Endpoint Services, Workspace ONE, macOS Single Sign-On (SSO) Extension Profile
Workspace ONE Unified Endpoint Management (UEM)
For University of Illinois IT Pros who use the Technology Services Endpoint Services (EPS) Workspace ONE UEM offering to support macOS.
- General Information
- How does the single sign-on extension work?
- Why should I use the single sign-on extension?
- How do I use the single sign-on extension?
- Getting Connected
- Transitioning from Apple Enterprise Connect
Apple's Kerberos single sign-on (SSO) extension for macOS allows users to seamlessly connect and authenticate to the campus Active Directory, without the need for binding to the domain. Devices must be managed with an MDM solution, such as Workspace ONE, in order to install the SSO extension configuration.
The SSO extension requires macOS 10.15 (Catalina) or higher. It replaces Apple Enterprise Connect, which is not supported beyond macOS 11 (Big Sur). You should uninstall Enterprise Connect from your Macs before leveraging the extension.
The SSO extension is essentially a Kerberos agent with a graphical interface. After the user has signed in once, the extension re-establishes its Kerberos session with Active Directory (renewing the single sign-on trust) each time the Mac connects or reconnects to a campus network, including over VPN.
A Mac using the SSO extension, whether domain-joined or not, can use the campus NetID password as its login password (keeping the machine in compliance with university security standards) and still get single sign-on, without being exposed to the locked login keychains and keychain sync problems that follow a campus password change.
Please note that SSO is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.
Also note that a password change does not update passwords saved in the login keychain: users will still need to update them in email clients, Skype for Business, MS Teams, browser settings, and so on.
The extension configuration is available to Workspace ONE-managed Macs as a profile payload. Please contact the EPS team for profile access.
After the SSO profile payload has been installed on the device, the primary user will sign in to finish the setup.
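As an added illustration of what the profile payload carries, the shell function below renders a Kerberos SSO extension profile (PayloadType com.apple.extensiblesso, extension com.apple.AppSSOKerberos.KerberosExtension). It is not the EPS-provided profile, which you still obtain from the EPS team: the realm EXAMPLE.EDU, the hosts, the com.example identifier prefix and the fixed UUIDs are placeholders.

```shell
#!/bin/sh
# Render a Kerberos SSO extension configuration profile (illustrative; not the EPS profile).
# Realm, hosts, identifier prefix and UUIDs are placeholders supplied by the caller.
set -eu

# render_sso_profile REALM "HOST ..." PROFILE_UUID PAYLOAD_UUID
#   REALM        Kerberos realm of the campus AD; Kerberos realms are upper case
#   HOST ...     space-separated hosts or domain suffixes (a leading dot covers subdomains)
#                that the extension may serve tickets to
#   *_UUID       distinct UUIDs for the profile and the payload (use uuidgen)
render_sso_profile() {
  realm=$1 hosts=$2 profile_uuid=$3 payload_uuid=$4
  # A lower-case realm silently fails to match the KDC; refuse it up front.
  case $realm in
    *[a-z]*) echo "realm must be upper case: $realm" >&2; return 1 ;;
  esac
  host_xml=""
  for h in $hosts; do
    host_xml="$host_xml        <string>$h</string>
"
  done
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Kerberos SSO Extension ($realm)</string>
  <key>PayloadIdentifier</key>
  <string>com.example.sso.kerberos</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key>
      <string>com.example.sso.kerberos.payload</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ExtensionIdentifier</key>
      <string>com.apple.AppSSOKerberos.KerberosExtension</string>
      <key>TeamIdentifier</key>
      <string>apple</string>
      <key>Type</key>
      <string>Credential</string>
      <key>Realm</key>
      <string>$realm</string>
      <key>Hosts</key>
      <array>
${host_xml}      </array>
      <key>ExtensionData</key>
      <dict>
        <key>syncLocalPassword</key>
        <true/>
        <key>allowAutomaticLogin</key>
        <true/>
        <key>isDefaultRealm</key>
        <true/>
        <key>useSiteAutoDiscovery</key>
        <true/>
        <key>pwNotificationDays</key>
        <integer>14</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Placeholder values; replace realm, hosts and UUIDs before importing into Workspace ONE.
render_sso_profile EXAMPLE.EDU "example.edu .example.edu" \
  "11111111-1111-4111-8111-111111111111" "22222222-2222-4222-8222-222222222222"
```

Redirect the output to a `.mobileconfig` file and validate it with `plutil -lint` before uploading it. `syncLocalPassword` is the setting that keeps the local login password in step with the NetID password, which is why the extension only helps with keychain problems for local (not mobile) accounts.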
For Macs already bound to AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends converting existing mobile accounts to local accounts because the extension's password syncing works only with local accounts; mobile accounts using the SSO extension will therefore still run into keychain issues after a campus password change. Apple has directed us to a third-party script that converts mobile accounts to local accounts. EPS has not tested this script extensively, so it carries a 'your mileage may vary' disclaimer; if you want to use it, test it in your own environment before applying it to production machines.
Removing AD binding is optional, and may depend on a unit's IT support mechanism.
- macOS 11 (Big Sur) is the last macOS version to support Enterprise Connect.
- Devices on macOS 10.14 and below (which do not support the SSO extension) may continue to use Enterprise Connect for the time being, as Apple has not yet announced an EOL date.
- For devices on macOS 10.15 and up, Apple recommends uninstalling Enterprise Connect first before deploying the SSO profile.
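The checks an IT Pro would run before and after the transition, as an added example that is not part of the original article: the version and account-type logic is plain shell so it can be exercised with the constructed sample records embedded below, while the macOS-only commands (sw_vers, dsconfigad, dscl, klist) run only when the script is executed on a Mac. The realm EXAMPLE.EDU, the sample records and the path /Applications/Enterprise Connect.app are assumptions.

```shell
#!/bin/sh
# Pre-flight and post-sign-in checks for moving a Mac from Enterprise Connect to the
# Kerberos SSO extension. Added example; the sample records below are constructed.
set -eu

# version_ge A B: true when macOS version A (e.g. 10.15.7) is at least B (e.g. 10.15).
# Only major.minor are compared; the patch level does not change extension support.
version_ge() {
  a=$1; b=$2
  a_major=${a%%.*}; b_major=${b%%.*}
  case $a in *.*) a_minor=${a#*.}; a_minor=${a_minor%%.*} ;; *) a_minor=0 ;; esac
  case $b in *.*) b_minor=${b#*.}; b_minor=${b_minor%%.*} ;; *) b_minor=0 ;; esac
  [ "$a_major" -gt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# The extension needs 10.15 (Catalina) or later; Enterprise Connect is unsupported past 11.
supports_sso_extension()      { version_ge "$1" 10.15; }
supports_enterprise_connect() { ! version_ge "$1" 12; }

# is_mobile_account RECORD: RECORD is the output of
#   dscl . -read /Users/<name> AuthenticationAuthority
# An AD mobile account carries a ";LocalCachedUser;" authority; a plain local account does not.
is_mobile_account() {
  printf '%s\n' "$1" | grep -qF ';LocalCachedUser;'
}

# has_tgt_for_realm REALM KLIST_OUTPUT: true when klist lists a TGT for REALM, i.e. the
# user has signed in to the extension and it has obtained Kerberos tickets.
has_tgt_for_realm() {
  printf '%s\n' "$2" | grep -qF "krbtgt/$1@$1"
}

# Constructed sample records (shapes follow dscl and klist output on macOS).
SAMPLE_MOBILE_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.ABC;LKDC:SHA1.ABC; ;LocalCachedUser;/Active Directory/AD/example.edu:jdoe:S-1-5-21-1-2-3-1001;'
SAMPLE_LOCAL_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.ABC;LKDC:SHA1.ABC;'
SAMPLE_KLIST='Credentials cache: API:1234
        Principal: jdoe@EXAMPLE.EDU

  Issued                Expires               Principal
Mar  1 09:00:00 2024  Mar  1 19:00:00 2024  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU'

# Demonstrate the pure checks on the constructed samples.
is_mobile_account "$SAMPLE_MOBILE_RECORD" && echo "sample 1: mobile account (convert to local)"
is_mobile_account "$SAMPLE_LOCAL_RECORD" || echo "sample 2: local account (password sync works)"
has_tgt_for_realm EXAMPLE.EDU "$SAMPLE_KLIST" && echo "sample klist: TGT for EXAMPLE.EDU present"

# Live checks, run only on a Mac.
if [ "$(uname)" = Darwin ]; then
  ver=$(sw_vers -productVersion)
  user=$(stat -f %Su /dev/console)   # currently logged-in console user
  realm=${SSO_REALM:-EXAMPLE.EDU}    # placeholder; export SSO_REALM with the campus realm

  supports_sso_extension "$ver" || echo "WARN: macOS $ver cannot run the SSO extension; keep Enterprise Connect"
  supports_enterprise_connect "$ver" || echo "WARN: macOS $ver no longer supports Enterprise Connect"
  [ -d "/Applications/Enterprise Connect.app" ] && echo "WARN: Enterprise Connect still installed; uninstall it before deploying the SSO profile"
  dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain' && echo "INFO: Mac is bound to AD (binding is optional with the extension)"
  rec=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null || true)
  is_mobile_account "$rec" && echo "WARN: $user is an AD mobile account; convert to a local account so password sync works"
  has_tgt_for_realm "$realm" "$(klist 2>/dev/null || true)" \
    && echo "OK: $user holds a TGT for $realm" \
    || echo "INFO: no TGT for $realm yet; have $user sign in to the extension"
fi
```

Run it as the logged-in user after the profile lands; the TGT check is the quickest confirmation that sign-in completed, and the mobile-account warning is the case where, per the note above, the extension alone will not prevent keychain problems after a password change.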