
How to configure Extensible Single Sign-On (SSO) with MS Entra for Mac devices using SureMDM

The Extensible Single Sign-On (SSO) profile for Apple devices enables SSO capabilities for Microsoft Entra accounts on macOS, iOS, and iPadOS across all applications that support Apple’s enterprise SSO feature. This article explains how to configure Extensible SSO with MS Entra for macOS devices using SureMDM.

Purpose:

The purpose of this article is to explain how to configure Extensible Single Sign-On (SSO) with MS Entra for Mac devices using SureMDM.

Prerequisites:

  1. Identity Provider (IdP): MS Entra configuration details
  2. macOS Devices: Devices running macOS 11.0 or later.
  3. Enrollment Type: Supported for both User Enrollment and Device Enrollment types

Step 1: Deploy the SSO Extension via SureMDM

  1. Log in to the SureMDM Console:
    • Access your SureMDM solution and navigate to Profiles.
  2. Select macOS as the platform.
  3. Select the Enrollment type:
    • Device Enrollment / User Enrollment
  4. Select Extensible Single Sign-On:
    • Configure the following:
      • Extension Identifier: Enter the below bundle identifier for the Company Portal app
        • com.microsoft.companyportal.sso
      • Team Identifier: Enter the below unique Team ID for the Company Portal app
        • UBF8T346G9
      • SSO Type: Select the SSO Type as Redirect
      • URLs: Enter the below URLs, which are published by Microsoft, to configure MS Entra in the Extensible SSO payload. These URLs must be allowed for the SSO plug-in to function properly.
      • Denied Bundle Identifiers (Optional): Enter the bundle ID for the apps that are restricted from using the SSO extension.
        • Requires macOS 12 or later. 
      • Screen Locked Behavior (Optional): Set how the SSO extension should handle requests when the screen is locked.
        • “Cancel” stops authentication requests, while “Do Not Handle” allows requests to proceed without SSO.
        • Requires macOS 12 or later.
      • ExtensionData (Optional): Enter a dictionary of arbitrary data to be passed to the app extension as key-value pairs.

For more details about the configurations mentioned above, refer to Microsoft's documentation on SSO configuration: Microsoft Extensible SSO Plug-in
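Before a profile like this is pushed to a fleet, the payload can be checked against the values from Step 1. The script below is an added example, not SureMDM or Microsoft code. It assumes the profile is available as a `.mobileconfig` plist, uses a constructed sample with a placeholder URL, and treats non-HTTPS URLs as a finding (a hardening assumption of this example).

```python
import plistlib

# Identifiers below are the ones given in Step 1 of the article.
EXPECTED_EXTENSION_ID = "com.microsoft.companyportal.sso"
EXPECTED_TEAM_ID = "UBF8T346G9"
SCREEN_LOCKED_VALUES = {"Cancel", "DoNotHandle"}  # values of Apple's payload key


def audit_sso_payload(profile_bytes):
    """Return findings for the first com.apple.extensiblesso payload."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    sso, findings = payloads[0], []
    if sso.get("ExtensionIdentifier") != EXPECTED_EXTENSION_ID:
        findings.append("ExtensionIdentifier is not the Company Portal SSO extension")
    if sso.get("TeamIdentifier") != EXPECTED_TEAM_ID:
        findings.append("TeamIdentifier does not match the Company Portal Team ID")
    if sso.get("Type") != "Redirect":
        findings.append("Type must be Redirect")
    urls = sso.get("URLs", [])
    if not urls:
        findings.append("URLs is empty")
    findings += [f"URL is not https: {u}" for u in urls if not u.startswith("https://")]
    # Optional keys: an absent key is accepted, a present one must be well-formed.
    if sso.get("ScreenLockedBehavior", "Cancel") not in SCREEN_LOCKED_VALUES:
        findings.append("ScreenLockedBehavior must be Cancel or DoNotHandle")
    if not isinstance(sso.get("ExtensionData", {}), dict):
        findings.append("ExtensionData must be a dictionary")
    return findings


def build_sample(**overrides):
    """Constructed test profile; the URL is a placeholder, not a Microsoft URL."""
    sso = {"PayloadType": "com.apple.extensiblesso",
           "ExtensionIdentifier": EXPECTED_EXTENSION_ID,
           "TeamIdentifier": EXPECTED_TEAM_ID,
           "Type": "Redirect",
           "URLs": ["https://idp.example.invalid/"],
           "ScreenLockedBehavior": "DoNotHandle"}
    sso.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [sso]})


if __name__ == "__main__":
    print(audit_sso_payload(build_sample()))                    # clean profile
    print(audit_sso_payload(build_sample(TeamIdentifier="X")))  # wrong Team ID
```
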


Configuring Extensible SSO for macOS devices with MS Entra using SureMDM enhances both security and user experience. By following the outlined steps, organizations can streamline authentication workflows and maintain centralized control over device access.

Updated on February 2025