Reduce app sign-in prompts with SSO on macOS using settings catalog in Intune

The Microsoft Enterprise SSO plug-in provides single sign-on (SSO) to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365. The plug-in is built on Apple's single sign-on app extension framework and reduces the number of authentication prompts users see on devices managed by Intune. I recently blogged about configuring the SSO plug-in for iOS devices and wanted to cover the part of the SSO configuration that reduces Microsoft Entra ID sign-in prompts on macOS, with a focus on Microsoft 365 apps deployed through Intune. My test device is already enrolled, has the Company Portal app installed, and I manually changed its ownership to Corporate.

What are the prerequisites?

- The device is managed by Intune.
- macOS 10.15 or newer.
- The Microsoft Company Portal app must be installed and configured on the device.

Intune Configuration

Three pieces of configuration are needed for this to work:

a. Extensible Single Sign-on (SSO) settings catalog

1. Open the Microsoft Intune admin center.
2. Browse to Devices -> Configuration.
3. Click Create -> New Policy.
4. Select Platform as macOS.
5. Select Profile type as Settings catalog.
6. Provide a Name and hit Next.
7. Click on Add settings.
8. Configure the following:

Team Identifier - UBF8T346G9
Extension Identifier - com.microsoft.CompanyPortalMac.ssoextension
Type - Redirect
URLs:

https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.us
https://login-us.microsoftonline.com

9. Assign to the macOS devices as normal.

b. Microsoft Office 365 settings catalog

1. Open the Microsoft Intune admin center.
2. Browse to Devices -> Configuration.
3. Click Create -> New Policy.
4. Select Platform as macOS.
5. Select Profile type as Settings catalog.
6. Provide a Name and hit Next.
7. Click on Add settings.
8. Configure the following:

Enable automatic sign-in - True
Office Activation Email Address - {{userprincipalname}}

9. Assign to the macOS devices as normal.
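To show what the two settings catalog policies in sections a and b resolve to on the device, here is an added Python example; it is not part of the original post and not Microsoft's or Intune's own code. It builds the equivalent .mobileconfig using Apple's Extensible SSO payload keys (PayloadType com.apple.extensiblesso with ExtensionIdentifier, TeamIdentifier, Type and URLs) and the two Office preference keys behind section b, and it validates the URL list before serialising, since a malformed or duplicated URL prefix silently stops the extension from being invoked. That Intune emits exactly this payload shape, and that the Office settings travel as a com.microsoft.office preference domain payload, are my assumptions; the PayloadIdentifier values are placeholders.

```python
"""Constructed example: build and sanity-check a .mobileconfig that carries the
same Extensible SSO and Office settings as the two Intune policies above."""
import plistlib
import uuid
from urllib.parse import urlsplit

# Values from the post's settings catalog configuration (section a).
TEAM_IDENTIFIER = "UBF8T346G9"
EXTENSION_IDENTIFIER = "com.microsoft.CompanyPortalMac.ssoextension"
SSO_TYPE = "Redirect"
SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
# Office value from section b; Intune expands this token per user.
OFFICE_UPN_TOKEN = "{{userprincipalname}}"


def validate_sso_urls(urls):
    """Return a list of problems with a Redirect extension's URL prefixes.

    Apple's Extensible SSO payload expects absolute http(s) prefixes without
    query or fragment, and the prefixes must be unique across all installed
    SSO payloads; a duplicate within one list is the simplest form of that
    error. Plain http is rejected here as a matter of policy: every Entra
    endpoint in the post is HTTPS, so an http prefix is a typo at best.
    """
    problems = []
    seen = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{url}: not an absolute http(s) URL")
        elif parts.scheme == "http":
            problems.append(f"{url}: plaintext http prefix, use https")
        if parts.query or parts.fragment:
            problems.append(f"{url}: query or fragment not allowed")
        key = url.rstrip("/").lower()  # scheme and host match case-insensitively
        if key in seen:
            problems.append(f"{url}: duplicate URL prefix")
        seen.add(key)
    return problems


def build_profile(team_id=TEAM_IDENTIFIER, ext_id=EXTENSION_IDENTIFIER,
                  sso_type=SSO_TYPE, urls=SSO_URLS, office_upn=OFFICE_UPN_TOKEN):
    """Assemble the profile dictionary; refuses to build one with a bad URL list."""
    problems = validate_sso_urls(urls)
    if problems:
        raise ValueError("; ".join(problems))
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.placeholder.sso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Microsoft Enterprise SSO",
        "ExtensionIdentifier": ext_id,
        "TeamIdentifier": team_id,
        "Type": sso_type,
        "URLs": list(urls),
    }
    # Assumption: Office preferences delivered as a custom-settings payload
    # whose PayloadType is the preference domain.
    office_payload = {
        "PayloadType": "com.microsoft.office",
        "PayloadIdentifier": "com.example.placeholder.office",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Microsoft Office 365 sign-in",
        "OfficeAutoSignIn": True,
        "OfficeActivationEmailAddress": office_upn,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.placeholder.m365sso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Microsoft 365 SSO (macOS)",
        "PayloadScope": "System",
        "PayloadContent": [sso_payload, office_payload],
    }


def find_sso_payload(profile, ext_id=EXTENSION_IDENTIFIER):
    """Locate the Extensible SSO payload for ext_id: the same check the
    Profiles pane in the Test results section lets you do by eye."""
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.extensiblesso"
                and payload.get("ExtensionIdentifier") == ext_id):
            return payload
    return None


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse .mobileconfig bytes (e.g. an exported profile) back into a dict."""
    return plistlib.loads(data)


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile())
    with open("m365-sso.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(find_sso_payload(from_mobileconfig(blob)))
```

Running the block writes m365-sso.mobileconfig and prints the SSO payload it found after a parse round trip. The same find_sso_payload check can be pointed at a profile exported from a test Mac to confirm that the extension identifier and URL prefixes that actually landed match what was configured in the settings catalog.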

c. Microsoft 365 Apps

There are multiple ways of installing Microsoft 365 apps on macOS devices, but the preferred way is to deploy them from the Microsoft Content Delivery Network. This is easy to set up using the built-in app type in Intune.

1. Open the Microsoft Intune admin center and select Apps > macOS > Add.
2. Under Select app type, choose Microsoft 365 Apps > macOS.
3. Adjust the Suite description details as required and click Next to continue.
4. Assign to macOS devices as normal.

Test results

Once the Microsoft 365 and Company Portal apps are detected as installed, the Intune-deployed policies, including the SSO extension, are applied. When the user signs into these supported apps, SSO is configured. To validate whether the policies have applied, head over to Settings > Privacy and Security > Profiles and verify that the com.apple.extensiblesso profile is present, as shown below.



SSO should also be configured and enabled in Company Portal once the user signs in.



When a user opens an Office application, sign-in should be automatic without any prompts.


SSO should work through the Safari browser as well. I tested portal.office.com using an InPrivate session and the authentication was seamless.


Final Thoughts..

The Microsoft Single Sign-on (SSO) extension is still in preview, and with that comes its own set of limitations. For example, SSO still doesn't support Chrome and Firefox, largely due to their lack of integration with MSAL. You do have the option to whitelist the domains entirely as a workaround, but that will not be a true SSO experience. Until next time..
