At Root3, we are dedicated to continuously improving the integration of Apple technologies in businesses, with a strong focus on user experience and security. A common problem we address is the complex management of multiple passwords and the need to log into various applications multiple times a day.
Benefits of Single Sign-On
To address this concern, we have implemented Single Sign-On (SSO) technologies. These solutions enable Mac users to seamlessly access their corporate resources with a single login.
Why Single Sign-On?
SSO uses a single authentication process that grants access to multiple applications or systems without requiring users to repeatedly confirm their identity. Instead of storing user credentials and passwords and reusing them for each application, SSO works with a token issued upon initial authentication. Not only does this improve the user experience by giving users the sense of logging in only once, but it also increases security because users need to remember fewer passwords. This minimizes the risk of weak or reused passwords and centralizes identity management, making it easier for organizations to consistently apply their security policies.
Platform SSO, what exactly is it?
Apple first announced Platform Single Sign-On at WWDC 2022. Before this, only SSO Extensions were available; these were limited to individual (web) applications and were separate from the macOS user account.
Platform SSO extends this functionality by allowing developers to build SSO Extensions that also apply to the macOS login screen and provides deep hardware security. This syncs local account credentials with an Identity Provider (IdP) such as Microsoft Entra ID or Okta, allowing users to unlock their Mac with their cloud password, even offline.
Secure Enclave and biometric authentication
Even more secure, user-friendly and phishing-resistant is the Secure Enclave key implementation, which is considered passwordless and hardware-bound to the device. In a world where we want to move away from passwords and adopt more modern authentication methods, we believe this is the better option over traditional password synchronization. Additionally, users can authenticate with biometrics such as Touch ID or with passkeys, which is far more user-friendly and secure than a regular password plus MFA challenge.
New features for macOS 14 (Sonoma)
In macOS 14, Apple has added important new features to the Platform SSO framework, including the ability to view and manage SSO status in System Settings. Also, organizations using shared devices can now take advantage of Platform SSO, as local accounts are automatically created based on the IdP account. Groups from the IdP can also be used to assign user rights, such as whether someone can be an administrator or whether someone can change network and printer settings. The configuration profile from MDM then determines which permissions for which groups are applied to the account.
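To make the two preceding points concrete (the Secure Enclave key method instead of password sync, and IdP groups mapped to local rights by the MDM profile), here is an added example of an Extensible SSO configuration profile with the Platform SSO settings that an MDM would deliver. This is our illustration, not a profile from Apple or from any IdP vendor: the PayloadIdentifier, PayloadUUID, ExtensionIdentifier, TeamIdentifier, URL and group names are placeholders to be replaced with the values your IdP documents, and the authorization right names used under AuthorizationGroups are assumed, so check them against Apple's current payload reference before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <!-- Placeholder identifiers: your MDM normally generates these -->
      <key>PayloadIdentifier</key>
      <string>com.example.psso.payload</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadDisplayName</key>
      <string>Platform SSO (example)</string>

      <!-- Which SSO extension app the IdP ships: placeholders, use the IdP's documented values -->
      <key>ExtensionIdentifier</key>
      <string>com.example.idp.ssoextension</string>
      <key>TeamIdentifier</key>
      <string>ABCDE12345</string>
      <key>Type</key>
      <string>Redirect</string>
      <key>URLs</key>
      <array>
        <string>https://login.example-idp.com</string>
      </array>

      <key>PlatformSSO</key>
      <dict>
        <!-- Passwordless, hardware-bound: the user key lives in the Secure Enclave,
             instead of syncing the IdP password to the local account ("Password") -->
        <key>AuthenticationMethod</key>
        <string>UserSecureEnclaveKey</string>

        <!-- macOS 14 shared-device support: create the local account from the IdP identity
             at the login window, with device keys shared across users of the Mac -->
        <key>EnableCreateUserAtLogin</key>
        <true/>
        <key>UseSharedDeviceKeys</key>
        <true/>

        <!-- macOS 14 group-based rights: derive local privileges from IdP groups
             rather than making every account an administrator -->
        <key>EnableAuthorization</key>
        <true/>
        <key>NewUserAuthorizationMode</key>
        <string>Groups</string>
        <key>UserAuthorizationMode</key>
        <string>Groups</string>
        <key>AdministratorGroups</key>
        <array>
          <string>mac-admins</string> <!-- placeholder IdP group name -->
        </array>
        <!-- Authorization right -> IdP groups allowed to exercise it (right names assumed,
             chosen to match the network and printer settings mentioned above) -->
        <key>AuthorizationGroups</key>
        <dict>
          <key>system.preferences.network</key>
          <array>
            <string>mac-network-ops</string>
          </array>
          <key>system.preferences.printing</key>
          <array>
            <string>mac-helpdesk</string>
          </array>
        </dict>
      </dict>
    </dict>
  </array>

  <!-- Outer profile wrapper; Platform SSO must be delivered by MDM as a device profile -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.psso</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Platform SSO (example)</string>
  <key>PayloadScope</key>
  <string>System</string>
</dict>
</plist>
```

Two points worth keeping in mind when reviewing such a profile: the AuthenticationMethod decides whether a phished or reused IdP password can unlock the Mac at all (with UserSecureEnclaveKey it cannot, because the key never leaves the device), and the group mappings are the place to check that ordinary users do not end up in an administrator group by accident. On a managed Mac, the built-in command app-sso platform -s reports whether the device and user registration actually completed.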
New features for macOS 15 (Sequoia)
Last month at WWDC24, Apple announced features coming to the Mac in late 2024. Very welcome is new functionality for organizations using Platform SSO in conjunction with FileVault disk encryption: it will now be possible to also require authentication at the Identity Provider when unlocking FileVault, where previously FileVault always used a local password. We wrote a blog about the main innovations of WWDC24. You can find this blog here.
The requirements for Platform SSO are simple: a Mac running macOS 13 or later, managed by an MDM solution such as Microsoft Intune, Jamf Pro or Kandji. For an optimal implementation, however, we recommend at least macOS 14.
Supported Identity Providers
It depends on the IdP whether Platform SSO can be deployed. Although Apple has released the Platform SSO framework, it is up to the IdP to develop on it, and that is still some time away for many providers. Fortunately, two Identity Providers currently offer support for Platform SSO:
- Microsoft Entra ID
- Okta
For other providers, it is still unknown if and when support will arrive.
How can Root3 help?
As an Apple Solutionist, Root3 is the ideal partner for implementing Single Sign-On Extensions or Platform SSO. We have the macOS and MDM expertise required to successfully integrate these technologies into your business environment. If you would like more information about Single Sign-On Extensions, Platform SSO or using macOS in business, contact us soon.