Using a Workspace ONE profile to enable and configure the macOS single sign-on extension.
Workspace ONE Unified Endpoint Management (UEM)
University of Illinois IT Pros leveraging Technology Services Endpoint Service Workspace ONE UEM for macOS support
Apple's Kerberos single sign-on (SSO) extension for macOS allows users to seamlessly connect and authenticate to the campus Active Directory, without the need for binding to the domain. Devices must be managed with an MDM solution, such as Workspace ONE, in order to install the SSO extension configuration.
The SSO extension requires macOS 10.15 (Catalina) or 11 (Big Sur); it does not currently work properly on macOS 12 (Monterey). It replaces Apple Enterprise Connect, which is not supported beyond macOS 11 (Big Sur). Uninstall Enterprise Connect from your Macs before using the extension.
The SSO extension is essentially a Kerberos agent with a graphical interface. Once a user has signed in, the extension re-establishes its connection to Active Directory and the single sign-on trust each time the Mac (re)connects to a campus network (VPN included).
A Mac using the SSO extension, whether domain-joined or not, can use the campus NetID password as its login password (keeping the machine in compliance with university security standards) and take advantage of single sign-on, without being susceptible to the locked login keychains and keychain sync issues that follow campus password changes.
Please note that SSO is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.
Also note that users will still need to update any passwords saved in their login keychain after a password change (e.g. email clients, Skype for Business).
The extension configuration is available to Workspace ONE-managed Macs as a profile payload. Please contact the EPS team for profile access.
After the SSO profile payload has been installed on the device, the primary user will sign in to finish the setup.
For Macs already bound to AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends that existing mobile accounts be converted to local accounts, because password syncing works only with local accounts; mobile accounts using the SSO extension will therefore still encounter keychain issues following campus password changes. Apple has directed us to a third-party script that can be used to convert mobile accounts to local accounts. EPS has not tested this script extensively, so it carries a 'your mileage may vary' disclaimer. If you are interested in using this script, we recommend testing it in your own environment before applying it to production machines.
Removing AD binding is optional, and may depend on a unit's IT support mechanism.