs
  • You can require biometrics to access certain apps

Jamf Connect works in parallel with regular SSO by:

  • Creating local Mac accounts for first-time setup
  • Notifying the user about their device setup
  • Keeping local and cloud IdP passwords in sync
  • Obtaining Kerberos tickets

Jamf Connect

In the second part of the episode, Garbis and Rabbitt explore some identity features in Jamf Connect.

Offline Multifactor Authentication

When asked what the “most underused feature” of Jamf Connect is, Rabbitt mentions Offline Multifactor Authentication (MFA). Offline MFA allows users to obtain a one-time password through an authenticator app without needing a connection to an identity provider — no internet connection required. This is currently the only way on Mac to require MFA at login, a requirement that cybersecurity insurance companies are increasingly mandating.

Zero-touch setup

In a similar vein, Garbis asks Rabbitt about the “greatest pain point” he’s seen Jamf Connect solve. He calls out zero-touch setup as one of the most popular features. Places like schools with shared labs like to use this feature to set up, reset and configure these devices without having to touch the device.

Some interesting use cases

Rabbitt mentions a couple of interesting ways he’s seen organizations use Jamf Connect, including transient user accounts on Mac minis and a company with “Fort Knox-level security” — listen to the episode to learn more!
