Reduce app sign-in prompts with SSO on macOS using settings catalog in Intune

 

The Microsoft Enterprise SSO plug-in provides single sign-on (SSO) to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365. This plug-in uses the Apple single sign-on app extension framework and it reduces the number of authentication prompts users get when using devices managed by Intune. I recently blogged about configuring SSO plug-in for iOS devices and wanted to cover a part of the SSO configuration for reducing Microsoft Entra ID sign-in prompts on a macOS, with a focus on Microsoft 365 apps using Intune. My test device is already enrolled, installed with Company Portal app and I manually changed its ownership to Corporate.

What are the pre-requisites?

- The device is managed by Intune.
- macOS 10.15 and newer
- The Microsoft Company Portal app must be installed and configured on the device.

Intune Configuration

There are multiple configurations needed for this to work -

a. Extensible Single Sign-on (SSO) settings catalog

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -







9. Assign to the macOS devices as normal.

b. Microsoft Office 365 settings catalog

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -

Enable automatic sign-in - True
Office Activation Email Address - {{userprincipalname}}


9. Assign to the macOS devices as normal.

c. Microsoft 365 Apps

There are multiple ways of installing Microsoft 365 apps on macOS devices, but the preferred way is to do it via Microsoft Content Delivery Network. It can be easily setup using the built-in app in Intune.

1. Open the Microsoft Intune admin center and select Apps > macOS > Add
2. Under Select App Type, choose Microsoft 365 Apps > macOS


3. Adjust the Suite description details as required and click Next to continue.


4. Assign to macOS devices as normal.

Test results

When Microsoft 365 and Company Portal apps are detected as installed, Intune deployed policies  including SSO extension, will get applied. When the user signs into theses supported apps, SSO get will get configured. To validate whether the policies have first applied or not, head over to Settings>Privacy and Security > Profiles and verify for the com.apple.extensiblesso profile as shown below.



SSO should configure and enable in Company Portal as well once the user signs-in.



When a user opens an office application, the sign-in should be automatic without any prompts.


SSO should work through Safari browser as well. I tested for portal.office.com using an Inprivate session and the authentication was seamless.


Final Thoughts..

Microsoft Single Sign-on (SSO) extension is still in preview and with that comes own set of limitations. For example, SSO still doesn't support Chrome and Firefox, but this is largely due to lack of integration of with MSAL. You do have the option to whitelist the domains entirely as a workaround, but that will not be a true SSO experience. Until next time..

References:


Comments

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users