Forum Discussion
PatrickF11
May 24, 2024 Steel Contributor
Platform SSO for macOS not working
(Update after long troubleshooting: the two main issues until now were:
Leading and/or trailing spaces in the configs > They lead to visible and invisible errors!
When using in europe you need to re...
Platformer
Aug 21, 2024 Copper Contributor
Hello, you can still try logging off and on from the Mac or restarting the Mac. At least that's how it works in my case. The popup is not triggered for me directly after registration either.
DanEngelsmeier
Aug 21, 2024 Brass Contributor
No luck. I still do not get the specific popup and it seems like it is registered fine. But there is only the one local account and the pw for that is not synced with Entra.
- cblascobon
Aug 22, 2024 Copper Contributor
First of all, thanks to PatrickF11 for the URL solution.
Hello,
After a week of dealing with the password synchronization issue on the local macOS account, I found the solution to have the Mac sync the ID password. I modified the following parameter:
Authentication Method: UserSecureEnclaveKey to Password
After changing the option on the Mac, I went to:
Users & Groups > Network Account Server and clicked on Repair to re-register the device. Then, the notification appeared, and I registered the password synchronization. Now, it is synchronized correctly.
- PatrickF11
Aug 26, 2024 Steel Contributor
Thanks for your posting. But we need to make clear that there is a huge difference between using "Password" and "Secure Enclave" mode.
In my understanding:
Password is only there to make the user experience a little better by keeping the Entra ID and the local password in sync, so the user only needs to remember one password.
Secure Enclave instead is a feature like Windows Hello for Business, i.e. some kind of passwordless authentication which is respected by Entra MFA.
Are there any other thoughts regarding my estimation?
- nhtkid
Aug 29, 2024 Iron Contributor
Hi PatrickF11 you are absolutely right.
Secure Enclave is considered the most secure, advanced passwordless authentication method that MS offered for Mac. However, I don't use it.
Secure Enclave will leave you with a local password. Unlike WHfB, where users who forget the PIN can still log in using the Entra password as a backup, if users forget the local password for Secure Enclave, they cannot log in. It's not as if an admin could help users reset it via Entra or ABM.
I don't know how you can work around this issue. If you do, please let me know because I would like to use Secure Enclave.
On the other hand, "Password" authentication syncs the local password with Entra so you don't have this issue. It's no better than the old school NoMAD setup, but the process is definitely simpler and seamless with MS.
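The parameter cblascobon changed above (the PlatformSSO AuthenticationMethod) lives in the Extensible SSO configuration profile, and PatrickF11's original post blames stray leading/trailing spaces in that profile for visible and invisible errors. The Python below is an added example, not the profile from the thread and not code from Microsoft or Apple: it builds the payload with either authentication method, lints every key and string value for stray whitespace, checks the method name against the documented values (case matters), and serialises the result with plistlib for a custom-profile upload. The payload keys, the Entra endpoint URLs, the ExtensionData keys and the PayloadIdentifier/UUID are my assumptions from Apple's and Microsoft's documentation as I remember it; verify them against your MDM before deploying.

```python
"""Build and lint a Platform SSO configuration payload.

Added example for this thread; it is not the MDM profile from the original
post and not code from Microsoft or Apple. Key names follow Apple's
Extensible SSO (com.apple.extensiblesso) payload and Microsoft's Enterprise
SSO plug-in as I understand them; treat them as assumptions and verify
against your MDM's documentation before deploying.
"""
import copy
import plistlib

# Values Apple documents for PlatformSSO.AuthenticationMethod (assumption).
ALLOWED_AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}


def build_platform_sso_payload(authentication_method="UserSecureEnclaveKey"):
    """Return the payload dict for the Microsoft Enterprise SSO extension."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.platform-sso",  # hypothetical identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder, generate a real one
        "PayloadVersion": 1,
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "TeamIdentifier": "UBF8T346G9",
        "Type": "Redirect",
        # Entra ID endpoints the redirect extension should handle (assumption:
        # the public-cloud list; sovereign clouds use different hosts).
        "URLs": [
            "https://login.microsoftonline.com",
            "https://login.microsoft.com",
            "https://sts.windows.net",
        ],
        "PlatformSSO": {
            # "UserSecureEnclaveKey": passwordless; the key never leaves the
            # Secure Enclave and the local password is NOT synced with Entra ID.
            # "Password": local password kept in sync with the Entra ID password.
            "AuthenticationMethod": authentication_method,
            "UseSharedDeviceKeys": True,
        },
        "ExtensionData": {  # Microsoft extension settings (assumption)
            "Enable_SSO_On_All_ManagedApps": 1,
            "AppPrefixAllowList": "com.microsoft.,com.apple.",
        },
    }


def with_password_sync(payload):
    """Copy of the payload switched to the Password method, as done in the thread."""
    new = copy.deepcopy(payload)
    new["PlatformSSO"]["AuthenticationMethod"] = "Password"
    return new


def lint_payload(payload):
    """Find the two kinds of mistakes the thread warns about.

    1. Leading/trailing whitespace in any key or string value (typically
       pasted from a document); the original post reports visible and
       invisible errors from these.
    2. An AuthenticationMethod outside the documented set (case matters).
    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key != key.strip():
                    findings.append(f"{path}: key {key!r} has stray whitespace")
                walk(value, f"{path}.{key.strip()}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and node != node.strip():
            findings.append(f"{path}: value {node!r} has stray whitespace")

    walk(payload, "payload")
    method = payload.get("PlatformSSO", {}).get("AuthenticationMethod")
    if method not in ALLOWED_AUTH_METHODS:
        findings.append(
            f"payload.PlatformSSO.AuthenticationMethod: {method!r} is not one of "
            f"{sorted(ALLOWED_AUTH_METHODS)}"
        )
    return findings


def to_plist(payload):
    """Serialise to the XML plist a custom-profile upload expects."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    clean = build_platform_sso_payload()
    print("findings for clean payload:", lint_payload(clean))
    # Constructed bad payload: a trailing space pasted into TeamIdentifier
    # and a lower-case method name with a leading space.
    bad = build_platform_sso_payload(" password")
    bad["TeamIdentifier"] = "UBF8T346G9 "
    for finding in lint_payload(bad):
        print("-", finding)
    print(to_plist(with_password_sync(clean)).decode())
```

Run the linter against the payload you are about to upload; a clean result only says the strings are well formed, not that the tenant-side settings are right. Switching an already deployed device from UserSecureEnclaveKey to Password still needs the re-registration step the thread describes (Network Account Server > Repair).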
- DanEngelsmeier
Aug 22, 2024 Brass Contributor
I just did the same thing yesterday based on this write-up I found: https://hmaslowski.com/home/f/platform-sso-for-macos-with-microsoft-intune-and-entra-id
I got the registration popup properly and, after authenticating, the message that my password was updated to match the Entra ID one.
One thing that is still unclear to me. I thought that doing this would create a new user profile utilizing the Entra ID rather than syncing the user profile created during automated enrollment.
The concern I have is that the created profile is an admin user rather than a standard user. Are my expectations wrong about a 2nd user account being created?
Is my only option to change the created user from admin to standard manually when I add an admin account for myself?
- Platformer
Aug 23, 2024 Copper Contributor
I also fell for this mistake at the beginning.
The first account created on the Mac is ALWAYS an admin account. If the user should only have standard rights, then you must “downgrade” them after the setup: https://github.com/microsoft/shell-intune-samples/blob/master/macOS/Config/Manage%20Accounts/downgradeUsertoStandard.sh
But don't forget you should still have an admin account on the computer for possible remote support.
I am currently trying to configure this myself.
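Platformer's advice above (demote the first-created account to standard, but keep an admin on the Mac for remote support) as an added Python example; it is not Microsoft's downgradeUsertoStandard.sh linked above and does not reproduce its logic. The script reads the admin group with dscl, refuses to demote the only usable admin so the support caveat cannot be violated by accident, removes the user with dseditgroup and re-reads the group to verify. dscl and dseditgroup are the standard macOS tools; treating `root` as a non-usable admin is my assumption (it is disabled by default). The parsing and planning functions run anywhere; the live commands need root on the Mac.

```python
"""Demote the first-created macOS account to standard without locking yourself out.

Added example for this thread; it is not Microsoft's downgradeUsertoStandard.sh.
It reads admin membership with dscl, refuses to remove the last usable admin
(the thread's caveat: keep an admin account for remote support), and then
removes the user from the admin group with dseditgroup.
"""
import subprocess
import sys

# Accounts that appear in the admin group but are not a usable support login.
# "root" is disabled by default on macOS; treat it as non-usable (assumption).
NON_USABLE_ADMINS = {"root"}


def parse_group_membership(dscl_output):
    """Parse the output of `dscl . -read /Groups/admin GroupMembership`.

    The command prints a single line such as
    "GroupMembership: root alice support"; return the member names.
    """
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def plan_demotion(user, admin_members, keep=NON_USABLE_ADMINS):
    """Decide what to do for `user` given the current admin group members.

    Returns (action, detail):
      ("skip", reason)   user is not an admin, nothing to do
      ("refuse", reason) user is the only usable admin; demoting would lock
                         out remote support
      ("demote", cmd)    safe to run `cmd`
    """
    if user not in admin_members:
        return "skip", f"{user} is not in the admin group"
    remaining = [m for m in admin_members if m != user and m not in keep]
    if not remaining:
        return "refuse", f"{user} is the only usable admin; create a support admin first"
    return "demote", ["dseditgroup", "-o", "edit", "-d", user, "-t", "user", "admin"]


def read_admin_members():
    """Live query on macOS (needs the DirectoryService tools, i.e. a real Mac)."""
    out = subprocess.run(
        ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_group_membership(out)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <username>", file=sys.stderr)
        return 2
    user = argv[1]
    action, detail = plan_demotion(user, read_admin_members())
    if action != "demote":
        print(f"{action}: {detail}", file=sys.stderr)
        return 1
    subprocess.run(detail, check=True)
    # Verify: the user must no longer appear in the admin group.
    if user in read_admin_members():
        print(f"{user} is still in the admin group", file=sys.stderr)
        return 1
    print(f"{user} is now a standard user")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `sudo python3 demote.py alice` after the support admin account exists; if that account is missing the script exits with "refuse" and changes nothing, which is the safe failure for an unattended Intune script.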