Hi Apple Team & Community, The new Introduction of Platform SSO during ADE Enrollment is Great And we tried implementing this. As a Rule mentioned in the Documentation Initially MDM Server should send 403 response with Response Body adhering to ErrorCodePlatformSSORequired when HTTP Header for MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true There are contradictory claims mentioned in Document, In Process Platform SSO Required Response it is mentioned that MDM Server should send body as JSON Object for ErrorCodePlatformSSORequired Example below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/json Content-Length: 558 { "code": "com.apple.psso.required", "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM", "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM", "details": { "Package": { "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest" }, "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile", "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth" } } But in the same Document a Sample HTTP Response was Provided but seems to be XML format as below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/xml Content-Length: 601 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Code</key> <string>com.apple.psso.required</string> <key>Details</key> <dict> <key>ProfileURL</key> <string>https://mdmserver.example.com/psso.mobileconfig</string> <key>Package</key> <dict> <key>ManifestURL</key> <string>https://mdmserver.example.com/psso-app.plist</string> </dict> <key>AuthURL</key> <string>https://idp.example.com/authenticate</string> </dict> </dict> </plist> From Github I assume that both Response Types are welcomed hence I tried with Both Followed in JSON Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPJSON Followed in XML Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPXML In both Response Modes OS is not proceeding after and a error Stating Enrollment with Management Server Failed , Forbidden request (403) appears Can someone kindly guide on where I missed, or is this any OS Bug in Tahoe 26?

We have couple of devices that are registered into Platform SSO, and we have been noticing an issue when the user tried to login. After the users enters the password and hit the return key nothing happens, they need to hit the return key probably 10-15 times in order for the login to happen, the password entered is the correct one and it's just that hitting the return key doesn't invoke the login. On checking the log of the device one unusual thing that we noticed as compared to a different device where the login is working in a single go is that the AppSSOAgent or AppSSODaemon process were not getting invoked

Wondering if others have encountered this issue with PSSO 2.0. We are observing that if, after registration, a user changes their IDP password, they may be prompted for their previous password in order to unlock the Keychain. We are trying to determine if this is expected behavior or if there is a way to avoid it. To reproduce this, the flow would be as follows: user registers with PSSO user logs out and logs back in with their IDP password user is authenticated (and not prompted for previous password) user logs out user changes their IDP password on another machine user logs in and is prompted to use their previous password to unlock the Keychain. Failure to provide the previous password nukes the Keychain, which is not an outcome we want. Any insight anyone has on this issue would be most welcome. Thanks

Hi all. So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Some knows why its happening? Thank you for any help or suggestion.

Hi, I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO. As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again. I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration. Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)

I'm attempting to make an alternative to the MS Company Portal app. We are looking to implement PSSO in our organization and are not satisfied with the features that Company Portal offers. One example of this is, we don't like what the password reset workflow looks like. We'd like to make it so the reset process is more fluid. Additionally, we want to report the status of the service more readily (not requiring clicking so far into System Settings to locate it). These are just a couple examples of what we're not thrilled with... In light of this, my desire is to create another app, that includes a PSSO extension that is able to connect to Entra. I have scoured the internet, developer portal, and macadmin forum... and have failed to find a comprehensive guide for helping me through this. Currently Using: IDP: Entra Language: SwiftUI Frameworks: MSAL and KeychainAccess Any help would be great... a comprehensive guide would be AMAZING!

I'm currently exploring Apple's Auth-Plugin extension and have modified the authdb to log in to a Mac device without using the default login password. Specifically,I am replacing builtin:authenticate,privileged with a custom privileged mechanism that authenticates the user and grants desktop access based on our custom logic. However, this approach does not unlock the user's Keychain. Since I'm bypassing the login password, the Keychain remains locked. I'm considering whether a certificate-based persistent token could be used to unlock the Keychain. Is this approach recommended, or is there a more suitable solution, such as using CryptoTokenKit or another available API?

Hi, im trying to make a Platform single sign-on app for my Idp, and I have tried online to try and find some code/ a demo app for this I cannot find anything for the Mac OS Side, there is someone who's created the server, but no info for that on what the Mac extension should do. I have tired implementing the 2 function to required, but to no luck. After reading what I think is all of the document I'm still really confused as to how this is all supposed to work. I have got to the stage where it create the popup that says you need to authenticated with your idp but cannot work out the bugs for the rest of it. manly im getting an issue in the console that says no login config for (username) and im not sure what im doing wrong.

Hey guys, I have recently started with developing an extension to support PSSO, I am at a very initial stage and trying out device registration. I am trying to fetch the registration token in my MDM profile but when running in debug mode I don't see the token , and also when I see the console log I see errors like error 14:44:00.465847+0530 AppSSODaemon Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration data to load" UserInfo={NSLocalizedDescription=no device configuration data to load} error 14:44:00.466434+0530 AppSSOAgent Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration" UserInfo={NSLocalizedDescription=no device configuration}, user default 14:44:00.466145+0530 AppSSODaemon -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 96DBA2E4-6DB8-4937-85A8-69F7632B8717 on <private> error 14:44:00.466773+0530 SSO extension Error Domain=com.apple.PlatformSSO Code=-1001 "failed to retrieve SecKeyProxyEndpoint for key" UserInfo={NSLocalizedDescription=failed to retrieve SecKeyProxyEndpoint for key, NSUnderlyingError=0x14b608820 {Error Domain=com.apple.PlatformSSO Code=-1001 "Failed to receive key proxy endpoint." UserInfo={NSLocalizedDescription=Failed to receive key proxy endpoint.}}} I think due to some reason the PSSO process is not able to get the token from my configuration. And this is how my configuration profile looks like <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ExtensionIdentifier</key> <string>com.test.PSSO.SSO-extension</string> <key>PayloadDisplayName</key> <string>ingle Sign-On Extensions</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.96DBA2E4-6DB8-4937-85A8-69F7632B8717</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>CDC67F3E-0687-4796-95B0-A61EF6F3F9A7</string> <key>PayloadVersion</key> <integer>1</integer> <key>TeamIdentifier</key> <string>my_team_identifier</string> <key>Type</key> <string>Redirect</string> <key>RegistrationToken</key> <string>dummy_token_123</string> <key>PlatformSSO</key> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableAuthorization</key> <true/> <key>EnableCreateUserAtLogin</key> <true/> <key>NewUserAuthorizationMode</key> <string>Standard</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Standard</string> </dict> <key>URLs</key> <array> <string>my_url</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>SSOE</string> <key>PayloadIdentifier</key> <string>com.test.psso.configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>0DC6670F-F853-49CB-91B3-1C5ECB5D3F46</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>