Enforcing macOS Platform SSO During Automated Device Enrollment (ADE)

Historically, deploying Apple's Platform Single Sign-On (PSSO) framework via Microsoft Intune resulted in a disjointed post-onboarding experience. Users had to land on the desktop, wait for MDM background sync, launch Company Portal, and manually complete the identity-to-device registration loop.

With Microsoft's native integration of Platform SSO registration directly into Setup Assistant during Automated Device Enrollment (ADE), the identity registration and device-join flow occur natively at boot.

Here is the technical architecture, prerequisite stack, and configuration policy logic required to enforce this mechanism.

The Mechanics of Setup Assistant Registration

When a device is unboxed and initiates Apple ADE, the enrollment flow behaves as follows:

  1. Bootstrap Profile Delivery: The Mac reaches out to Apple's activation servers, is handed to Intune, and pulls down the initial MDM bootstrap payload, including the PSSO Settings Catalog policy.

  2. Prioritized LOB Pushing: Intune prioritizes the background installation of the Company Portal .pkg to provide the necessary com.microsoft.CompanyPortalMac Enterprise SSO plug-in payload before the user finishes setup.

  3. The Entra ID Handshake: During Setup Assistant, the user authenticates via Modern Authentication against Microsoft Entra ID. The system triggers the PSSO pane natively, issuing a hardware-backed Entra ID device registration certificate secured within the Mac's Secure Enclave.

  4. Account Provisioning: Based on your configuration, the local account is created using password synchronization mapped directly to the cloud identity provider (IdP).

Technical Prerequisites
To execute this integrated deployment, you must meet the following baseline requirements:

  • Target OS: macOS 14 (Sonoma) or newer.

  • Enrollment Type: Automated Device Enrollment (ADE) via Apple Business Manager (ABM) or Apple School Manager (ASM).

  • Broker App: Intune Company Portal for macOS version 5.2604.0 or newer (deployed as a required Line-of-Business app).

  • Hardware: Apple Silicon (M1/M2/M3/M4) or Intel-based Macs equipped with a T2 Security Chip / Touch ID.
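As an added example (not part of the original post), a pre-flight script that checks a Mac against the prerequisites above and prints the Platform SSO registration state the OS reports. The version thresholds are the ones listed here; the Company Portal install path, the PlistBuddy and system_profiler probes and the app-sso status call are assumptions about the local tooling.

```shell
#!/bin/sh
# Constructed pre-flight check for the PSSO-during-ADE prerequisites above.
# Thresholds come from the post; install path and probe commands are assumed.

MIN_OS="14.0"            # macOS 14 Sonoma or newer
MIN_CP="5.2604.0"        # Company Portal for macOS minimum
CP_APP="/Applications/Company Portal.app"   # assumed install path
CP_BUNDLE="com.microsoft.CompanyPortalMac"

# version_ge A B -> returns 0 when dotted version A >= B, compared per component
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
  done
  return 0
}

# hw_ok ARCH BRIDGE_INFO -> 0 for Apple Silicon, or an Intel Mac whose
# "system_profiler SPiBridgeDataType" output reports a T2 Security Chip
hw_ok() {
  [ "$1" = "arm64" ] && return 0
  printf '%s' "$2" | grep -q "T2 Security Chip"
}

preflight() {
  plist="$CP_APP/Contents/Info.plist"
  os="$(sw_vers -productVersion)"
  version_ge "$os" "$MIN_OS" && echo "OK   macOS $os" || echo "FAIL macOS $os < $MIN_OS"
  if [ -f "$plist" ]; then
    cpv="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist")"
    cpid="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$plist")"
    version_ge "$cpv" "$MIN_CP" && [ "$cpid" = "$CP_BUNDLE" ] \
      && echo "OK   Company Portal $cpv ($cpid)" || echo "FAIL Company Portal $cpv ($cpid)"
  else
    echo "FAIL Company Portal not installed at $CP_APP"
  fi
  hw_ok "$(uname -m)" "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
    && echo "OK   hardware $(uname -m)" || echo "FAIL hardware: needs Apple Silicon or T2"
  # Registration state as the OS sees it; look for the Entra ID registration here
  echo "--- app-sso platform -s ---"; app-sso platform -s 2>&1
}
# Live probes only on macOS; the helper functions stay usable elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then preflight; fi
```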

Intune Configuration Policy Stack

Enforcing PSSO inside Setup Assistant requires a precise orchestration of three distinct policy nodes assigned to the same static deployment groups.

1. The Platform SSO Settings Catalog Policy

Modify or create a Settings Catalog configuration under Devices > Manage devices > Configuration with the following key leaf nodes:

All three settings live under Authentication > Extensible Single Sign On (setting name, value, technical context):

  • Enable Registration During Setup: Enabled. Triggers the native PSSO configuration pane explicitly inside Apple's Setup Assistant.

  • Enable Create First User During Setup: Enabled (required only if using Password authentication). Synchronizes the cloud password payload down to the local account daemon during provisioning.

  • Authentication Method: Secure Enclave (recommended). Binds cryptographic keys to hardware for a phishing-resistant credential flow.

2. The LOB Application Payload

Deploy the Company Portal installer (.pkg) as a Line-of-Business app. Ensure you strip out any irrelevant bundle IDs from the metadata properties, keeping exclusively:

  • com.microsoft.CompanyPortalMac

⚠️ Critical: Do not deploy Company Portal via shell scripts or alternative app management frameworks for this workflow. Intune requires the native LOB deployment engine to dynamically adjust delivery priority during the Await final configuration state.

3. The ADE Enrollment Profile

Navigate to Devices > Device onboarding > Enrollment > Apple enrollment and ensure your active ADE profile implements these specific management parameters:

  • User Affinity: Enroll with User Affinity

  • Authentication Method: Setup Assistant with modern authentication

  • Await Final Configuration: Yes (This holds the device in the Setup Assistant phase until the PSSO configuration profile and Company Portal LOB app are verified on the local disk volume).

Operational Impact & Identity Trust

By enforcing PSSO during registration, you effectively satisfy Zero Trust compliance verification and Conditional Access (CA) requirements the exact second the user reaches the macOS Finder. Because the identity is tightly coupled to the hardware keybag at provisioning, subsequent authentication checks treat the native device context as managed, trusted, and fully verified.
