About Okta Platform Single Sign-on for macOS
Introduced in macOS 26 Simplified Setup is a new method to require Platform SSO registration during the Setup Assistant during Automated Device Enrollment, which can also be used to create the first local user account on macOS.
Users must register with their identity provider before proceeding with device setup, which can create the first user account based off of the user’s identity.
Useful for:
1:1 computer deployments
Enabling user-level MDM management for the identity-based user from Setup Assistant
Immediate… zero-touch provisioning and compliance enforcement Placeholder
Instructions
Create and configure the platform single sign-on app in Okta
Sign in to your Okta org as a super admin.
Go to Applications > Applications > Catalog and Browse App Catalog. Search for
Platform Single Sign-on for macOS.Click Add Integration.
Note: this application will only function with ODA licensing.
Open Platform Single Sign-on from your Applications list.
On the General tab, you can edit the app label or use the default label.
On the Sign on tab, make note of the Client ID. You need this when creating the managed app configuration in your MDM.
To use Desktop Password Sync, users must have the Platform Single Sign-on app assigned. Assign the app to individual users or groups on the Assignments tab.
In Directory > Profile Editor in the Okta tenant, find the Platform Single Sign-On for macOS user.
Add two new attributes:
macOSAccountFullNamemacOSAccountUsername
There should now be two custom attributes for the PSSO app to use.
Back in the Platform Single Sign-On for macOS application in Okta, go to the Authentication tab and click the Configure profile mapping link.
Select the Okta User to Platform Single Sign-On for macOS tab (the second one generally, the text gets cut off). You’ll see the new custom attributes there.
Configure the settings for whatever works best for your organization.
Use the Preview button at the bottom to confirm that the attributes pull in as expected.
Save Mappings.
Creating the PSSO profile for deployment in Jamf Pro
Navigate to Computers > Configuration Profiles and create a new profile for deployment.
Set a Name, Description, and Category. Deploy at the Computer Level, and set distribution to Install automatically.
Find the Single Sign-On Extensions payload and click Add.
Payload type: SSO
Extension Identifier:
com.okta.mobile.auth-service-extensionTeam Identifier:
B7F62B65BNSign-on Type:
RedirectURLs (more than one is specified here, use the Add button to generate a second field for entry)
Continue configuration in the Setting area of the Single Sign-On Extensions payload (these values may change on organizational preference, here are the settings we used for testing):
https://<org-tenant>.okta.com/device-access/api/v1/noncehttps://<org-tenant>.okta.com/oauth2/v1/token
Continue configuration in the Setting area of the Single Sign-On Extensions payload (these values may change on organizational preference):
Use Platform SSO:
IncludeAuthentication method:
Password
FileVault Policy (Apple silicon):
Attempt&IncludeUser login policy:
Attempt&IncludeScreensaver unlock policy:
Attempt&IncludeEnable registration during setup:
Enable&IncludeCreate first user during Setup:
Enable&IncludeNew user creation authentication method:
Password&Include
Use Shared Device Keys:
Enable&IncludeAccount Display Name:
Include(Jamf IT)
Now add three payloads under Application & Custom Settings > Upload.
com.okta.mobile.auth-service-extensionProperty list example:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.EnrollmentOptions</key> <string>SilentEnrollmentEnabled</string> <key>OktaVerify.OrgUrl</key> <string>https://org-tenant-url.okta.com</string> <key>OktaVerify.UserPrincipalName</key> <string>$USERNAME</string> <key>OktaVerify.PasswordSyncClientID</key> <string>replace-with-PSSO-app-client-id</string> <key>PlatformSSO.ProtocolVersion</key> <string>2.0</string> </dict> </plist>
com.okta.mobileProperty List Example:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.EnrollmentOptions</key> <string>SilentEnrollmentEnabled</string> <key>OktaVerify.OrgUrl</key> <string>https://org-tenant-url.okta.com</string> <key>OktaVerify.UserPrincipalName</key> <string>$USERNAME</string> </dict> </plist>
com.apple.preference.securityProperty List Example
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>dontAllowPasswordResetUI</key> <true/> </dict> </plist>
Add Okta as a CA with dynamic SCEP challenge for macOS
Back in the Okta tenant’s admin portal navigate to Security > Device Integrations. Select Device Access, then Add SCEP Configuration.
Select Dynamic SCEP URL, then Generate.
Note the SCEP URL, Challenge URL, Username, and Password. Those will be needed to make the deployable configuration in Jamf Pro in the next section.
