What is SSO?
SuperOps SSO Configuration lets you connect your managed Mac fleet to Microsoft Entra ID so users sign in once with their work credentials and are automatically authenticated across every connected app and service. It combines two capabilities: Extensible SSO, which handles app authentication after login, and Platform SSO, which syncs the Mac login window with Entra ID so users sign into their Mac with their work password.
For a full overview of how Platform SSO and Extensible SSO work together, refer to Apple's Platform SSO documentation.
Before you begin
Your client's active Microsoft Entra ID tenant with users already configured
Macs enrolled in SuperOps MDM and supervised via Apple Business Manager
macOS 14 or later on managed devices
No configuration is required in the Azure portal before setting up SSO in SuperOps.
Step 1: Enable SSO Configuration
Go to Settings and open Policy Management.
Click the MDM tab and select your Mac Workstation Policy.
In the left sidebar under MDM Configurations, click SSO Configuration and toggle it on.
Select Entra as the identity provider.
SuperOps automatically pre-fills all Extensible SSO values for Microsoft Entra ID. Company Portal is pushed automatically to enrolled Macs when the policy is saved.
Note: If you switch identity providers after SSO is already deployed (for example, from Okta to Entra), you will see the following warning: "This action resets Platform SSO on all targeted devices. Existing registrations will be invalidated — every user must sign in again with the new identity provider to restore single sign-on, FileVault unlock, and policy enforcement."
Step 2: Configure Extensible SSO
Stay on the Extensible SSO tab. The following values are pre-filled when Entra is selected and do not require editing.
| Field | Value |
| --- | --- |
| Authentication Flow | Redirect |
| SSO Extension Bundle ID | com.microsoft.CompanyPortalMac.ssoextension |
| Developer Team ID | UBF8T346G9 |
| Redirection URLs | |
You can add additional URLs to this field if needed.
Configure the following Extension Configuration settings:
Enable Allow browser sign-in via SSO to extend SSO to browsers and apps that do not use MSAL (Microsoft Authentication Library). Required if you want Chrome, Firefox, or other non-Microsoft apps to benefit from SSO.
Enable Skip duplicate sign-in prompts to suppress redundant Microsoft sign-in prompts in apps that already support SSO.
Enable Apply SSO automatically to all managed apps to automatically apply SSO to apps matching the App Prefix Allowlist.
Under Apps allowed to use SSO, enter the bundle ID prefixes for apps that should participate in SSO. For all Microsoft apps, enter com.microsoft. Add additional prefixes for other Entra-connected apps in your organization.
Note: Microsoft apps built with MSAL authenticate automatically. For all other apps (including browsers), add their bundle ID prefix here and enable Allow browser sign-in via SSO.
Step 3: Configure Platform SSO
Click the Platform SSO tab and toggle Platform SSO Configuration on.
Authentication method
Select the method that determines how the Mac authenticates with Entra at login, FileVault unlock, screensaver unlock, and token refresh. For guidance on which method suits your organization, refer to Microsoft's authentication method documentation.
Password: Mac password syncs with the Entra password. Same password for Mac login and all connected apps. Recommended for most organizations.
User Secure Enclave Key: Authentication uses a hardware-bound key stored in the Mac's Secure Enclave chip. More secure and phishing-resistant. The Mac password and Entra password remain separate, but users still sign in with one password at the Mac login window. Entra authentication happens silently in the background.
Smart Card: For organizations using physical smart cards for authentication.
Existing user permission level
Set the macOS permission level for existing Entra-linked accounts. This is re-evaluated at every login, so privilege changes in Entra (such as promoting a user from Standard to Admin) take effect at the next sign-in without any manual change on the device. Standard is recommended.
Login
Controls authentication behavior at the macOS login window.
Attempt Authentication: The Mac tries to contact Entra at login. If Entra is unreachable, the user can sign in with their cached local password. Recommended for most organizations.
Require Authentication: Entra must be contacted at every login. If Entra is unreachable and no grace period is configured, the user is blocked at the login window. Use with caution.
Under Require Authentication:
Allow Offline Grace Period: Allows sign-in with the cached local password when offline, up to the configured number of hours since the last successful Entra authentication.
Authentication Grace Period: Gives unregistered users a buffer window to complete Platform SSO registration while still signing in with their local password.
FileVault
Controls whether Entra authentication is required to decrypt the disk at power-on. Offers the same options as Login: Attempt Authentication and Require Authentication, with the same grace period settings.
With FileVault connected to Entra, if a user's account is disabled in Entra, the Mac disk cannot be decrypted even if someone knows the local password. This is critical for offboarding.
Remaining settings
| Setting | Recommended value | Notes |
| --- | --- | --- |
| Use shared device keys | Enabled | Registers the device with Entra immediately when the profile is installed, before any user logs in. Required for the Mac to appear in Entra as "Microsoft Entra joined." Apple recommends enabling this for all deployments. |
| Create users at login window | Enabled (optional) | Creates a new local macOS account automatically when a user signs in with their Entra credentials for the first time. No IT intervention required. |
| New user permission level | Standard | Permission level for accounts created at the login window. |
| Authorization via IdP | Enabled | Allows users to approve macOS authorization prompts (sudo commands, System Settings changes, package installs) using their Entra password. |
| Display name | Your organization's name | Shown at the login window and during Platform SSO registration. Example: "Work Account" or "Company Login." |
| Device Attestation | Disabled by default | When enabled, includes the device UDID and serial number in Platform SSO attestation requests. Required for Conditional Access policies that restrict access to registered corporate devices. |
| Sync profile picture from IdP | Enabled (optional) | Displays the user's Entra profile picture at the login window. Silently falls back to the default avatar if not supported. |
| Require full login after | Set per org policy | How often a full Entra re-authentication is required instead of using cached SSO tokens. Minimum 1 hour (Apple-enforced). |
| Excluded local accounts | Add your IT admin account | Accounts excluded from all Platform SSO policies. These accounts always use their local password. Always exclude the local admin account to ensure IT access if Entra is unreachable. |
Step 4: Save and deploy
Click Save. SuperOps pushes the Extensible SSO and Platform SSO profiles to all Macs under this policy. Company Portal is pushed automatically.
User registration experience
After the profiles are deployed, users complete a one-time registration to activate Platform SSO on their device.
A notification appears: "Registration Required. Use your identity provider password to your Mac."
The user clicks Register.
A screen confirms three things that will happen: Device Registration, Password Synchronisation, and Data Access.
The user clicks Continue and enters their current local Mac password to authorize the sync.
The Microsoft Entra sign-in page appears. The user signs in with their Entra credentials. If MFA is configured in your Entra tenant, the user will be prompted to complete MFA at this step.
Registration completes. A notification confirms: "Your password has been synchronised with your Microsoft Account."
From this point, the user's Mac password is their Entra password. Every connected app signs them in automatically.
Verifying the configuration
On the Mac: Go to System Settings > Users and Groups and click the user account. Under Platform Single Sign-on, confirm:
Registration shows Registered (green dot)
Tokens shows SSO tokens present (green dot)
In Microsoft Azure: Go to Entra ID > Devices. The Mac appears as "Microsoft Entra joined" with the user's name, email, OS version, and registration date.
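As an added check that is not part of SuperOps' documentation, the following Python script audits an SSO profile (a standard .mobileconfig plist) against the values documented in Steps 2 and 3: the Company Portal extension, team ID and Redirect flow, shared device keys, the 1 hour floor for full re-authentication, and the excluded local admin account. The Apple payload key names (ExtensionIdentifier, TeamIdentifier, Type, PlatformSSO, UseSharedDeviceKeys, LoginFrequency, NonPlatformSSOAccounts) and the sample profile are assumptions of this example, not values taken from this page.

```python
import plistlib

# Values this page documents for Entra ID. Key names follow Apple's
# com.apple.extensiblesso payload format as I understand it (assumption).
EXPECTED_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"
EXPECTED_TEAM_ID = "UBF8T346G9"
EXPECTED_TYPE = "Redirect"
MIN_LOGIN_FREQUENCY = 3600  # "Require full login after": Apple-enforced 1 hour minimum
VALID_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}

def audit_sso_profile(profile_bytes: bytes, break_glass_accounts: set) -> list:
    """Return findings where the profile departs from the baseline; [] means it matches."""
    findings = []
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return [f"expected one com.apple.extensiblesso payload, found {len(sso)}"]
    ext = sso[0]
    # Extensible SSO: the pre-filled values from Step 2 must survive deployment unchanged.
    for key, want in (("ExtensionIdentifier", EXPECTED_EXTENSION),
                      ("TeamIdentifier", EXPECTED_TEAM_ID), ("Type", EXPECTED_TYPE)):
        if ext.get(key) != want:
            findings.append(f"{key} is {ext.get(key)!r}, expected {want!r}")
    # Platform SSO: the Step 3 settings that matter most for access and recovery.
    pso = ext.get("PlatformSSO", {})
    if pso.get("AuthenticationMethod") not in VALID_METHODS:
        findings.append("AuthenticationMethod missing or unknown")
    if not pso.get("UseSharedDeviceKeys"):
        findings.append("UseSharedDeviceKeys off: Mac will not register with Entra before first login")
    if pso.get("LoginFrequency", MIN_LOGIN_FREQUENCY) < MIN_LOGIN_FREQUENCY:
        findings.append("LoginFrequency below the 1 hour minimum")
    missing = set(break_glass_accounts) - set(pso.get("NonPlatformSSOAccounts", []))
    if missing:
        findings.append(f"local admin account(s) not excluded from Platform SSO: {sorted(missing)}")
    return findings

# Constructed sample profile (not a real export) showing a compliant deployment.
SAMPLE_PROFILE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": EXPECTED_EXTENSION,
    "TeamIdentifier": EXPECTED_TEAM_ID,
    "Type": EXPECTED_TYPE,
    "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True,
                    "LoginFrequency": 86400, "NonPlatformSSOAccounts": ["itadmin"]},
}]})

if __name__ == "__main__":
    print(audit_sso_profile(SAMPLE_PROFILE, {"itadmin"}) or "profile matches baseline")
```

Run it against the profile actually installed on a Mac and treat any finding as a deployment drift to investigate before relying on FileVault and login enforcement.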