How Apple's Platform Single Sign-On is transforming Mac authentication in the enterprise
Overview
Authentication fatigue is real. IT departments spend countless hours managing password resets, while employees waste time juggling multiple credentials across corporate applications. Meanwhile, security teams battle an endless stream of phishing attempts targeting those same passwords.
Apple's Platform Single Sign-On (PSSO) for macOS represents a fundamental shift away from this broken model. Rather than treating authentication as an application-level concern, Platform SSO extends single sign-on capabilities directly into the operating system, creating a unified authentication experience that spans from the login window to every corporate application.
Throughout this document and subsequent pages there are several terms to familiarize yourself with:
- IdP: Identity Provider such as Microsoft Entra ID, Okta Identity Engine, Google, Ping, etc.
- PSSO / Platform SSO / Platform Single Sign-On: all interchangeable
- Secure Enclave / Secure Enclave-backed keys / SEP (Secure Enclave Processor): all interchangeable
- Simplified Setup: a new method to require Platform SSO registration during the Setup Assistant during Automated Device Enrollment, which can also be used to create the first local user account on macOS
Simplified Setup PSSO Registration during the Setup Assistant
Single Sign-On for Mac Platform SSO registration being presented on an existing computer
Relationship to SSOe
Platform SSO builds on Apple's underlying SSOe (Single Sign-On extensions) framework, which enables integration between cloud identity providers and macOS. While third-party SSOe applications can be deployed through MDM solutions, Platform SSO provides a broader, more integrated framework leveraging these same underlying technologies.
What Platform SSO Actually Does
Platform SSO transforms the managed device itself into the authenticator. The authorized organizational user accesses the device using their password or biometric credentials. Once unlocked, PSSO provides secure tokens to the IdP, enabling seamless authentication across both web and native applications managed by the identity provider. When combined with Jamf Pro's capabilities in macOS 26 to obtain device attestation directly from Apple, you could achieve a security trifecta: only a verified, trusted user operating a managed and authenticated device can access secure cloud resources.
Platform SSO goes deeper, integrating authentication at the macOS system level.
When properly deployed, users authenticate once during login and automatically gain access to:
- Corporate web applications such as Salesforce, DropBox Business, or Office 365
- macOS applications such as Outlook, Slack, and Microsoft Teams
- Cloud services and resources
The authentication happens transparently in the background, providing a seamless login experience to applications and services.
The Technical Foundation
Platform SSO integrates cloud identity into macOS. Identity providers can integrate at several points of authentication in the OS, including local account password synchronization, requiring password validation against the cloud at system startup and wake events, or integrating Touch ID authentication to establish best practice.
Credential Synchronization: Local Mac account credentials automatically sync with your organization's identity provider, eliminating password drift between local and cloud accounts.
Directory Services Replacement: Platform SSO can serve as a modern alternative to traditional Active Directory binding, which has become increasingly complex and unreliable in modern network environments, especially in shared computer environments.
Identity Provider Support and Authentication Methods
Both Microsoft Entra ID and Okta support Platform SSO features as identity providers; however, specific features and implementation details can differ between their solutions.
For example, the Platform SSO framework supports three authentication modes: Password, Secure Enclave-backed Key, or Smart Card. Both Microsoft Entra ID and Okta Identity Engine support password sync mode, and Microsoft’s extension can also be configured to work in one of the other modes instead. Both Microsoft Entra ID and Okta Identity Engine also support phishing-resistant authentication.
Organizations planning Platform SSO deployments must carefully verify that their chosen authentication method aligns with their identity provider's current capabilities. The authentication landscape is evolving rapidly, and what's supported today may expand significantly over the coming months.
Platform SSO supports multiple authentication approaches, each suited to different organizational needs and security requirements:
Authentication Methods

| Feature | Description & Benefits | Microsoft Entra ID Support | Okta Identity Engine Support |
|---|---|---|---|
| Secure Enclave Key Authentication | Leverages Apple's Secure Enclave to store hardware-bound, non-exportable authentication keys. Users authenticate using cryptographic keys that never leave the Mac's secure hardware, eliminating passwords entirely while providing enhanced protection against phishing attacks. Benefits: Important Note: Not truly "passwordless" like Windows Hello for Business. Consumer accounts will still require passwords for initial login and FileVault authentication. | | |
| Smart Card Integration | Perfect for organizations with existing smart card infrastructure (e.g., YubiKey). Platform SSO associates smart card identities with local macOS accounts while registering public keys with cloud identity providers. | | |
| Tap to Login | Introduced in macOS 26. Tap to Login extends Apple Wallet's contactless capabilities to Mac authentication. Users tap their iPhone or Apple Watch on an NFC reader to authenticate against a Mac configured for Authenticated Guest Mode, initiating secure single sign-on. All data will be deleted upon logout. Useful for shared computers where data retention is not required after a secure access scenario, such as shared workspaces, hot-desking environments, conference rooms, and quick secure access scenarios. | | |
| Simplified Setup | Introduced in macOS 26, Simplified Setup is a new method to require Platform SSO registration during the Setup Assistant during Automated Device Enrollment, which can also be used to create the first local user account on macOS. Users must register with their identity provider before proceeding with device setup, which can create the first user account based off of the user's identity. Useful for: | | |
| Authenticated Guest Mode | Introduced in macOS 26. Authenticated Guest Mode allows temporary users to be created after IdP authentication. These accounts enable simplified SSO extension authentication when logged in and automatically self-delete after logout, perfect for shared Mac environments. Workflow: | | |
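As an added example (not from the original post, Apple, or any IdP vendor), the Extensible Single Sign-On configuration profile that an MDM such as Jamf Pro delivers, with the PlatformSSO dictionary selecting the Secure Enclave-backed key mode described above; the key names are Apple's documented payload keys, while the extension identifier, team identifier, URL and UUID values are placeholders to be replaced with the values your identity provider publishes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.psso.profile</string> <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000001</string> <!-- placeholder: generate a real UUID -->
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadScope</key>
  <string>System</string> <!-- Platform SSO is a device-level (system scope) payload -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key>
      <string>com.example.psso.profile.sso</string> <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000002</string> <!-- placeholder -->
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ExtensionIdentifier</key>
      <string>com.example.sso.extension</string> <!-- placeholder: the IdP's SSO extension bundle ID -->
      <key>TeamIdentifier</key>
      <string>XXXXXXXXXX</string> <!-- placeholder: the IdP vendor's Apple Developer team ID -->
      <key>Type</key>
      <string>Redirect</string>
      <key>URLs</key>
      <array>
        <string>https://login.example.com/</string> <!-- placeholder: IdP endpoints the extension handles -->
      </array>
      <key>PlatformSSO</key>
      <dict>
        <!-- "Password" keeps the local password in sync with the IdP; "UserSecureEnclaveKey" binds
             authentication to a non-exportable key in the Secure Enclave (phishing-resistant), so it is
             the stronger choice wherever the chosen IdP supports it. "SmartCard" is the third option. -->
        <key>AuthenticationMethod</key>
        <string>UserSecureEnclaveKey</string>
        <key>UseSharedDeviceKeys</key>
        <true/>
        <!-- Allow IdP-authenticated users to be created at the login window, as standard (non-admin) users -->
        <key>EnableCreateUserAtLogin</key>
        <true/>
        <key>NewUserAuthorizationMode</key>
        <string>Standard</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Switching the AuthenticationMethod value to Password is the only change needed for the password sync mode; verify the chosen mode against the IdP's current support before scoping the profile to production devices.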
Demo video of Platform Single Sign-On with Password Sync | Okta
Demo Video of Platform Single Sign-On Secure Enclave Registration with Microsoft Entra ID
Technical Requirements ⚙️
Platform SSO requires modern hardware and software:
- Hardware: Mac with Apple silicon chip
- Software: macOS 13 or later (macOS 26 required for newest features)
- Management: MDM solution supporting Extensible Single Sign-On payloads, such as Jamf Pro, part of the Jamf for Mac offering
- Identity: Compatible identity provider with Platform SSO protocol support
For Tap to Login specifically, organizations also need supported NFC readers for contactless authentication.
Managing Platform SSO After Deployment 
Once deployed, Platform SSO provides several management and troubleshooting capabilities through System Settings:
User Registration Status: Navigate to System Settings > Users & Groups > [user name] to view registration status and initiate repairs if authentication issues arise.
Device Registration Status: Check device-level registration at Users & Groups > Network account server, which also provides repair options for device registration problems.
When to Use Repair Options
- Authentication failures or token expiration errors
- SSO not working with specific applications
- After network changes or extended offline periods
Strategic Considerations
The Jamf Connect Question
If you’ve been reading this far, you may have asked yourself a number of questions:
Does implementing Platform SSO with a compatible IdP app replace the need for Jamf Connect at your organization?
If it does, what might a migration of an already-deployed user from Jamf Connect to Platform SSO look like?
Are there scenarios where both solutions can live together, providing user experience benefits to your users and your IT workflows?
While there is now a greater overlap in functionality once all devices are on macOS 26, there are still a number of differences to consider between solutions, which will inform your organization’s identity strategy for your Macs. Some of these differences are highlighted on this blog post.
It’s also important to level-set as to what exactly we’re referring to as Jamf Connect. When compared with Platform SSO, we’re referring to the user creation and password sync functions of the macOS Jamf Connect apps specifically, not the zero-trust network access functionality that Jamf Connect or Jamf for Mac licensing also offer with Jamf Security Cloud.
The original app was designed as a Login Window plugin for IdP auth and user provisioning, combined with a menu bar application that handled password synchronization and other functions.
Over time, additional features were added to it, including Offline MFA and user Privilege Elevation workflows, which are now integrated into the Self Service+ app for macOS.
The Jamf Connect application functionality on macOS will continue to work as it does today, natively supporting a number of identity providers, macOS versions, and ongoing workflows like Privilege Elevation after computers are deployed.
Jamf Connect and Platform SSO applications both have a number of optional and customizable settings, some of which could overlap and cause conflicts. When testing options for transitioning or blending functionality between Jamf Connect and Platform SSO applications, keep these things in mind:
User Creation:
Automated Device Enrollment workflows that wish to use the identity of the user to provision the first local user account should be designed to use either the Jamf Connect Login application, or a compatible Platform SSO application. Note that at this time, one cannot expect new hardware to be shipping with macOS 26 yet.
Ongoing after enrollment, if additional new user creations are desired based on a user’s cloud identity, it’s again important to choose one account provisioning method or the other.
Password Sync:
If it’s desired to sync a local user’s password with their cloud identity, choose either existing Jamf Connect (or newer Self Service+ app) or your Platform SSO application to manage password sync. Having both solutions attempt to sync the same user’s password through different methods may lead to conflicts and errors.
Organizations may consider combining Jamf Connect password sync functionality with Platform SSO configurations using the Secure Enclave-backed key mode with Microsoft Entra ID. In this mode, Jamf Connect would manage the local user’s password and other functionality, while Microsoft’s PSSO extension would handle cloud identity authentication using a hardware-backed key in the computer’s Secure Enclave.
As new computers start to ship with macOS 26 and existing identity provider apps are updated to support this new user provisioning workflow with Platform SSO, we’re excited to test alongside you and your organizations to find the right blends of functionality to use to achieve the specific outcomes you need.
Keep this page bookmarked for more information and specific workflows to consider as we go on this identity journey together!
Implementation Strategy
Organizations should approach Platform SSO implementation thoughtfully:
Start Small: Begin with specific use cases like conference rooms or shared workstations rather than company-wide rollouts. This allows IT teams to understand the technology and refine policies before broader deployment.
Verify Compatibility: Ensure your chosen authentication method works with your current identity provider. The rapid evolution of this space means capabilities are expanding quickly.
Plan for Hardware: Newer authentication methods like Tap to Login require additional hardware (NFC readers) and careful physical deployment planning.
Prepare for Change Management: While the user experience is intuitive, employees need communication and potentially training about new authentication workflows.
The Future of Mac Authentication
Platform SSO represents Apple's vision for enterprise Mac authentication: deeply integrated, security-focused, and user-friendly. The introduction of Simplified Setup and contactless authentication through Tap to Login signals Apple's commitment to bringing consumer-grade convenience to enterprise environments without sacrificing security.
As identity providers expand their Platform SSO support and organizations gain experience with deployment, these authentication methods will likely become standard practice rather than cutting-edge implementations.
For IT professionals, the question isn't whether to adopt modern authentication—it's when and how to begin the transition. Platform SSO provides a clear path forward that leverages existing infrastructure while delivering immediate benefits to both users and administrators.
The era of password-driven Mac authentication is ending. Platform SSO shows us what comes next: seamless, secure, and surprisingly simple.
JNUC Sessions to keep an eye out for!
The Jamf Nation User Conference is not a sales expo or a tradeshow. Instead, it’s a welcoming, three-day rally of community and Jamf-led presentations, deep-dive education sessions, and expert product insights to discover new and better ways to manage Apple devices with the purpose of empowering people, transforming business processes and making IT life easier.
Don't miss these standout PSSO sessions at JNUC!
Device Compliance and Platform Single Sign-On with Microsoft and Jamf
In the Trenches with Platform SSO, Okta, Connect, and Network Relay at Jamf
Tap to Login: Platform SSO Meets Employee Badge in Apple Wallet for macOS Authenticated Guest Mode
Resources
Apple Platform Security - Secure Enclave
Configuring Simplified Setup for Platform SSO
Deploying macOS Platform SSO for Okta with Jamf Pro
Deploying macOS platform SSO for Microsoft Entra ID with Jamf Pro
Platform Single Sign on for macOS
---
Considering Platform SSO for your organization? Start by evaluating your current identity provider compatibility and determining which authentication methods align with your security requirements and user experience goals.