Click Save.
Create the SCEP configuration in Jamf Pro
In a Jamf Pro tenant, navigate to Computers > Configuration Profiles.
Create a new Configuration Profile. Set a Name (required), Description (optional), Category (optional), deploy at the Computer Level, and set the Distribution Method to
Install automatically.Go to the SCEP payload and Configure.
Configure as follows:
URL: the SCEP URL provided while configuring the dynamic SCEP challenge in the Okta tenant
Name: enter a name
Redistribute Profile: set a value, for this example we’ll use 13 days
Subject: add a subject name template
Note: the Okta guide notes that this field has a character limit and has suggestions for shorter names to ensure the profile can be effectively redistributed without causing issues
adding
$PROFILE_IDENTIFIERto the end of the Subject Name will prevent Jamf Pro from automatically appending it and addresses the redistribution challenges some customers faceThe Subject Name that has worked thus far in testing:
CN=$SERIALNUMBER ODA $PROFILE_IDENTIFIER
Challenge Type:
Dynamic-Microsoft CAURL to SCEP Admin: Enter the Challenge URL provided while configuring the dynamic SCEP challenge in the Okta tenant
Username: Enter the Username provided while configuring the dynamic SCEP challenge in the Okta tenant
Password: Enter the password provided while configuring the dynamic SCEP challenge in the Okta tenant
Verify Password: re-enter the password
Retries & Retry Delay can be left at
0.Certificate Expiration Notification Threshold can stay at
14days.Key size:
2048Check Use as digital signature.
Uncheck Allow export from keychain.
Check Allow all apps access.
Click Save (at this stage leave the scope empty; scope will be added later depending on deployment and PreStage configuration).
Create a PreStage Enrollment for PSSO in Jamf Pro
In Jamf Pro navigate to Computers > PreStage Enrollments.
Create a new PreStage Enrollment (in my test scenario I am cloning a previous deployment). Set organizationally-preferred options in the General section.
Under Enrollment Requirements organizational requirements may vary. For PSSO during Setup Assistant check the
Enable Simplified Setup for Platform Single Sign-on (macOS 26 or later)option to enable.Change the
Minimum required macOS versionto 26.0.The application bundle ID for Okta Verify on macOS is
com.okta.mobile. Admins can get a distributable pkg format version of Okta Verify from their Okta tenant.
Under Configuration Profiles ensure that the PSSO profile and SCEP profile are included.
In Enrollment Packages include a build of Okta Verify with Setup Manager support (at the time of this writing there is not a generally available version of Verify with this support).
Adjust any other settings as desired for the PreStage and click Save. (There may not be a scope at this point; computers can be added to scope later by removing them from another PreStage for testing purposes).
Making a limited testing scope
This is one approach for scoping for limited testing.
Navigate to Computers > Smart Groups and create a new smart group.
Give it a Name (required) and Description (optional).
For Criteria, select Show Advanced Criteria and select
Enrollment Method: PreStage enrollment. Add the name of the test PreStage to the Value field and click Save.Add the new smart group as the scope for the PSSO configuration and SCEP configuration created
Add test computers to the scope of the PreStage created above.
Add the new smart group to the exclusion scope for any settings that may conflict with the testing PSSO configuration (e.g., Jamf Connect Login, previous Okta SCEP deployments).
Add the new smart group to the exclusion scope for any policy deployments that may conflict with the testing PSSO configuration (e.g., Okta Verify deployments, Jamf Connect component installations).
Troubleshooting + Tips
Okta Verify logs in Setup Assistant
Open Terminal by pressing command+option+control+t
Logs located at ~/Library/Group Containers/B7F62B65BN.group.okta.macverify.shared/Logs
Check on-device status of PSSO
Run app-sso platform -s in Terminal.app
Advanced troubleshooting
Turn on debug mode:
sudo log config --mode "level:debug,persist:debug" --subsystem "com.apple.AppSSO"Reproduce the issue if possible.
Capture a sysdiagnose:
sudo sysdiagnoseTurn off debug when finished:
sudo log config --reset --subsystem "com.apple.AppSSO"
Unable to Sign-In
The single sign-on extension could not validate the domain. Contact your administrator to help get single sign-on set up.From our testing, this message means the Associated Domains payload isn’t being recognized. In the PSSO configuration profile remove the entire Associated Domains payload and re-add it, then redeploy the profile. Click Try Again and the process should continue on as expected.
Demo Video
Resources
Configure Desktop Password Sync for macOS 26