PatrickF11
Steel Contributor
May 24, 2024

Platform SSO for macOS not working

(Update after long troubleshooting: the two main issues so far were:
Leading and/or trailing spaces in the configs. They lead to visible and invisible errors!
When using it in Europe you need to remove some URLs (detailed information in this thread).)

Hi folks,

I'm working hard on implementing Platform SSO for macOS (MS Learn) (2nd link: Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO (preview)) for ourselves and our customers. I worked all the way through the Microsoft Learn articles as well as 3rd-party blog posts and Reddit discussions.

(MS Intune Support thinks they need to forward my ticket to Azure Support. I don't get it :D)

The issue is: the Platform SSO profile in Intune always shows error code 100001.

I tested this with different tenants, in every single one the issue is the same.

The config profile is configured as follows:

When looking at the device this is what should appear:

But this doesn't happen on the device.

What I'm also wondering about: when signing in on a Mac device enrolled via ADE, after I log in to the Company Portal app (current version), it states that it is unable to register the device.

Is this expected behaviour? I don't think so, is it?


It would be great to get in contact with others of you having the same issue or, even better, who have solved these issues. 🙂

Thank you very much in advance

Regards

Patrick


PS: Maybe some of the MS Learn article contributors have an idea? Mandi Ohlinger, arnabbiswas? 🙂
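The update at the top of this post names leading/trailing spaces in the config as the main cause of otherwise unexplained Platform SSO errors. The script below is an added example (not from this thread, and not Microsoft's or Apple's code) that scans a profile in plist/XML form, such as a custom .mobileconfig you upload or the text you copy values from, for `<string>` values padded with space, tab or the invisible non-breaking space (U+00A0) that copy-and-paste from web pages tends to introduce, and offers a cleaned copy. The sample profile it builds is constructed for the demo; its extension and team identifiers are placeholders and only the payload key names are Apple's.

```shell
#!/bin/sh
# Added example (not from the thread, nor Microsoft/Apple code): find <string>
# values in a plist/.mobileconfig that carry leading/trailing whitespace,
# including NBSP (U+00A0), and produce a cleaned copy. POSIX sh, runs on
# macOS and Linux.

NBSP="$(printf '\302\240')"   # the two UTF-8 bytes of U+00A0

# Write a CONSTRUCTED, deliberately broken sample profile; print its path.
# Identifiers are placeholders; only the key names are Apple's payload keys.
make_sample_profile() {
    f=$(mktemp) || return 1
    cat > "$f" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key>
  <string>com.example.sso.extension </string>
  <key>TeamIdentifier</key>
  <string>EXAMPLE123</string>
  <key>Type</key>
  <string>Redirect</string>
  <key>URLs</key>
  <array>
    <string>https://login.example.com</string>
    <string> https://sts.example.com</string>
  </array>
  <key>PlatformSSO</key>
  <dict>
    <key>AuthenticationMethod</key>
    <string>UserSecureEnclaveKey${NBSP}</string>
  </dict>
</dict>
</plist>
EOF
    echo "$f"
}

# Print "<key>: [<value>]" for each padded <string>; exit 1 if any were found.
# The key reported is the nearest preceding <key>, so strings inside an
# <array> are reported under the array's key.
find_padded_strings() {
    LC_ALL=C awk -v nbsp="$NBSP" '
        /<key>/ {
            k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); key = k
        }
        /<string>.*<\/string>/ {
            v = $0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v)
            if (v ~ /^[ \t]/ || v ~ /[ \t]$/ || index(v, nbsp) > 0) {
                printf "%s: [%s]\n", key, v
                n++
            }
        }
        END { if (n > 0) exit 1 }
    ' "$1"
}

# Remove space, tab and NBSP immediately inside <string>...</string>,
# writing the cleaned profile to stdout.
strip_padding() {
    ws="$(printf ' \t')${NBSP}"
    LC_ALL=C sed "s/<string>[$ws]*/<string>/; s/[$ws]*<\/string>/<\/string>/" "$1"
}

# Demo: scan a profile passed as $1, or the constructed sample if none given.
profile="${1:-$(make_sample_profile)}"
if ! find_padded_strings "$profile"; then
    echo "padded values found; clean with: strip_padding \"$profile\" > fixed.mobileconfig"
fi
```

Run it as `sh check_profile.sh profile.mobileconfig`; with no argument it scans the constructed sample and reports the padded `ExtensionIdentifier`, the padded URL under `URLs`, and the NBSP-tainted `AuthenticationMethod`. The awk and sed run in the C locale so the NBSP is handled as its raw byte pair regardless of the terminal's locale. This only checks the profile text; on the Mac itself, as far as I know, Apple's `app-sso platform -s` prints the current Platform SSO registration state, which is the other thing worth capturing before opening a ticket.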

  • PatrickF11 
    I am running into the exact same issue where the prompt to register the device for platform SSO is not appearing.
    Device is in Business Manager via the Apple Configurator app (iPhone). It has been synced to Intune just fine. All other Intune settings and apps apply fine.
    When I look at the user account I see Platform Single Sign-on showing the Entra ID account and method of Secure Enclave key as per the profile settings I've used.

    I see registration listed with a green dot and "registered". I see under Tokens "SSO tokens present".

    But nothing is happening to prompt logging in to the device using the Entra ID. My test user account can only log into the local user account (admin) created via the Automated Device Enrollment process.

    I've checked the profile for any leading/trailing spaces in the Extension Identifier field and all others.

    I don't know what else to do at this point.

    • Platformer
      Copper Contributor
      Hello, you can still try logging off and on from the Mac or restarting the Mac. At least that's how it works in my case. The popup is not triggered for me directly after registration either.
      • DanEngelsmeier
        Brass Contributor
        No luck. I still do not get the specific popup, and it seems like it is registered fine. But there is only the one local account, and the password for that is not synced with Entra.
  • RussMeyer-Epik
    Copper Contributor

    Having the same issue, granted it's not going through Apple Business Manager... Sonoma 14.5 and fully enrolled, just no alert to finish it... Company Portal now says "Register your Mac using your work or school account", but again no alert... One part not done per the doc is the Apple Business Manager.

    • Kishoth_P
      Copper Contributor

      RussMeyer-Epik & PatrickF11 
      Hi Patrick & Russ, 


      I saw your post regarding Platform SSO configuration and would like to understand in detail the current status and what exact error you are receiving.

      Were you able to completely test the end to end workflow of PSSO?
      Were you able to sync your Azure Entra ID password to the local account you created?

      Background: I have implemented PSSO successfully in my organisation with the desired results of the pop-ups leading to successful password sync and registration. Hence please share your current test case results so that I can share the guide or necessary screenshots to resolve your issue.
      Looking forward to hearing from you....

      Regards,

      Kishoth P 

      • PatrickF11
        Steel Contributor

        Hey Kishoth_P, Platformer, RussMeyer-Epik, thanks for participating in this topic. 🙂

        What should I outline?

        • My current configuration is already screenshotted in this thread, a few posts above yours. I've attached the current settings catalog screenshot again at the end of this post.
        • The Company Portal now gets installed correctly after removing all the app bundle IDs except the main one (screenshot attached below) (kudos to Platformer). Currently I don't think this has anything to do with the main issue that PSSO isn't working (but I really don't know why MS doesn't describe the issue with the bundle IDs in their docs?! Every administrator following the MS docs should have 100% errors in deploying the Company Portal app to macOS).
        • The "registration required" pop-up (screenshot attached below) isn't showing up to complete the process, so: no, PSSO isn't working at all. The only way of logging in to the system is with the one local account with the initially set local password.


        Platformer, I can recreate the error in your screenshot as you mentioned (Settings \ Passwords \ PW options \ ...). So we're both in the exact same situation. Great, isn't it? 😉


        What do you mean by minimum authorization in your Entra ID? What I can tell regarding my environment: we're using cloud-only identities, no on-premises Active Directory. I don't think you're having issues with the Entra ID accounts. Of course you should use Entra ID Connect, for example, to sync your on-prem identities to Azure AD / Entra ID so you're working with "one account" and not with two separate ones for on-prem auth and cloud auth.


        RussMeyer-Epik: Thanks for your information. But unlike yours, mine (and I think Platformer's too) is configured via Apple Business Manager (Automated Device Enrollment).

        But: where are the trailing spaces? Every time I copy & paste something I check twice whether there are trailing or leading spaces, so I can guarantee there are no wrong spaces in my configuration.

        Current settings catalog for platform sso:

        Company Portal Installation:

        Missing pop-up "registration required"


    • Scott Breen
      Microsoft
      Also, do you have a separate profile that sends down SSO extension settings as well?
      • PatrickF11
        Steel Contributor

        Hi Scott Breen, thanks for your feedback.

        The test device i use is on macOS Sonoma, 14.5 (23F79).

        At the first step I didn't have an SSO extension profile because I did not find any advice to do so in the MS docs mentioned in my initial post.

        After opening a support case, which unfortunately wasn't successful, I was advised to create an SSO extension template with these settings (applied to the device):


        What MS Support told me is that FileVault needs to be in place.

        - First issue: FileVault only becomes active when the user logs in and confirms it.

        - After this, the support told me to create a FileVault policy via settings catalog with the setting "Force Enable In Setup Assistant". Unfortunately this profile isn't that effective, because the only thing that happens is that the user gets the following prompt:

        After confirming this message nothing happens (no active FileVault) and the message reappears once in a while.
