MSEndpointMgr

Enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune

Microsoft Enterprise Single Sign-On, also known simply as SSO, has until now been limited on Apple iOS/macOS devices. But with the new (public preview) SSO plug-in for the Microsoft Authenticator app, this all changes.

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts across all applications that support Apple’s Enterprise Single Sign-On feature.

-Microsoft Docs

This blog post will explain how to enable the feature through Microsoft Endpoint Manager Intune, making it a breeze to implement.

UPDATE: This now works in preview for macOS; target macOS instead of iOS/iPadOS.

UPDATE: If your Teams client starts acting strange, try removing your device from being targeted by this policy and reboot the phone.

Overview

The Enterprise SSO plug-in bundled with the Microsoft Authenticator App has a few requirements that must be taken into account.

  • iOS 13 is the minimum OS version supported.
  • The latest version of the Microsoft Authenticator app with your identity configured.
  • The device must be enrolled with Intune or another MDM.
  • The SSO feature must be enabled through a device feature policy pushed from the organization that the device is enrolled in.

How to enable the SSO extension

To enable the plug-in using Microsoft Endpoint Manager Intune, you will go to the MEM portal at https://endpoint.microsoft.com.

If you want to target the macOS platform instead, replace the mentions of iOS with macOS throughout the steps below. Some of the data you need to enter is different for macOS; you can get the macOS-specific instructions from this link:
https://docs.microsoft.com/en-us/mem/intune/configuration/macos-device-features-settings#single-sign-on-app-extension

Step 1: Creating a device feature profile

  1. Click on “Devices.”
  2. Click on “iOS/iPadOS.”
[Screenshot: How to get to the iOS device list in Microsoft Endpoint Manager Intune]
  1. Click on “Configuration profiles.”
  2. Click on “+ Create profile.”
  3. Select the Platform “iOS/iPadOS.”
  4. Select the Profile “Device features.”
  5. Click on “Create.”
[Screenshot: How to create a new device features profile]
  1. Fill out the “Name” field.
    My example uses: Enable Microsoft Enterprise SSO plug-in for Apple iOS.
  2. (Optionally) fill out the “Description” field.
    My example uses: Configured according to Michael Mardahl’s blog post (and then the link to this article.)
  3. Click on “Next.”
[Screenshot: Configuring a device features profile with Microsoft Endpoint Manager Intune]

Step 2: Configuring the SSO App extension feature

Please pay special attention to the fact that we are configuring the “Single sign-on app extension” and not the “Single Sign On” feature.

  1. Expand the “Single sign-on app extension” accordion item.
  2. Select the SSO app extension type “Redirect.”
  3. Fill out the Extension ID field with “com.microsoft.azureauthenticator.ssoextension”.
  4. Add the Microsoft SSO URLs to the “URLs” list. You might only need some of the URLs if you are not in a special tenant, but you can add them all if you like.

    https://login.microsoftonline.com
    https://login.microsoft.com
    https://sts.windows.net
    https://login.partner.microsoftonline.cn
    https://login.chinacloudapi.cn
    https://login.microsoftonline.de
    https://login.microsoftonline.us
    https://login.usgovcloudapi.net
    https://login-us.microsoftonline.com

  5. Add the Key “browser_sso_interaction_enabled” as Type “Integer” with a value of “1” in the Additional configuration area to enable the plug-in for all webpages.
  6. Add the Key “disable_explicit_app_prompt” as Type “Integer” with a value of “1” in the Additional configuration area to suppress credential prompts in some apps.

    NB: Copy-pasting might not make the Intune validator happy, so if it complains, type a letter after the text you pasted and delete it again.
[Screenshot: Configuring the “Single sign-on app extension” for Apple device features in Microsoft Endpoint Manager Intune]
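To show what the Step 2 settings become on the device, here is an added Python example (not from the post, Microsoft or Apple) that builds the equivalent Apple Extensible SSO (com.apple.extensiblesso) payload from the post's values and sanity-checks them first. The stray-whitespace check encodes my assumption about why the Intune validator rejects pasted text; the PayloadIdentifier values are placeholders.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Settings from Step 2 of the post: extension ID, SSO URLs, additional configuration.
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
SSO_URLS = ["https://login.microsoftonline.com", "https://login.microsoft.com",
            "https://sts.windows.net", "https://login.microsoftonline.us"]
EXTENSION_DATA = {"browser_sso_interaction_enabled": 1, "disable_explicit_app_prompt": 1}

def check_settings(extension_id, urls, extension_data):
    """Return a list of problems; an empty list means the settings look sane.
    Assumption: the validator complaints after copy-pasting (see the NB above)
    are caused by stray whitespace or invisible characters, so flag those."""
    problems = []
    for text in [extension_id, *urls, *extension_data]:
        if text != text.strip() or not text.isascii() or not text.isprintable():
            problems.append(f"stray whitespace or non-ASCII character in {text!r}")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"URL must be https:// with a host: {url}")
    if len(set(urls)) != len(urls):
        problems.append("duplicate URLs in the list")
    for key, value in extension_data.items():
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key} must be an Integer, got {type(value).__name__}")
    return problems

def build_sso_profile(extension_id, urls, extension_data, sso_type="Redirect"):
    """Return the configuration profile (as a dict) an MDM would deliver.
    com.apple.extensiblesso and its keys are Apple's; identifiers are placeholders."""
    problems = check_settings(extension_id, urls, extension_data)
    if problems:
        raise ValueError("; ".join(problems))
    sso_payload = {"PayloadType": "com.apple.extensiblesso", "PayloadVersion": 1,
                   "PayloadIdentifier": "com.example.sso.extension",  # placeholder
                   "PayloadUUID": str(uuid.uuid4()),
                   "ExtensionIdentifier": extension_id,
                   "Type": sso_type,  # "Redirect", as selected in the post
                   "URLs": list(urls),
                   "ExtensionData": dict(extension_data)}
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.sso",  # placeholder
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "Enable Microsoft Enterprise SSO plug-in for Apple iOS",
            "PayloadContent": [sso_payload]}

def to_plist(profile):
    """Serialize to the XML plist form used by .mobileconfig files (bytes)."""
    return plistlib.dumps(profile)
```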

Step 3: Assign the policy to your pilot users group

  1. Select whom to assign this profile to. If you select anything other than “Selected groups”, you can skip to the next section.
  2. Click on “+ Select groups to include”.
  3. Search for and select the groups you wish to assign the profile to.
  4. Verify that the groups you selected are in the “Selected items” area.
  5. Click on “Select”.
  6. Click on “Next”.
[Screenshot: Assigning a profile to selected groups using MEM Intune]
  1. Review the Summary section to confirm that every detail you just entered is there.
  2. Click on “Create.”
[Screenshot: Reviewing profile settings in Microsoft Endpoint Manager Intune]

You have completed all the required steps to enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune!

Now, you will either have to wait for your device to do a policy refresh or use one of the many options to force a sync, which is not the subject of this blog post.

Testing the Single Sign-On experience

Testing this should be simple, right? So in this example, you will use the good old Office 365 portal, http://portal.office.com, in Safari for iOS to test whether you got Single Sign-On to work.

But before you rush off to test, please make sure that you don’t have any cached credentials, because that would just defeat the purpose! This guide from Apple support should get you sorted out.

So, once you have confirmed that your device has received the configuration profile and the cache in Safari is cleared, you should see the following type of SSO login prompt when accessing the Office 365 Portal.

[Screenshot: SSO login experience using the Microsoft Enterprise plug-in for the Authenticator app on Apple iOS]

I just love the “Connected to Windows” text.

Read more

For in-depth reading on the subject of the Microsoft Enterprise SSO plug-in for Apple iOS and macOS, I suggest the following Docs:

As always, I am open to questions and suggestions through the comments, but more actively on LinkedIn or Twitter (@michael_mardahl).

Thank you for reading!


Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic infrastructure to cloud consumption, with a strong focus on security. He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects. When not at work, Michael enjoys spending time with family and friends and blogs passionately about Microsoft cloud technology whenever he has time to spare.

14 comments

  • What should be the domain for the plist file for configuring “browser_sso_interaction_enabled” & “disable_explicit_app_prompt” keys while configuring Azure SSO App extension for macOS?

    • Good question, but I have not had time to dive into this extensively. Maybe someone will see your comment and answer?

  • I’ve done this and it works flawlessly with all the Microsoft products, Teams, Edge and so on. But how do I get this to work with the Google apps? Since our school uses both MS and Google, it’s not auto logging in to Google even though the usernames and passwords are the same because of Google sync.

    • I doubt it will work, because Google will not accept the tokens from Azure AD unless there is some sort of federation?
      As I am not a user of Google’s services, I can’t test this.

    • I don’t think it is a question of which is best.
      The documentation on using this for iOS instructs us to use the redirect type.
      On the macOS instructions, they are using the Azure AD type. So I am just guessing that it depends on the environment it’s being used in.
      If you experiment with this, please let us know the outcome in the comments so that everyone can learn from your findings 🙂

  • It’s absurd that any of the steps past #2 are necessary at all. This data should auto-populate after steps 1 & 2. Why does Microsoft insist on making everything so difficult?

    • Hi James,
      I agree that there should be a default for setting this. And an advanced mode.
      But let’s not get ahead of ourselves – the fact is that this can be used for many things, not just the obvious login to M365 stuff.

    • Yes and no on that. Microsoft should have a dropdown to populate the data in Intune for Azure SSO, they know that and could easily manage it, but Azure is not the only SSO provider out there and we need to be able to populate this with whatever SSO we are using.

  • Michael good article. If you clear out cached logins where does it pull the initial login to pass through SSO? Is it from Outlook for iOS or the Intune app login?

    • Hi Jeremy,
      The credentials are pulled as a token from the Authenticator App, so the initial login, as you say, is done when you configure the authenticator or enroll the device into MDM.
      Modern authentication SSO is all about tokens, so no regular username/password combination is ever sent using this method.
