Modern Identity Management With Microsoft Entra ID, Platform Single Sign-On and Jamf Pro

In this JNUC session, discover what Platform Single Sign-On is, what it can do and how it can be implemented, along with your identity provider and MDM solution to create phishing-resistant credentials. Additionally, learn about some of the best practices to help get organizations on the right track to maximize security protections without compromising the user experience.

October 8 2024 by

Jesus Vigo


What is Platform Single Sign-On (SSO)?

Before diving into the explanation of Platform SSO and what it can do, Michael Epping takes a moment to go over enterprise identity options throughout the history of macOS, beginning with:

  • LDAP binding (OS X 10.5)
  • Kerberos SSO (macOS 10.15)
  • Extensible SSO (macOS 10.15)
  • Jamf Connect (Multiple macOS versions)

Announced for macOS 13.0, Platform SSO represents the latest iteration of enterprise identity options. Epping goes on to state that it is a framework designed by Apple and built into macOS that manages local account credentials through a combination of MDM and an Identity Provider (IdP) vendor plugin. It is a modern replacement for joining devices to Active Directory (AD). Additionally, it supports multiple authentication modalities, including:

  1. Password sync with Entra ID
  2. SmartCard
  3. Secure Enclave Key

Deploy with Jamf Pro

Switching gears to Sean Rabbit, this portion of the session begins with an explanation of what Platform Single Sign-On Enabled (PSSOe) is not. Specifically, Rabbit stresses that PSSOe is none of the following:

  • Passwordless authentication for FileVault or macOS
  • Multi-factor Authentication (MFA) for FileVault or macOS logins
  • Enabled via any Zero-Touch onboarding workflows

Rabbit goes on to clarify that the only passwordless authentication workflow Apple provides for macOS is the use of a smart card with PIV. This was shown in the demo Epping presented earlier in the session, which walked through the registration workflow devices must complete before they can use PSSOe.

With the expectations set, Rabbit highlights that integrating Microsoft Entra ID and Jamf offers a PSSOe solution that is simple to:

  • deploy with Jamf Pro
  • keep updated with Jamf App Catalog
  • track usage with Extension Attributes

Best practices

During the final third of the session, presenter Johan Ohlén doubles down on security by stating the first best practice: deploy Secure Enclave key. Why does Ohlén recommend this as a best practice?

Deploy Secure Enclave key

“Defenses erode over time. MFA is the bare minimum…today.”

The quote above speaks to the importance of implementing phishing-resistant credentials to keep devices, users and data safeguarded as sophisticated attacks that seek to compromise credentials and breach networks continue to grow.

Align password management for macOS

Ohlén recommends that admins treat macOS devices as they would iOS-based devices when deploying the Secure Enclave key. At a minimum, Ohlén says, “follow Apple’s minimum requirements when Apple Wallet or Passkeys are enabled.” This means enforcing a 6-digit numeric passcode. Other recommended minimum requirements are:

  • 6-8 characters
  • Numeric-only allowed
  • No expiration
  • Biometric allowed