How To Configure Apple Platform SSO using Omnissa Workspace ONE UEM

Updated 10/21/2025

Introduction

This is Part 1 of a 6 Part blog series on How to Configure Apple Platform SSO using Workspace ONE UEM.

Part 1 – What is Apple Platform SSO

Part 2 – How to configure Apple Platform SSO for Kerberos with Microsoft AD or Microsoft Entra

Part 3 – How to configure Apple Platform SSO with Microsoft EntraID

Part 4 – How to configure Apple Platform SSO with Okta Desktop Password Sync

Part 5 – How to configure Apple Platform SSO with Omnissa Access

Part 6 – Troubleshooting

What is Apple Platform SSO?

The Apple Platform SSO (PSSO) Framework extends the macOS login window to allow users to synchronize local account credentials with an identity provider (IdP). Management of the macOS local account credential includes support for multiple authentication methods and replaces the need for binding macOS to Microsoft Active Directory. PSSO replaces earlier Apple technologies that attempted this, including Apple Enterprise SSO, Apple Kerberos SSO, and Apple LDAP Bind. In some cases it even replaces Jamf Connect and Xcreds. In short:

MDM + SSO Extension + IdP Plugin + Apple macOS 13.x or higher, and PSSO is enabled.

PSSO is available for use as part of the macOS Login window and then used by applications for SSO. The framework supports user creation at the login window, tokens at the login window, and authorization database integration.

PSSO is NOT passwordless authentication for FileVault or macOS. Existing FIDO2 / YubiKey / Feitian / Titan users will not be replacing these methods with PSSO.

While Apple considers the feature generally available and functional as of macOS 13.x, Apple continues to fix bugs in it with each macOS release. The IdPs are still in active development, as are the MDMs. The point here is that despite being available from Apple for a few years now, this technology is still a work in progress.

Okta was the first IdP to ship a generally available (not beta, not tech preview) version of this technology that customers can implement in production today. As of August 2025, Microsoft went Generally Available with support for macOS 13, 14 and 15, but not macOS 26. Omnissa is still working on adding support for PSSO with Workspace ONE Access.

I have broken this topic into 6 blogs, each covering in depth the specific implementation by the 3rd party vendors. As each vendor continues to improve and iterate their implementation I will continue to update these blogs with the most current information.

What about Managed Apple Accounts?

There is no requirement from Apple to use Managed Apple Accounts alongside PSSO; however in many cases it makes good sense to go ahead and implement both while you are implementing PSSO. You should evaluate the features available with Managed Apple Accounts before implementation of PSSO to determine if this move makes sense for your organization.

Apple PSSO – A Tale of 4 Choices

The first task for the I.T. Admin is to pick one of the four IdP-based user authentication options supported by PSSO. In recent months the vendors are really only talking about Option 1 and Option 2 below, but I’ll keep the references to 3 and 4 because they do still exist. Keep in mind that none of these methods support MFA for FileVault.

Your first decision point is which flavor of PSSO do you wish to implement:

  1. Password and encrypted password.

    In this mode the IdP uses the macOS local account password and keeps it in sync with a directory service. This includes password updates from the login window and screensaver unlock. One important caveat is that the IdP can NOT push password changes to the device. All password changes must be initiated from macOS. Another important point for this method is that password changes are synced at 4-hour intervals based on when the user is logged in.

    Microsoft's position is that this is the least secure version of PSSO and that it should not be used.

  2. User Secure Enclave Key.

    This is the method everyone should strive to use because it is the most phishing-resistant version. In this mode a Secure Enclave-backed key is used to authenticate with the IdP without a password and without changing the local account password. By using the Secure Enclave, the end user now has origin binding with a hardware-backed key and no reusable secrets. The end result is the most phishing-resistant method available.

    Things to know about this method:

    1. There is NO password sync between the macOS local account password and the IdP password.

    2. MFA is not available at the macOS Login screen.

  3. SmartCard.

    In this mode the SmartCard is used to authenticate with the IdP. Apple added some enhancements to this method with macOS 26.

  4. Password with WS-Trust.

    A federated IdP, meaning an IdP that facilitates federated authentication across multiple security domains, can use the local account password for authentication.

To Create or Not Create New User Accounts?

During PSSO profile creation an administrator must define the behavior associated with new users that log in to a device. This configuration is useful for shared device scenarios / kiosks / etc. The account management capabilities offered within the PSSO configuration payload include the ability to add or remove users from local macOS groups as part of the creation step.

I had hoped this would allow the MDM to understand multi-user logins and adjust device registration according to who just logged in, but this turns out not to be true. With UEM, MDM registration is still linked to the initial user that enrolls the device.
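To make the choices in the two sections above concrete, here is an added example (my own code, not from the original post or from Omnissa) that parses a PSSO configuration profile and reports which of the authentication methods it selects and how users created at the login window are authorized. It assumes the PlatformSSO dictionary keys as Apple documents them for the Extensible SSO payload (AuthenticationMethod, EnableCreateUserAtLogin, NewUserAuthorizationMode, AdministratorGroups); the IdP identifiers in the sample are placeholders.

```python
import plistlib

# Apple's documented PlatformSSO AuthenticationMethod values (assumption: the
# WS-Trust flavor is layered on "Password" rather than being its own value).
METHOD_NOTES = {
    "Password": "local password synced to the IdP (4-hour cadence, IdP cannot push changes)",
    "UserSecureEnclaveKey": "Secure Enclave key: phishing-resistant, no password sync, no login-window MFA",
    "SmartCard": "SmartCard presented to the IdP, no password sync",
}

def review_psso_profile(profile_bytes):
    """Return findings for the first com.apple.extensiblesso payload that carries
    a PlatformSSO dictionary; raise ValueError if the profile has none."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        psso = payload.get("PlatformSSO")
        if payload.get("PayloadType") != "com.apple.extensiblesso" or psso is None:
            continue
        method = psso.get("AuthenticationMethod", "Password")  # Password is Apple's default (assumption)
        findings = {
            "method": method,
            "note": METHOD_NOTES.get(method, "unrecognized AuthenticationMethod"),
            "creates_users": bool(psso.get("EnableCreateUserAtLogin", False)),
            "new_user_mode": psso.get("NewUserAuthorizationMode"),
            "admin_groups": list(psso.get("AdministratorGroups", [])),
            "warnings": [],
        }
        if method == "Password":
            findings["warnings"].append("Password mode: prefer UserSecureEnclaveKey where the IdP supports it")
        if findings["creates_users"] and findings["new_user_mode"] == "Admin":
            findings["warnings"].append("every user created at the login window becomes a local admin")
        return findings
    raise ValueError("no com.apple.extensiblesso payload with a PlatformSSO dictionary")

# Constructed sample profile (placeholder IdP identifier, not a real deployment):
# Password mode with login-window user creation and group-based authorization.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": "com.example.idp.ssoextension",
        "PlatformSSO": {
            "AuthenticationMethod": "Password",
            "EnableCreateUserAtLogin": True,
            "NewUserAuthorizationMode": "Groups",
            "AdministratorGroups": ["mac-admins"],
        },
    }],
})
```

Run it against a profile exported from UEM to see which flavor of PSSO it actually deploys and whether login-window user creation hands out admin rights.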

Zero Touch Onboarding

The beauty of macOS with Automated Device Enrollment is how few end user actions it takes to pull a new macOS device out of the box and have the device configure itself automatically. Apple broke this experience with PSSO for macOS 13, 14, and 15 because PSSO can NOT be enabled during Setup Assistant.

With the release of macOS 26, Apple resolved this problem by moving PSSO into Setup Assistant; however, the MDMs have to add support for this feature, and UEM does not support this new method.

What this means is that what should be an automated, mostly silent process becomes a tedious, end-user-driven experience prone to errors. How tedious? Well, check out this flowchart:

PSSO Apple macOS Device Registration Process (for macOS 13, 14 and 15)

Here is a high-level summary of what happens when a macOS 13, 14, or 15 device needs to enable PSSO. The most important point to understand below is that user interaction is required:

As you can see from the steps above, there are a lot of moving parts: end user interaction, a log off or a reboot. There is a lot that can break depending on how technical your end user is.

It is necessary for all end users to complete this process to successfully enable PSSO.

Next Steps

If you want to understand PSSO in more technical detail I recommend spending 3 hours watching each of the 3 videos below. The first video is a one-hour introduction by Michael Epping from Microsoft and Mark Morowczynski. Note that all of these videos discuss PSSO as it exists and works with macOS 13, 14, and 15. Apple changes the game in macOS 26 but the concepts discussed remain the same.

If you want an even more in-depth understanding, then this second one-hour video by Joel Rennich https://youtu.be/mkro_6BzOiY?si=ZOf5mXKMkZ8GHvqm is well worth your time.

A third one-hour deep-dive on the technology is presented by Arek Dreyer at the 2024 MacSysAdmin Conference. https://youtu.be/xwgBofPoZJU?si=R1yLFU-mtMUO1suo.

From here, based on which IdP is in use, jump to the appropriate configuration step below:

Part 1 – What is Apple Platform SSO

Part 2 – How to configure Apple Platform SSO for Kerberos with Microsoft AD or Microsoft Entra

Part 3 – How to configure Apple Platform SSO with Microsoft EntraID

Part 4 – How to configure Apple Platform SSO with Okta Desktop Password Sync

Part 5 – How to configure Apple Platform SSO with Omnissa Access

Part 6 – Troubleshooting