PatrickF11
May 24, 2024 (Steel Contributor)
Platform SSO for macOS not working
(Update after long troubleshooting: the two main issues until now were:
Leading and/or trailing spaces in the configs > They lead to visible and invisible errors!
When using in Europe you need to re...
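The leading/trailing-space problem from the post above can be caught before the profile is uploaded by linting the exported .mobileconfig. This is an added example, not from the thread or from Microsoft; the payload below is a constructed sample, and the two padded values in it are deliberate.

```python
import plistlib

# Constructed sample (not from the thread): a minimal Platform SSO payload in
# which two values carry stray whitespace, the kind of defect the post describes.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>ExtensionIdentifier</key>
      <string>com.microsoft.CompanyPortalMac.ssoextension </string>
      <key>URLs</key>
      <array>
        <string>https://login.microsoftonline.com</string>
        <string> https://login.microsoft.com</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

def find_padded_strings(node, path="$"):
    """Walk a parsed plist; return (key path, value) for every string with leading/trailing whitespace."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_padded_strings(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            hits.extend(find_padded_strings(value, f"{path}[{idx}]"))
    elif isinstance(node, str) and node != node.strip():
        hits.append((path, node))  # plistlib keeps the padding, so it would ship as-is
    return hits

def strip_padded(node):
    """Return a copy of the parsed plist with every string value stripped."""
    if isinstance(node, dict):
        return {k: strip_padded(v) for k, v in node.items()}
    if isinstance(node, list):
        return [strip_padded(v) for v in node]
    return node.strip() if isinstance(node, str) else node

def lint_mobileconfig(raw):
    """Parse a .mobileconfig (XML plist); return (padded values found, cleaned plist)."""
    parsed = plistlib.loads(raw)
    return find_padded_strings(parsed), strip_padded(parsed)
```

Run `lint_mobileconfig` over the exported profile and fix or re-export anything it reports; the cleaned dict can be written back with `plistlib.dumps`.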
Scott Breen
Microsoft
May 28, 2024
PatrickF11, what version of macOS is on the device?
Scott Breen
Microsoft
May 28, 2024
Also, do you have a separate profile that sends down SSO extension settings as well?
- PatrickF11, May 29, 2024 (Steel Contributor)
Hi Scott Breen, thanks for your feedback.
The test device I use is on macOS Sonoma, 14.5 (23F79).
At the first step I didn't have an SSO extension profile because I did not find any advice to do so in the MS docs mentioned in my initial post.
After opening up a support case, which unfortunately wasn't successful, I was advised to create an SSO extension template with these settings (applied to the device):
What MS Support told me is that Filevault needs to be in place.
- First issue: FileVault only becomes active when the user logs in and confirms it.
- After this the support told me to create a FileVault policy via settings catalog with the setting "Force Enable In Setup Assistant". Unfortunately this profile isn't that effective, because the only thing that happens is that the user gets the following prompt:
After confirming this message nothing happens (no active filevault) and the message re-appears once in a while.
- nhtkid, Aug 29, 2024 (Iron Contributor)
Hi PatrickF11, I have gone through all these, so what you experienced resonates a lot with me.
My overall experience with Platform SSO is seamless and works great (touch wood).
It's a night and day change.
First of all, my implementation is super simple and straightforward, following the MS Doc, just one simple configuration for Platform SSO, nothing else. Regarding the URLs, I only used the top three.
I don't agree with the MS support. You do not need another device feature profile to configure the SSO extension. That's the old stuff, which should now be superseded by Platform SSO.
Secondly, the FileVault setting is buggy!
I have it forced on via the deployment profile. Most of the time it works. You can see it pop up during the enrollment and tell you it needs to be switched on.
Occasionally, the enrollment completes in a flash and completely skips FileVault. Then I get a prompt at the home screen like you shared.
I am constantly wiping my device and I could see it happen from time to time.
This is no good for us because disk encryption is a requirement.
I also have a script to convert the onboarding account from Admin to Standard.
Now that script alone is so hit and miss that I could start a brand-new thread on it.
However, if it worked, and if FileVault got skipped, then there is no way to enable it after login, because it requires a privileged account.
Thirdly, your CP registration prompt. My experience has been great and it always prompts.
However, it does get buried in a dozen other system prompts, which is super annoying.
I was gonna ask you whether you know how to suppress them. The only notification that is really useful is the CP one.
When it doesn't prompt you to register the device though, if you manually open CP, does it work?
Cheers,
- mshrm, May 30, 2024 (Copper Contributor)
I had this on a fresh setup.
The fix was found after removing the US and CN based URLs from the PSSO configuration profile. After that, the profile successfully deployed without the error 10001.
I shared this on Reddit too and another user had the same issue and the same resolution after removing those URLs.
- PatrickF11, May 31, 2024 (Steel Contributor)
Okay, I've removed four URLs and afterwards all the config was successful, BUT:
Entra PSSO isn't showing the pop-up mentioned in the docs:
Do you have an idea? Let me outline all the configs I've made:
- Platform SSO policy
  - Deployed via settings catalog to All Users
- FileVault policy
  - Deployed via Endpoint protection policy instead of settings catalog, because settings catalog wasn't working as mentioned in my first posting.
- Company Portal app
  - Deployed via line-of-business app to all devices
So what am I missing?
- What's missing for Platform SSO?
- How did you manage to activate FileVault without user interaction? The endpoint protection policy asks the user for activation. In the settings catalog there is a policy which should enable FileVault before the user logs in; unfortunately this wasn't working for me (screenshot in 1st post).
Thanks in advance :--)
Patrick