Endpoint Services, Jamf Pro, Platform Single Sign-on

Information on macOS Platform Single Sign-on (PSSO).

Systems

Jamf Pro

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Services Jamf Pro

Actions

General Information

Apple and Microsoft have partnered to provide an integrated identity experience on macOS through the Platform Single Sign-On (PSSO) framework. This feature allows users to authenticate with their Microsoft Entra ID credentials, synchronize their Mac login password with their university credentials, and access Microsoft 365 and other services without repeated sign-ins.

Note: Apple and Microsoft are actively developing Platform Single Sign-On. IT professionals should anticipate ongoing changes to supported functionality, enrollment workflows, and feature availability as the solution matures.

Prerequisites

  • macOS 15 or later (macOS 26 and later will be required for Simplified Setup)
  • Microsoft Company Portal app version 5.2404.0 or later installed
    • This is automatically installed on all Macs enrolled in Jamf Pro
  • Jamf Pro Platform SSO profile deployed
    • IT Pros may request the EPS team to deploy a Platform SSO configuration profile to their managed Macs

PSSO Setup (Manual Registration)

Once prerequisites are met, macOS will display a notification prompting the user to register their computer with Microsoft Entra ID. The registration process is straightforward and does not require administrator privileges.

  1. While logged into the primary user's local account, click the Registration Required notification when it appears.
    (Screenshot: macOS "Registration Required" notification, which says to use your identity provider password to log in and use your Mac.)
  2. The primary user signs in with their university email address and password, completing the MFA prompt when required.
  3. Upon successful authentication, macOS links the local user account with the user's university credentials, synchronizing their Mac login password with their NetID password. The Mac is also Microsoft Entra-joined and the computer becomes associated with the authenticated user in Microsoft Entra ID.
  4. After registration completes and the computer performs an inventory update with Jamf Pro, subsequent app and browser authentication will occur automatically for configured applications (e.g., Microsoft 365, Teams, Outlook, OneDrive, Jamf Pro Self Service+, etc.).

Caveats and Known Limitations

  • The macOS user account used to complete PSSO registration must belong to the same user whose university credentials are used, as password synchronization applies only to the account logged in during PSSO registration.
  • The Entra ID user object used during PSSO registration becomes associated with the computer record in Microsoft Entra ID.
  • Users with multiple accounts may find that single sign-on automatically authenticates as the registered user in certain apps or browsers.
  • Some features are not currently available as Apple and Microsoft are still developing them:
    • Entra ID group-based administrative access
    • Automated PSSO registration during initial computer setup

Testing and Verification

After Platform SSO configuration and registration are complete, IT Pros can verify PSSO functionality using any of the following methods:

  • Test app SSO logins: Launch Microsoft 365 apps (Outlook, Teams, OneDrive), browser-based resources, or other apps configured by the SSO profile. Verify that sign-in occurs automatically without credential prompts.
  • Verify in System Settings: In the System Settings app, navigate to Users & Groups and click the Edit button under Network Account Server. A Platform Single Sign-on header should be listed, showing "Mac SSO Extension" and a green dot next to "Registered".
  • Verify Entra ID association: In the Microsoft Entra ID admin portal, confirm that the device object is listed and associated with the correct user account.
    • Note: If a device previously completed PSSO registration, duplicate Entra ID objects may appear for the same Mac.
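
The registration state can also be collected at each Jamf Pro inventory update with an extension attribute script. The following is an added example, not part of the original article or an Endpoint Services script; it assumes that `app-sso platform -s` prints a "registrationCompleted" line in its Device Configuration section, which should be confirmed on the macOS versions in use. The function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute that reports Platform SSO
# registration state. Assumption: `app-sso platform -s` prints a line such as
#   "registrationCompleted" : true
# in its Device Configuration section; confirm on your macOS build.

# Classify the text of `app-sso platform -s`, read from stdin.
psso_state() {
    awk '
        /"registrationCompleted"/ {
            seen = 1
            if ($0 ~ /:[ \t]*true/) { ok = 1 }
        }
        END {
            if (ok) { print "Registered" }
            else if (seen) { print "Not Registered" }
            else { print "Not Configured" }
        }'
}

# Constructed sample output (not captured from a real Mac), for off-device testing.
sample_output() {
    # $1 = true | false | none
    if [ "$1" = "none" ]; then
        printf 'Device Configuration:\n (null)\n'
    else
        printf 'Device Configuration:\n {\n  "registrationCompleted" : %s\n }\n' "$1"
    fi
}

# Emit the <result> tag that Jamf Pro reads from an extension attribute script.
report() {
    if [ -x /usr/bin/app-sso ]; then
        state=$(/usr/bin/app-sso platform -s 2>/dev/null | psso_state)
    else
        # Never report a guessed state when the tool is missing.
        state="app-sso unavailable"
    fi
    printf '<result>%s</result>\n' "$state"
}

report
```

A smart group built on this attribute separates Macs that have the profile but were never registered ("Not Registered") from Macs that never received the profile ("Not Configured").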

Authenticated Guest Mode

Beginning with macOS 26, Apple introduced Authenticated Guest Mode, which enables temporary login sessions authenticated through Platform SSO. This allows users to sign in with their university credentials on a shared Mac without creating a persistent local account or home directory, while still benefiting from SSO integration and access to organizational resources. Currently, Authenticated Guest Mode only supports manual PSSO registration.

Submit a support request to the Endpoint Services team for assistance configuring PSSO Authenticated Guest Mode on managed Macs.

Simplified Setup (Automated Registration)

Microsoft Entra ID does not yet support Simplified Setup. Until support is added, users must complete PSSO registration manually. See PSSO Setup (Manual Registration) above.

With the release of macOS 26, Apple added a new Platform SSO feature called Simplified Setup, which automatically completes Entra ID registration during the initial macOS Setup Assistant workflow. During first-boot setup, users are prompted to sign in with their university credentials, establishing Platform SSO before users reach the desktop.


Contact the EPS team



Keywords:
endpoint EPS mdm jamf pro "jamf pro" mac macOS TechS-EPS-Jamf psso sso platform single sign-on "authenticated guest mode" 
Doc ID:
156873
Owned by:
EPS Distribution List G. in University of Illinois Technology Services
Created:
2025-11-20
Updated:
2025-12-08
Sites:
University of Illinois Technology Services