What is SSO?
SuperOps SSO Configuration connects your managed Mac fleet to Okta so users sign in once with their work credentials and are automatically authenticated across every connected app and service. It combines two capabilities: Extensible SSO, which handles app authentication after login, and Platform SSO, which syncs the Mac login window with Okta so users sign into their Mac with their Okta password.
For a full overview of how Platform SSO and Extensible SSO work together, refer to Apple's Platform SSO documentation.
Okta SSO configuration requires setup steps in the Okta Admin Console before you configure anything in SuperOps. Complete the Okta prerequisites below before proceeding.
Before you begin
An active Okta Identity Engine org with users already configured
Macs enrolled in SuperOps MDM and supervised via Apple Business Manager
macOS 14 or later on managed devices
Okta Verify authenticator set up in your Okta org
Part 1: Okta prerequisites
Complete these three steps in your Okta Admin Console before configuring SuperOps.
Step 1: Create a SCEP configuration in Okta
Okta requires a SCEP (Simple Certificate Enrollment Protocol) certificate to verify device identity during Platform SSO registration. You will need the SCEP server URL and secret key for the SuperOps configuration.
Log in to your Okta Admin Console.
In the left navigation, go to Security > Device Integrations.
Select the Device Access tab.
Click Add SCEP configuration.
Select Static SCEP URL.
Click Generate.
Copy the SCEP URL and save it. You will need this in SuperOps.
Copy the Secret key and save it immediately. This is the only time it is visible in full. It is stored as a hash after this point.
Click Save.
Note: The SCEP certificate does not auto-renew. You will need to re-push the configuration to devices before it expires.
Step 2: Create the Platform SSO app integration in Okta
This creates the application that Okta uses to manage Platform SSO on your devices and generates the Client ID you will need in SuperOps.
In the Okta Admin Console, go to Applications > App Catalog.
Search for Platform Single Sign-On for macOS and select it.
Click Add Integration.
On the Sign On tab, copy the Client ID. You will need this in SuperOps.
On the Assignments tab, assign the app to the users or groups that should have access to Platform SSO.
Click Save.
Step 3: Get the Okta Verify package download URL
Okta Verify must be deployed as a package directly from Okta, not from the App Store.
In the Okta Admin Console, go to Applications.
Find Okta Verify in your app list.
Copy the direct download URL for the Okta Verify macOS package. The URL follows this format:
https://yourcompany.okta.com/artifacts/OKTA_VERIFY_MACOS/version/packageName.pkg
You will enter this URL in SuperOps so it can push Okta Verify automatically to enrolled Macs.
Part 2: Configure SSO in SuperOps
Step 1: Enable SSO Configuration
Go to Settings and open Policy Management.
Click the MDM tab and select your Mac Workstation Policy.
In the left sidebar under MDM Configurations, click SSO Configuration and toggle it on.
Select Okta as the identity provider.
Note: If you switch identity providers after SSO is already deployed (for example, from Entra to Okta), you will see the following warning: "This action resets Platform SSO on all targeted devices. Existing registrations will be invalidated — every user must sign in again with the new identity provider to restore single sign-on, FileVault unlock, and policy enforcement."
Step 2: Configure Extensible SSO
Stay on the Extensible SSO tab. The following values are pre-filled when Okta is selected and do not require editing.
| Field | Value |
|---|---|
| Authentication Flow | Redirect |
| SSO Extension Bundle ID | com.okta.mobile.auth-service-extension |
| Developer Team ID | B7F62B65BN |
Redirection URLs
Unlike Entra, the Okta redirection URLs are not pre-filled. You must enter your organization's specific Okta domain URLs. Replace <idpDomain> with your Okta domain (for example, acme.okta.com):
You can add additional URLs if needed.
Additional Configurations
These four fields are required and specific to Okta. None of them exist in the Entra configuration.
| Field | Where to find it | Example |
|---|---|---|
| Okta Domain | Your Okta subdomain | acme.okta.com |
| Organisation URL | Your full Okta org URL | |
| Password Sync Client ID | Sign On tab of the Platform SSO app in Okta Admin Console (Step 2 above) | 0oa1b2c3d4e5f6g7h8 |
| Okta Verify Package Download URL | Okta Admin Console > Applications > Okta Verify | |
Configure the following Extension Configuration settings:
Enable Allow browser sign-in via SSO to extend SSO to browsers and apps that do not natively call the Okta SSO extension.
Enable Skip duplicate sign-in prompts to suppress redundant Okta sign-in prompts in apps that already support SSO.
Enable Apply SSO automatically to all managed apps to automatically apply SSO to apps matching the App Prefix Allowlist.
Under Apps allowed to use SSO, enter the bundle ID prefixes for apps that should participate in SSO. For all Okta-connected apps on the device, add the relevant bundle ID prefixes. For example, enter com.microsoft to include all Microsoft apps connected to Okta, or us.zoom.xos for Zoom.
Step 3: Configure Platform SSO
Click the Platform SSO tab and toggle Platform SSO Configuration on.
Authentication method
Okta currently supports Password mode for Platform SSO. Select Password.
Password: The user's Mac password is synced with their Okta password. Same password for Mac login and all connected apps. When the Okta password changes, the Mac password updates automatically.
Existing user permission level
Set the macOS permission level for existing Okta-linked accounts. The level is re-evaluated at every login, so privilege changes made in Okta take effect at the user's next sign-in without any manual change on the device. Standard is recommended.
Login
Controls authentication behavior at the macOS login window.
Attempt Authentication: The Mac tries to contact Okta at login. If Okta is unreachable, the user can sign in with their cached local password. Recommended for most organizations.
Require Authentication: Okta must be contacted at every login. If Okta is unreachable and no grace period is configured, the user is blocked at the login window. Use with caution.
Under Require Authentication:
Allow Offline Grace Period: Allows sign-in with the cached local password when offline, up to the configured number of hours since the last successful Okta authentication.
Authentication Grace Period: Gives unregistered users a buffer window to complete Platform SSO registration while still signing in with their local password.
FileVault
Controls whether Okta authentication is required to decrypt the disk at power-on. Offers the same options as Login: Attempt Authentication and Require Authentication, with the same grace period settings.
With FileVault connected to Okta, if a user's account is disabled in Okta, the Mac disk cannot be decrypted even if someone knows the local password. This is critical for offboarding.
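The interaction between Attempt Authentication, Require Authentication, the two grace periods and a disabled Okta account is easier to reason about as a decision table. The following is an added example written for this article, not code from SuperOps, Okta or Apple; it is a simplified model of the login-window and FileVault decision as the settings above describe it (the class and function names, the `idp_accepts` flag standing in for Okta's verdict, and the timings in `demo()` are all constructed for illustration).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class LoginMode(Enum):
    # Names mirror the two options on the Login and FileVault tabs.
    ATTEMPT = "Attempt Authentication"
    REQUIRE = "Require Authentication"


@dataclass
class LoginPolicy:
    mode: LoginMode
    offline_grace_hours: Optional[int] = None        # "Allow Offline Grace Period"; None = not configured
    registration_grace_hours: Optional[int] = None   # "Authentication Grace Period"; None = not configured


@dataclass
class DeviceState:
    registered: bool                    # Platform SSO registration completed on this Mac
    profile_installed_at: datetime      # when the SSO profile was pushed to the device
    last_idp_auth: Optional[datetime]   # last successful Okta authentication, if any


@dataclass
class SignInAttempt:
    now: datetime
    idp_reachable: bool
    idp_accepts: bool        # Okta verified the credentials and the account is enabled (model flag)
    local_password_ok: bool  # the cached local password matched


def evaluate(policy: LoginPolicy, device: DeviceState, attempt: SignInAttempt) -> str:
    """Return 'allow' or 'deny: <reason>' for one login-window (or FileVault unlock) attempt."""
    if not device.registered:
        # An unregistered user can only present the local password.
        if not attempt.local_password_ok:
            return "deny: local password rejected"
        if policy.mode is LoginMode.ATTEMPT:
            return "allow"
        grace = policy.registration_grace_hours
        if grace is not None and attempt.now - device.profile_installed_at <= timedelta(hours=grace):
            return "allow"  # inside the registration buffer window
        return "deny: not registered and no registration grace period"

    if attempt.idp_reachable:
        # Okta is authoritative: a disabled account is refused even if the local password is known.
        return "allow" if attempt.idp_accepts else "deny: rejected by IdP (bad credentials or account disabled)"

    # Okta unreachable.
    if not attempt.local_password_ok:
        return "deny: cached local password rejected"
    if policy.mode is LoginMode.ATTEMPT:
        return "allow"  # offline fallback to the cached password
    grace = policy.offline_grace_hours
    if (grace is not None and device.last_idp_auth is not None
            and attempt.now - device.last_idp_auth <= timedelta(hours=grace)):
        return "allow"  # inside the offline grace window
    return "deny: IdP unreachable and offline grace period exhausted"


def demo() -> dict:
    """Constructed scenarios (not real device data) covering the cases the settings describe."""
    now = datetime(2026, 3, 1, 9, 0)
    registered = DeviceState(True, now - timedelta(days=30), now - timedelta(hours=5))
    stale = DeviceState(True, now - timedelta(days=30), now - timedelta(hours=9))
    unregistered = DeviceState(False, now - timedelta(hours=2), None)
    offline = SignInAttempt(now, idp_reachable=False, idp_accepts=False, local_password_ok=True)
    disabled = SignInAttempt(now, idp_reachable=True, idp_accepts=False, local_password_ok=True)
    attempt = LoginPolicy(LoginMode.ATTEMPT)
    require = LoginPolicy(LoginMode.REQUIRE)
    require_grace = LoginPolicy(LoginMode.REQUIRE, offline_grace_hours=8, registration_grace_hours=24)
    return {
        "attempt/offline": evaluate(attempt, registered, offline),
        "require/offline/no-grace": evaluate(require, registered, offline),
        "require/offline/within-8h": evaluate(require_grace, registered, offline),
        "require/offline/9h-stale": evaluate(require_grace, stale, offline),
        "attempt/online/account-disabled": evaluate(attempt, registered, disabled),
        "require/unregistered/grace": evaluate(require_grace, unregistered, offline),
        "require/unregistered/no-grace": evaluate(require, unregistered, offline),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:35} -> {verdict}")
```

The two "deny" rows for Require Authentication without a grace period are the lockout cases the text warns about: a registered user whose Mac cannot reach Okta, and an unregistered user who has not yet completed Platform SSO registration. The "account-disabled" row is the offboarding behaviour: once Okta answers, the cached local password no longer helps.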
Remaining settings
| Setting | Recommended value | Notes |
|---|---|---|
| Use shared device keys | Enabled | Registers the device with Okta immediately when the profile is installed, before any user logs in. Apple recommends enabling this for all deployments. |
| Create users at login window | Enabled (optional) | Creates a new local macOS account automatically when a user signs in with their Okta credentials for the first time. No IT intervention required. |
| New user permission level | Standard | Permission level for accounts created at the login window. |
| Authorization via IdP | Enabled | Allows users to approve macOS authorization prompts (sudo commands, System Settings changes, package installs) using their Okta password. |
| Register during Setup Assistant | Optional | When enabled, Platform SSO registration happens during macOS Setup Assistant, the initial setup wizard when a Mac first powers on. This eliminates the one-time registration notification entirely for new devices, enabling fully zero-touch enrollment. |
| Display name | Your organization's name | Shown at the login window and during Platform SSO registration. Defaults to "Okta Account." |
| Device Attestation | Disabled by default | When enabled, includes the device UDID and serial number in Platform SSO attestation requests. Required for organizations using Okta Conditional Access policies that restrict access to registered corporate devices. |
| Sync profile picture from IdP | Enabled (optional) | Displays the user's Okta profile picture at the Mac login window. Silently falls back to the default avatar if not supported. |
| Require full login after | Set per org policy | How often a full Okta re-authentication is required instead of using cached SSO tokens. Minimum 1 hour (Apple-enforced). |
| Excluded local accounts | Add your IT admin account | Always exclude the local admin account to ensure IT access if Okta is unreachable. |
SCEP Certificate
Enter the SCEP configuration values you obtained in Part 1, Step 1.
| Field | Where to find it |
|---|---|
| SCEP server URL | Copied from Okta Admin > Security > Device Integrations > Device Access > SCEP Configuration |
| SCEP challenge | The secret key copied during SCEP configuration setup |
Note: The SCEP certificate does not auto-renew. Monitor the expiry date and re-push the configuration to devices before it expires to maintain Platform SSO registration.
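Because the SCEP certificate does not auto-renew (this note and the one in Part 1, Step 1), the expiry date has to be tracked by the admin. The following is an added example written for this article, not a SuperOps, Okta or Apple tool: it reads the `notAfter=` line that `openssl x509 -noout -enddate` prints for a certificate and classifies it as fine, due for a re-push, or expired. The certificate name in the comment, the 30-day warning window and the sample date are assumptions chosen for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple, Union

# On the Mac, the SCEP-issued certificate can be exported from the keychain and its
# expiry printed with (certificate name is an assumption; use the one shown in Keychain Access):
#   security find-certificate -c "<SCEP cert name>" -p | openssl x509 -noout -enddate
# which prints a single line such as:  notAfter=Mar 12 10:00:00 2026 GMT


def parse_not_after(line: str) -> datetime:
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate` into a UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if not sep or key != "notAfter":
        raise ValueError(f"expected a notAfter= line, got: {line!r}")
    value = " ".join(value.split())  # openssl pads single-digit days with a space
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def renewal_status(not_after: datetime, now: datetime, warn_days: int = 30) -> Tuple[str, int]:
    """Classify the certificate: 'ok', 'repush-needed' (inside the warning window) or 'expired'.

    The second element is the number of whole days remaining (negative once expired).
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        return ("expired", remaining.days)
    if remaining <= timedelta(days=warn_days):
        return ("repush-needed", remaining.days)
    return ("ok", remaining.days)


def check_line(line: str, now: Optional[Union[datetime, str]] = None, warn_days: int = 30) -> Tuple[str, int]:
    """Convenience wrapper: `now` may be omitted (current UTC time), a datetime, or an ISO-8601 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return renewal_status(parse_not_after(line), now, warn_days)


if __name__ == "__main__":
    # Constructed sample line (not a real certificate); pipe real openssl output on stdin instead.
    SAMPLE = "notAfter=Mar 12 10:00:00 2026 GMT"
    line = sys.stdin.readline() if not sys.stdin.isatty() else SAMPLE
    state, days = check_line(line)
    print(f"{state}: {days} days remaining")
    sys.exit(0 if state == "ok" else 1)
```

The non-zero exit code on "repush-needed" or "expired" makes the script usable as a scheduled check (for example from a SuperOps script run against the fleet), so the warning fires well before Platform SSO registration silently breaks.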
Step 4: Save and deploy
Click Save. SuperOps pushes the Extensible SSO, Platform SSO, and SCEP certificate profiles to all Macs under this policy. Okta Verify is pushed automatically using the package download URL you provided.
User registration experience
After the profiles are deployed, users complete a one-time registration to activate Platform SSO on their device. If Register during Setup Assistant is enabled, this registration happens automatically during macOS Setup Assistant and the steps below do not apply.
For existing devices or when Register during Setup Assistant is off:
A notification appears: "Registration Required. Use your identity provider password to your Mac."
The user clicks Register.
A screen confirms three things that will happen: Device Registration, Password Synchronisation, and Data Access.
The user clicks Continue and enters their current local Mac password to authorize the sync.
The Okta sign-in page appears. The user signs in with their Okta credentials. If MFA is configured in your Okta tenant, the user will be prompted to complete MFA at this step.
Registration completes. A notification confirms that the password has been synchronized with the Okta account.
From this point, the user's Mac password is their Okta password. Every connected app signs them in automatically.
Verifying the configuration
On the Mac: Go to System Settings > Users and Groups and click the user account. Under Platform Single Sign-on, confirm:
Registration shows Registered (green dot)
Tokens shows SSO tokens present (green dot)