

A Guide to Platform Single Sign-On

Apple’s modern replacement for Active Directory binding


What is it?

Platform SSO is Apple’s modern replacement for Active Directory (AD) binding, designed for organisations of all sizes that use a cloud-based identity provider (IdP) such as Microsoft Entra ID or Okta. It can be thought of as similar to existing third-party solutions like Jamf Connect. This article focuses on Entra ID integration. At the time of writing (January 2025), Microsoft’s Entra ID support for Platform SSO is in public preview, but it is already usable in production environments with considered planning.


What does it do?

Platform SSO emulates the familiar login experience of AD-bound Macs and Entra-joined PCs: users enter their work or school account username and password at the standard macOS login window, and a local account is provisioned for them automatically. Logging in also obtains tokens that macOS uses for SSO to associated apps and websites for the remainder of the user’s session on the Mac. This is an improvement over the previous SSO extension implementation, which required a second authentication prompt once the user had reached the Desktop for the first time.

Depending on the configuration, Platform SSO can either keep the user’s local Mac account password in sync with their IdP password so the two match, or leave the local account password unchanged and provide password-less SSO instead, with the Mac storing an Entra passkey (a key bound to the Mac’s Secure Enclave) for authentication. The latter option is particularly exciting, as it gives Macs a phishing-resistant authentication strength via a secure, zero-password setup when combined with a Temporary Access Pass issued by Entra during the user’s onboarding with the organisation. This is how many organisations already operate their PC fleet using Windows Hello for Business, and Macs can now work in the same way.

Like Jamf Connect, Platform SSO can also grant the local Mac account either Admin or Standard privileges based on the user’s group membership within the IdP. This isn’t live at the time of writing when used with Microsoft Entra, but it is firmly on the roadmap. Accounts in an Admin group within the IdP can approve macOS Administrator authorisation prompts for Standard users, even without having a local account on the Mac!


What are the differences between Platform SSO and Jamf Connect?

There are some differences that may make either solution more suitable for your environment:

  • If using Platform SSO with its password sync option, a password change made elsewhere to the user’s Entra ID account is accepted at the Mac’s login window straight away. With Jamf Connect, the old local password is still required to gain access initially; the password sync then runs once the user reaches the Desktop.
  • With the password sync option, the local Mac account’s password cannot be changed on the Mac in System Settings. The password must instead be changed via the IdP’s password change workflow, like an Entra-joined PC.
  • The native macOS login window cannot be customised as extensively as the Jamf Connect one, so organisations that value deep branding customisation have one fewer option. Jamf Connect can also enforce MFA policies right at the login window, as it uses a traditional web view for the IdP account login. Platform SSO works differently: in password sync mode it enforces MFA policies only after the user has logged in and tries to access a Microsoft 365 service (such as Teams or OneDrive), whether via the respective app or a web browser.
  • Temporary Admin privilege escalation is not currently possible using Platform SSO and would require a third-party script to achieve. Jamf Connect can do this natively via its Menu Bar app, with a countdown in the UI to show the user how much time they have left as an Admin before being automatically demoted to a Standard account.
  • Platform SSO cannot support a zero-touch setup from the end user’s perspective, as its registration must be completed by an Admin after the first regular login to the Mac. This makes it harder to implement than Jamf Connect in organisations where remote employees are not created as Admins on the Mac.
  • Jamf Connect does not allow the Mac to be granted an Entra passkey, so it cannot support compliance with phishing-resistant MFA Conditional Access policies that the organisation may have in place.
  • As a native solution, Platform SSO requires neither licensing nor manual updates to an installed app, as Jamf Connect does, so it is easier to deploy and manage.
  • Jamf Connect currently supports a greater number of IdP integrations than Platform SSO, such as Google Cloud Identity and PingFederate.

Is it free? How easy is it to configure?

Built in to macOS Ventura and later, Platform SSO is free to use and is configured with just one configuration profile (an Extensible Single Sign-On payload) from a compatible MDM. The only app requirement is the IdP’s SSO extension, which for Entra ID is currently the Company Portal app. The user doesn’t need to interact with the Company Portal app; it simply needs to be present, as it contains the extension that provides the SSO functionality.
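To make the “one configuration profile” concrete, and to show how the two modes described earlier (password sync versus password-less Secure Enclave key) differ in that profile, here is an added example that builds and sanity-checks the Extensible SSO payload for Entra ID. It is not code from the original article, from Apple or from Microsoft. The payload keys, Microsoft’s extension and team identifiers and the login URLs are the documented values; the organisation name, profile identifier and account display name are placeholders you would replace. The Admin/Standard group-mapping keys are left out because, as noted above, that feature is not yet live with Entra.

```python
"""Build and sanity-check a Platform SSO (.mobileconfig) profile for Entra ID.

Added example, not code from the article, Apple or Microsoft. Key names follow
the documented com.apple.extensiblesso payload and Microsoft's Company Portal
SSO extension settings; ORG_NAME, PROFILE_ID and the display name are
placeholders (assumptions) to replace with your own values.
"""
import plistlib
import uuid

ORG_NAME = "Example Org"                      # placeholder
PROFILE_ID = "com.example.platformsso"        # placeholder

# Microsoft's SSO extension ships inside the Company Portal app.
ENTRA_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
MICROSOFT_TEAM_ID = "UBF8T346G9"
ENTRA_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
# "Password" keeps the local password in sync with Entra ID; "UserSecureEnclaveKey"
# leaves it alone and authenticates with a Secure Enclave-bound key (the
# password-less mode). "SmartCard" is the third documented option.
AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}


def sso_extension_payload(auth_method: str, user_mode: str = "Standard") -> dict:
    """Return the com.apple.extensiblesso payload for Entra ID Platform SSO."""
    if auth_method not in AUTH_METHODS:
        raise ValueError(f"unknown AuthenticationMethod {auth_method!r}")
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.sso",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Platform SSO (Entra ID)",
        "ExtensionIdentifier": ENTRA_EXTENSION_ID,
        "TeamIdentifier": MICROSOFT_TEAM_ID,
        "Type": "Redirect",                 # Platform SSO needs a Redirect extension
        "URLs": list(ENTRA_LOGIN_URLS),
        "ExtensionData": {
            "AppPrefixAllowList": "com.microsoft.,com.apple.",
            "browser_sso_interaction_enabled": 1,
            "disable_explicit_app_prompt": 1,
            "platform_sso_version": "2.0",  # turns on Platform SSO in the extension
        },
        "PlatformSSO": {
            "AuthenticationMethod": auth_method,
            "UseSharedDeviceKeys": True,
            "EnableCreateUserAtLogin": True,    # provision the local account at login
            "NewUserAuthorizationMode": user_mode,
            "UserAuthorizationMode": user_mode,
            "AccountDisplayName": f"{ORG_NAME} account",   # placeholder
            "TokenToUserMapping": {              # ID-token claims -> local account
                "AccountName": "preferred_username",
                "FullName": "name",
            },
        },
    }


def wrap_profile(payload: dict) -> bytes:
    """Wrap one payload in a device-scoped .mobileconfig (XML plist)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",   # Platform SSO must arrive on the device channel
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Platform SSO (Entra ID)",
        "PayloadOrganization": ORG_NAME,
        "PayloadContent": [payload],
    })


def build_profile(auth_method: str) -> bytes:
    return wrap_profile(sso_extension_payload(auth_method))


def check_profile(data: bytes) -> list:
    """Return the problems that would stop this profile registering with Entra."""
    problems = []
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(payloads) != 1:
        return ["expected exactly one com.apple.extensiblesso payload"]
    p = payloads[0]
    if profile.get("PayloadScope") != "System":
        problems.append("profile must be device (System) scoped")
    if (p.get("ExtensionIdentifier"), p.get("TeamIdentifier")) != (ENTRA_EXTENSION_ID, MICROSOFT_TEAM_ID):
        problems.append("extension/team identifier is not Company Portal's")
    if p.get("Type") != "Redirect":
        problems.append("Type must be Redirect for Platform SSO")
    if "https://login.microsoftonline.com" not in p.get("URLs", []):
        problems.append("URLs must include https://login.microsoftonline.com")
    if p.get("ExtensionData", {}).get("platform_sso_version") != "2.0":
        problems.append("ExtensionData.platform_sso_version must be 2.0")
    if p.get("PlatformSSO", {}).get("AuthenticationMethod") not in AUTH_METHODS:
        problems.append("PlatformSSO.AuthenticationMethod missing or unknown")
    return problems


if __name__ == "__main__":
    import sys
    method = sys.argv[1] if len(sys.argv) > 1 else "UserSecureEnclaveKey"
    data = build_profile(method)
    assert not check_profile(data), check_profile(data)
    sys.stdout.buffer.write(data)   # redirect to PlatformSSO.mobileconfig
```

Run it with `UserSecureEnclaveKey` for the password-less mode or `Password` for password sync, upload the resulting file to the MDM as a device-level profile, and deploy Company Portal alongside it. Once a user has completed registration on the Mac, `app-sso platform -s` in Terminal reports the Platform SSO state, which is the quickest way to confirm that the profile and extension were picked up.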

Jamf Connect requires a per-Mac licence to operate, though it is a nominal fee, as well as a Mac app to be installed alongside configuration profiles for both its login window and Menu Bar app.


So, which is best?

As with most things in IT, the best solution for you will vary depending on your wider organisational goals, device enrolment workflows (especially for remote users), and IT security policies. Both are great solutions and will likely coexist for many years to come.

As an example, those wanting a truly hands-off setup experience for their remote users, with corporate branding and MFA at the login window, will likely find Jamf Connect a better fit. However, an organisation that is ready to embrace password-less SSO and has users who are familiar with Windows Hello for Business will probably want to look more closely at Platform SSO, at least initially.

If you’d like to discuss which solution would be best suited for your specific needs, our technical experts are on hand to help. Simply email info@krcs.co.uk for more information.


Written and published January, 2025