All credit for the information in this recap goes to Joel Rennich, who presented this topic at MacSysAdmin 2025 in Sweden; the recap is based on his presentation at that event. Why a recap? Because Platform SSO is currently a much-discussed topic in the MacAdmins space.
Platform SSO continues to evolve as Apple’s vision for unified enterprise Mac identity. At MacSysAdmin 2025, Joel Rennich provided an in-depth look at how Platform SSO has developed since its introduction and explored the significant new capabilities in macOS Tahoe. This recap covers the key announcements, technical implementations, and what organizations should expect moving forward.
Topics
- The State of Platform SSO Adoption
- ADEPSo: The Headline Feature
- How ADEPSo Works
- Two Authentication Models
- Live Demonstrations
- Security Enhancements Through Attestation
- Additional Capabilities and Configuration
- Experimental and Upcoming Features
- Key Takeaways
- The Future of Mac Identity
- Watch the Full Presentation
The State of Platform SSO Adoption
Since its introduction two years ago, Platform SSO’s adoption has been slower than expected. Currently, only two major vendors have fully implemented Platform SSO: Microsoft Entra ID (formerly Azure AD) offers strong support with a dedicated session at MacSysAdmin, while Okta has implemented partial support marketed as “Desktop MFA.” Despite earlier demonstrations in 2022, many features remain unused by most identity providers and MDM vendors.
However, the landscape is beginning to shift with the release of macOS Tahoe, which introduces a major enhancement that addresses a long-standing administrator request.
ADEPSo: The Headline Feature
The most significant update in macOS Tahoe is the ability to register Platform SSO during Apple Device Enrollment (ADE). This means the first user on a newly enrolled Mac can now be automatically created and registered with Platform SSO during the initial setup process. Joel playfully proposed calling this “ADEPSo” (Apple Device Enrollment Platform SSO), a tongue-in-cheek name that combines ADE and PSSO, and he joked that it sounds like a pharmaceutical name while cleverly bringing back the old DEP (Device Enrollment Program) acronym.
This capability represents a fundamental improvement in the enterprise Mac enrollment experience.
How ADEPSo Works
Understanding the technical flow is essential for administrators planning to implement ADEPSo. The workflow involves four key components: Apple School or Business Manager, the Identity Provider (IdP), the MDM server, and the Mac device.
The flow proceeds as follows:
- The device starts up, connects to the internet, and contacts Apple Business or School Manager to fetch its configuration
- It retrieves a “cloud config” that includes a configuration web URL
- The URL responds with HTTP 403 (forbidden) instead of 401, providing:
  - A package (.pkg) to install before MDM enrollment
  - A configuration profile (.mobileconfig) applied pre-enrollment
  - Optionally, an authentication URL
- The Mac installs the package and configuration profile, typically the Platform SSO extension
- Platform SSO performs device registration, user registration, and token acquisition
- The device redirects via HTTP 308 with an authorization code to the MDM
- The MDM uses that code to deliver the actual enrollment profile, completing MDM enrollment
- The Mac finishes Setup Assistant, and the user’s local account is bound to the IdP identity
The critical distinction is that these pre-enrollment steps occur before the Mac is officially enrolled in MDM. This allows Platform SSO apps and configurations to exist early in the setup flow, improving both security and user experience.
Two Authentication Models
ADEPSo supports two authentication approaches, each with its own advantages and considerations.
Password Sync maintains a local macOS password equal to the IdP password. This approach is familiar to users but offers less security than newer methods.
The Secure Enclave (SE) keys model uses device-bound cryptographic keys for login and token exchange, which is the more secure and recommended approach.
Important caveat: even when using SE keys, a username and password are still required at first login to create the local user account. Additionally, MFA may need to occur during the authentication URL phase, since the Platform SSO agent is not yet active.
Live Demonstrations
Joel demonstrated both authentication models using a Mac mini enrolled via ADE, providing practical insights into how these workflows function.
The password-based ADEPSo flow showed the device downloading the Platform SSO package and configuration before MDM enrollment. Users see Platform SSO setup integrated into Setup Assistant, a local user is created using credentials from the IdP, and the profile picture syncs from the IdP to automatically populate the macOS user account. An important detail: profiles marked as “non-removable” during pre-MDM setup truly cannot be changed later, providing strong configuration security.
The Secure Enclave key-based flow followed a similar initial path, but user tokens are generated via hardware-backed key attestation. This attestation includes the device serial number and UDID, both signed by Apple’s Enterprise Attestation CA. As with the password-based flow, a password is still required to create the macOS account. After Setup Assistant completes, Platform SSO finalizes the link between the local user and the IdP account using SE keys.
Security Enhancements Through Attestation
Key attestation represents a major security advancement. It proves that credentials originate from genuine Apple hardware and provides the device serial number and UDID, enabling stronger device-to-identity binding. This process operates similarly to ACME attestation but uses a different certificate chain and can function silently without requiring user interaction.
Attestation reduces the need for pre-shared registration tokens in the SSO profile and enables trust verification between the IdP and the device without requiring MDM mediation.
Additional Capabilities and Configuration
Administrators can include multiple packages in the same pre-enrollment bundle, and marking the SSO profile as “non-removable” makes it truly permanent. Alternate deployment paths include Pre-Stage or Await Configuration (as available in Jamf), which pushes Platform SSO before user login, and Post-Login setup, currently the default method that installs Platform SSO after the user is created. ADEPSo is specifically required only when the first user must be created via the IdP.
New configuration keys available in macOS 15 and later within the com.apple.extensiblesso profile include:
- EnableRegistrationDuringSetup to show Platform SSO during Setup Assistant
- EnableCreateFirstUserDuringSetup to create the user account
- SynchronizeProfilePicture to sync the IdP avatar to macOS
- AllowDeviceIdentifiersInAttestation to include serial and UDID in key attestation
Proper configuration is essential, as misconfiguration such as enabling registration without enabling user creation can lead to incomplete or broken setup flows.
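To make the key combinations concrete, here is an added example (my own code, not from Joel's presentation or from Apple) that builds a com.apple.extensiblesso profile with the four Tahoe keys and then lints it for the misconfiguration just described. The four keys and the "non-removable" requirement come from the recap; the surrounding payload layout (ExtensionIdentifier, TeamIdentifier, Type, URLs, and a PlatformSSO sub-dictionary carrying AuthenticationMethod) follows the Extensible SSO payload format, but placing the new keys inside that PlatformSSO dictionary is an assumption of this example, and every identifier and URL is a placeholder.

```python
"""Build and sanity-check a Platform SSO (com.apple.extensiblesso) profile.

Added example, not part of the original recap or Apple's own tooling.
Assumption: the macOS Tahoe keys named in the recap live inside the
PlatformSSO sub-dictionary of the Extensible SSO payload. All identifiers
and URLs below are placeholders.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.extensiblesso"
# The two authentication models discussed in the talk.
KNOWN_AUTH_METHODS = ("Password", "UserSecureEnclaveKey")


def build_psso_profile(extension_id, team_id, urls, auth_method,
                       register_during_setup=True, create_first_user=True,
                       sync_picture=True, identifiers_in_attestation=True):
    """Return a .mobileconfig-shaped dict for a pre-enrollment Platform SSO profile."""
    psso = {
        "AuthenticationMethod": auth_method,
        # Tahoe keys from the recap (placement inside PlatformSSO is assumed).
        "EnableRegistrationDuringSetup": register_during_setup,
        "EnableCreateFirstUserDuringSetup": create_first_user,
        "SynchronizeProfilePicture": sync_picture,
        "AllowDeviceIdentifiersInAttestation": identifiers_in_attestation,
    }
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Platform SSO",
        "ExtensionIdentifier": extension_id,   # placeholder bundle id of the IdP's extension
        "TeamIdentifier": team_id,             # placeholder Apple team id
        "Type": "Redirect",
        "URLs": list(urls),                    # IdP endpoints the extension handles
        "PlatformSSO": psso,
    }
    return {
        "PayloadContent": [payload],
        "PayloadDisplayName": "Platform SSO (pre-enrollment)",
        "PayloadIdentifier": f"example.psso.{uuid.uuid4()}",
        # "Non-removable" in the talk: a pre-MDM profile that cannot be removed later.
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def lint_psso_profile(profile):
    """Return a list of findings; an empty list means the combinations look sane."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        psso = payload.get("PlatformSSO", {})
        registers = bool(psso.get("EnableRegistrationDuringSetup", False))
        creates = bool(psso.get("EnableCreateFirstUserDuringSetup", False))
        # The misconfiguration called out in the talk: registration is shown in
        # Setup Assistant but no first user is created, so the flow cannot finish.
        if registers and not creates:
            findings.append(
                "EnableRegistrationDuringSetup is set without "
                "EnableCreateFirstUserDuringSetup: setup flow will be incomplete")
        method = psso.get("AuthenticationMethod")
        if method not in KNOWN_AUTH_METHODS:
            findings.append(f"unexpected AuthenticationMethod {method!r}")
        if not payload.get("URLs"):
            findings.append("URLs is empty: the extension handles no IdP endpoints")
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed is not set: pre-MDM profile is removable")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def load_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (for round-trip checks)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    good = build_psso_profile("com.example.sso-extension", "PLACEHOLDER1",
                              ["https://idp.example.invalid/"], "UserSecureEnclaveKey")
    bad = build_psso_profile("com.example.sso-extension", "PLACEHOLDER1",
                             ["https://idp.example.invalid/"], "Password",
                             create_first_user=False)
    print("good profile findings:", lint_psso_profile(good))
    print("bad profile findings:", lint_psso_profile(bad))
    print(to_mobileconfig(good).decode()[:200], "...")
```

Run the linter against any profile before it goes into the pre-enrollment bundle; because these profiles are applied before MDM and marked non-removable, a mistake caught here is far cheaper than one found on a Mac that is already stuck in Setup Assistant.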
Experimental and Upcoming Features
Authenticated Guest Mode enables temporary guest sessions authenticated through an IdP but cannot coexist with ADEPSo, as both conflict during account creation. Users can trigger it using “Other…” or keyboard shortcuts (Option or Control plus Return) at the login screen.
Tap to Login using NFC and Apple Wallet remains under development. It is based on the AeroKey PKI standard used in building access systems and requires an NFC reader and CryptoTokenKit integration. Apple Wallet support needs specific entitlements that are not broadly available. During the presentation, demo attempts were not successful, and this feature is not yet deployable.
Key Takeaways
Advantages of Platform SSO in macOS Tahoe include:
• Seamless SSO integration from first boot
• Stronger trust through hardware attestation
• Reduced password exposure
• Better user experience through automatic account creation and avatar synchronization
Ongoing challenges:
• Requires coordination between IdP, MDM, and macOS versions
• Still relies on username and password even in Secure Enclave mode
• MFA handling remains inconsistent across implementations
• Pre-MDM profiles must be carefully managed to prevent lockouts
• Vendor adoption remains limited beyond Microsoft
The Future of Mac Identity
Apple’s vision for Mac identity is firmly centered on Platform SSO. It will become increasingly difficult to manage Macs without using it. Expect continued integration with Setup Assistant and eventual movement toward passwordless authentication. Features like Tap to Login, Guest Mode, and attestation-based trust will likely mature over time.
Administrators are encouraged to begin testing ADEPSo flows even if large-scale deployment is deferred, as Platform SSO clearly forms the foundation of Apple’s future identity strategy for enterprise Mac deployments.
Watch the Full Presentation
For a deeper dive into Platform SSO and ADEPSo, watch Joel Rennich’s complete presentation from MacSysAdmin 2025: