Endpoint Services, Jamf Pro, macOS Single Sign-On (SSO) Extension Profile

Using a Jamf Pro profile to enable and configure the macOS single sign-on extension.

Systems

Jamf Pro

Intended Audience

University of Illinois IT Pros leveraging Technology Services Endpoint Service Jamf Pro for macOS support

Actions

General Information

Apple's Kerberos single sign-on (SSO) extension for macOS allows users to seamlessly connect and authenticate to the campus Active Directory, without the need for binding to the domain. Devices must be managed with an MDM solution, such as Jamf Pro, in order to install the SSO extension configuration.

The SSO extension requires macOS 10.15 (Catalina) or higher.

How does the Single Sign-On extension work?

The SSO extension is essentially a Kerberos agent with a graphical interface. Once a user has signed in, the extension re-establishes the connection to Active Directory and the single sign-on trust each time the Mac (re)connects to a campus network, VPN included.

Why should I use the Single Sign-On extension?

A Mac using the SSO extension, whether domain-joined or not, uses the campus NetID password as the login password (keeping the machine in compliance with university security standards) and gains single sign-on capabilities, but is not susceptible to locked login keychains and keychain sync issues following campus password changes.

Please note that SSO is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.

Also note that users will still need to update any passwords saved in their login keychain after a password change, e.g., email clients, MS Teams, browser settings, etc.

How do I use the Single Sign-On extension?

The extension configuration is available to Jamf Pro-managed Macs as a profile payload. Please contact the EPS team for profile access.

Getting Connected

After the SSO profile payload has been installed on the device, the primary user will sign in to finish the setup.

For Macs already bound to AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends converting existing mobile accounts to local accounts, because password syncing works only with local accounts; mobile accounts using the SSO extension will therefore still encounter keychain issues following campus password changes. Apple has directed us to a third-party script that converts mobile accounts to local accounts. EPS has not tested this script extensively, so it carries a 'your mileage may vary' disclaimer; if you are interested in using it, we recommend testing in your own environment before applying it to production machines.

Removing AD binding is optional, and may depend on a unit's IT support mechanism.


Contact the EPS team



Keywords:
macos eps profile mdm Pamf Pro Jamf endpoint "Jamf Pro" techs-eps-jamf uem sso single sign sign-on extension apple 
Doc ID:
154255
Owned by:
EPS Distribution List G. in University of Illinois Technology Services
Created:
2025-08-19
Updated:
2025-08-25
Sites:
University of Illinois Technology Services