Updated 12/08/2025
Introduction
This is part one of a six-part blog series on how to configure Apple Platform Single Sign-On (PSSO) using Omnissa Workspace ONE Unified Endpoint Management (UEM). Each part covers one vendor's configuration options, and the series wraps up with a post dedicated to troubleshooting. As each vendor continues to change their implementation, these posts will be updated.
Part 1 – What is Apple Platform SSO
Part 2 – How to configure Apple Platform SSO for Kerberos with Microsoft AD or Microsoft Entra
Part 3 – How to configure Apple Platform SSO with Microsoft EntraID
Part 4 – How to configure Apple Platform SSO with Okta Desktop Password Sync
Part 5 – How to configure Apple Platform SSO with Omnissa Access
Part 6 – Troubleshooting
What is Apple Platform Single Sign On?
Ever play The Legend of Zelda video game? In this video game from Nintendo the hero Link (not Zelda) must find and then assemble three magical triangles to form a bigger magical triangle named the Triforce. Epic stuff ensues. This is the best visual I can think of when trying to understand and configure Apple PSSO for macOS.

The three triangles used to form the Triforce represent the three unique user account objects that the remainder of this blog will be focused on:
Triangle 1 is the macOS Local Account and Password. Every macOS device will always have a local macOS account. The name of the account typically takes the form of First Name Last Name and the password associated with the local macOS account is unique to this account.
Triangle 2 is the Identity Provider (IDP) User Account and Password. The standard for IDP user accounts is generally the User Principal Name which is often the email address of the user. The password for this account is unique to this account.
Triangle 3 is the Apple Account (formerly named the Apple ID). Apple Accounts now come in two flavors, Personal Apple Accounts and Managed Apple Accounts, each with unique features. Neither type is directly involved in PSSO; they are adjacent technologies used for a different purpose, but it helps to keep them in the back of your mind. Apple Accounts use an email address for the username. The password for this account is unique to this account.
By bringing together Apple Accounts and PSSO, organizations can create a magical experience for end users where in some cases authentication becomes passwordless. To be technically accurate, the Apple Account is not part of the PSSO framework, and we are mostly going to ignore that it exists at all. It will come back up later in this blog series, so know that it exists, but for now just kinda forget that it is there. To be clear, using an Apple Account is NOT a requirement to use PSSO. Like the Triforce, the three user accounts are connected by the overall user experience on the device, but each is a unique piece of the whole. When assembled, magic ensues. But keep in mind the accounts are three distinct objects.
What does PSSO do? The Apple Platform SSO (PSSO) Framework extends the macOS login window to allow users to synchronize local account credentials with an IDP. It’s the evolution of Apple’s SSO Extension that first shipped back in 2019 and in many cases it eliminates the need to bind macOS to Active Directory. Apple describes this evolution as follows, where new features are unlocked with each new macOS release:

The benefit of implementing PSSO boils down to the ability to reduce the number of times a user has to type in a username or password to authenticate to apps and websites. In some cases this can result in a password-less experience (once the user is logged into the macOS device.)
There are three requirements to turn on PSSO.
- The Mac must be running a version of macOS that includes the PSSO framework (macOS 13 Ventura or later).
- The macOS device must be enrolled in an MDM which deploys the configuration of PSSO.
- The IDP must provide an app that bundles a Platform SSO extension; that extension is what communicates with the macOS SSO agent.
Visually this can be represented using this example of how Omnissa Workspace ONE access is going to market with this feature:

A more technical reference for the above illustration is the diagram below, which illustrates the interaction of the various components. In the illustration below, the SSO Agent box represents all of the Apple PSSO technology.

While each MDM and each IDP make different configuration options available, there are a few more important details about PSSO to understand.
PSSO is NOT passwordless authentication for FileVault or the macOS login window. People often use the term passwordless authentication to describe the end user experience on the macOS device AFTER the initial login has completed. This means that existing FIDO2 / YubiKey / Feitian / Titan users will not be replacing their macOS logon methods with PSSO.
The Four Horsemen of Apple PSSO Authentication
PSSO supports multiple authentication protocols:

PSSO supports four methods of User Authentication which are described below. The first decision point for implementing PSSO is to pick one of the four methods.
- Password and encrypted password.
If you think macOS should act a bit closer to how Microsoft Windows handles login, this is the method for you. In this mode the IDP password is synchronized with the macOS local account password. The benefit to the end user is one less unique password to remember. If Apple Accounts are in use on the device, they are excluded from password synchronization.
Things to know about this method:
1. Password updates from the login window and screensaver unlock are also supported. One important caveat is that the IDP can NOT push password changes to the device; all password changes must be initiated from macOS.
2. Password changes initiated from macOS are synced at 4-hour intervals, based on when the user is logged in.
3. With this method anyone who knows the local macOS account password can authenticate to any app configured to use PSSO. The local macOS account password is also encrypted and sent across the wire for authentication requests. Because the credential is a reusable secret that can be phished, Microsoft describes this as the least secure PSSO method: while Microsoft supports it, they generally do not recommend that customers implement it.
- User Secure Enclave Key.
In this mode a user logs into macOS with the macOS local account username and password. Authentication requests from the IDP do not use the local account password; instead they are answered with a Secure Enclave-backed key. Someone geeked out and described this method as “by using Secure Enclave the end user now has an origin binding with a hardware-backed key with no reusable secrets.”
This is the most phishing-resistant method available.
Things to know about this method:
1. There is NO password sync between the macOS local account password and the IDP password.
2. The macOS local account password is not used for IDP authentication.
3. MFA is not available at the macOS login screen.
- SmartCard.
PSSO’s primary function remains authentication that happens AFTER the macOS login window has been used to authenticate to the device. SmartCards can still be used to authenticate with the IDP. This method of PSSO is not discussed as part of this blog series.
- Password with WS-Trust.
This fourth option technically exists but will not be detailed in this blog series. In this method PSSO uses the local macOS account password to authenticate to an IDP that facilitates federated authentication across multiple security domains. If this is a method you have a use for, reach out for more details.
Once you have picked one of the four methods above as your preferred method of authentication you are ready to begin the configuration of the feature, and the remaining blogs in the series will provide the technical details to do so.
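As an added example, not from the original post and not Apple's or Omnissa's code: whichever method you pick ends up as the AuthenticationMethod value inside the PlatformSSO dictionary of Apple's Extensible SSO payload (PayloadType com.apple.extensiblesso). The Python script below reads a .mobileconfig, finds every such payload, reports the method and warns when it is Password, the method described above as the least phishing-resistant. The payload keys are Apple's; the extension identifier, team identifier, URL and claim names in the embedded sample profile are constructed placeholders rather than any vendor's real values, and the comment that the WS-Trust variant shows up as the Password value is an assumption drawn from the description above, not something Apple's documentation is quoted for here.

```python
"""Audit the Platform SSO settings in a macOS configuration profile.

Added example (not part of the original post, not Apple's or Omnissa's code).
Reads a .mobileconfig, finds every Extensible SSO payload and reports which
PSSO authentication method it selects, flagging the Password method.
"""
import plistlib
import sys

EXTENSIBLE_SSO = "com.apple.extensiblesso"

# Values Apple accepts for PlatformSSO.AuthenticationMethod. Assumption:
# the "Password with WS-Trust" variant is the Password value used against a
# federated IdP, so it is reported here as "Password".
METHODS = {
    "Password": "local password synced with the IdP; a reusable secret is sent for auth",
    "UserSecureEnclaveKey": "Secure Enclave-backed key; no reusable secret leaves the device",
    "SmartCard": "smart card certificate used to authenticate to the IdP",
}


def audit_profile(data: bytes) -> list:
    """Return one finding dict per Extensible SSO payload in a plist-encoded profile."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EXTENSIBLE_SSO:
            continue
        finding = {"extension": payload.get("ExtensionIdentifier"),
                   "method": None, "warnings": []}
        psso = payload.get("PlatformSSO")
        if psso is None:
            # An SSO extension payload without a PlatformSSO dictionary is the
            # older app-level SSO extension from 2019, not Platform SSO.
            finding["warnings"].append(
                "no PlatformSSO dictionary: this is an SSO extension, not PSSO")
            findings.append(finding)
            continue
        method = psso.get("AuthenticationMethod")
        finding["method"] = method
        if method not in METHODS:
            finding["warnings"].append(f"unknown AuthenticationMethod {method!r}")
        elif method == "Password":
            finding["warnings"].append(
                "Password method: anyone with the local password can satisfy PSSO and "
                "the (encrypted) password is sent to the IdP; prefer UserSecureEnclaveKey")
        findings.append(finding)
    return findings


def _sample(method: str) -> bytes:
    """Constructed sample profile; every identifier below is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.psso.profile",
        "PayloadUUID": "8E9E3E7C-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": EXTENSIBLE_SSO,
            "PayloadIdentifier": "com.example.psso.payload",
            "PayloadUUID": "8E9E3E7C-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "ExtensionIdentifier": "com.example.idp.ssoextension",  # placeholder
            "TeamIdentifier": "ABCDE12345",                         # placeholder
            "Type": "Redirect",
            "URLs": ["https://login.example.com"],                  # placeholder
            "PlatformSSO": {
                "AuthenticationMethod": method,
                "UseSharedDeviceKeys": True,
                # claim names are placeholders; the IdP documents the real ones
                "TokenToUserMapping": {"AccountName": "preferred_username",
                                       "FullName": "name"},
            },
        }],
    })


SAMPLE_PASSWORD = _sample("Password")           # the weak setting
SAMPLE_SEP_KEY = _sample("UserSecureEnclaveKey")  # the phishing-resistant setting

if __name__ == "__main__":
    # Usage: python3 psso_audit.py plain.mobileconfig  (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PASSWORD
    for f in audit_profile(data):
        print(f"{f['extension']}: AuthenticationMethod={f['method']}")
        for w in f["warnings"]:
            print("  WARNING:", w)
```

Profiles exported from an MDM are often CMS-signed, and plistlib cannot read the signed envelope; decode first with `security cms -D -i signed.mobileconfig -o plain.mobileconfig` and point the script at the plain file.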
PSSO Authenticated Guest Mode for Shared Mac
macOS Tahoe (macOS 26) adds a new option, PSSO Authenticated Guest Mode, that improves user identity management on Macs shared by more than one user.

Organizations that need a faster login experience also have the ability to enable Quick Login:

When macOS is configured for shared use cases, keep in mind that Workspace ONE UEM will continue to link the macOS MDM registration to the initial user that enrolls the device.
PSSO macOS Device Registration and Simplified Setup
The beauty of macOS with Automated Device Enrollment is how few end user actions it takes to pull a new Mac out of the box and have the device configure itself automatically. On macOS 13, 14, and 15 PSSO can NOT be enabled during Setup Assistant, so users have to complete a series of onboarding steps after the initial login to macOS.
With the release of macOS 26, Apple resolved this problem by moving PSSO into Setup Assistant, now branded “Simplified Setup.” MDM vendors have to add support for Simplified Setup before it can be enabled. At the time of this writing neither Microsoft Intune nor Workspace ONE UEM supports Simplified Setup, meaning all PSSO registration steps must be completed after Setup Assistant. Both products will support Simplified Setup in the future. As you can see from the steps below, Simplified Setup for Platform SSO is a cleaner end user process.

Vendor Support for PSSO

Enabling PSSO requires three technologies to work together: a version of macOS with the framework, an MDM that supports the features of the framework, and an IDP that supports the features of the framework. Not all PSSO features are supported by each MDM and IDP.
Okta was the first IdP to ship a generally available (not beta, not tech preview) implementation of PSSO that customers can put into production today.
In August of 2025 Microsoft went Generally Available with their support for PSSO for macOS 13, 14 and 15. macOS 26 is supported but none of the new PSSO features included with macOS 26 are supported by Microsoft.
Google Workspace does not support PSSO.
Omnissa is still working on adding support for PSSO when Workspace ONE Access is used as the IDP. As an MDM, Workspace ONE UEM can be used to configure and deploy PSSO and the remainder of this blog series is focused on using Workspace ONE UEM to deploy the configuration.
Next Steps
If you want to understand PSSO in more technical detail I recommend spending three hours watching the three videos below. If you are ready to just deploy the technology, scroll down and move on to the next parts of this blog series based on which IDP you are using.
All of these videos discuss PSSO as it works with macOS 13, 14, and 15 but are still valuable background to have.
The first video is a one-hour introduction by Michael Epping and Mark Morowczynski from Microsoft and can be viewed here: https://www.youtube.com/watch?v=NEoKLSuO3gw
The second video is a one-hour video by Joel Rennich https://youtu.be/mkro_6BzOiY?si=ZOf5mXKMkZ8GHvqm
The third video is a one-hour deep-dive presented by Arek Dreyer at the 2024 MacSysAdmin Conference. https://youtu.be/xwgBofPoZJU?si=R1yLFU-mtMUO1suo.
From here, based on which IdP is in use, jump to the appropriate configuration step below:
Part 1 – What is Apple Platform SSO
Part 2 – How to configure Apple Platform SSO for Kerberos with Microsoft AD or Microsoft Entra
Part 3 – How to configure Apple Platform SSO with Microsoft EntraID
Part 4 – How to configure Apple Platform SSO with Okta Desktop Password Sync
Part 5 – How to configure Apple Platform SSO with Omnissa Access
Part 6 – Troubleshooting
