Updated 12/08/2025
Introduction
This is part four of a six-part blog series on how to configure Apple Platform SSO (PSSO) using Omnissa Workspace ONE Unified Endpoint Management (UEM). Each part covers one vendor's configuration options, and the series wraps up with a post dedicated to troubleshooting. As each vendor continues to change its implementation, these posts will be updated.
Part 1 – What is Apple Platform SSO
Part 2 – How to configure Apple Platform SSO for Kerberos with Microsoft AD or Microsoft Entra
Part 3 – How to configure Apple Platform SSO with Microsoft EntraID
Part 4 – How to configure Apple Platform SSO with Okta Desktop Password Sync
Part 5 – How to configure Apple Platform SSO with Omnissa Access
Part 6 – Troubleshooting
The Apple PSSO Configuration Cheat Sheet for Okta
Pre-requisites:
To use PSSO with Okta you must purchase a license from Okta. Currently the license is available through the Okta Device Access SKU, which includes Okta's Desktop MFA for macOS and Okta Desktop Password Sync.
Okta has implemented Platform SSO within its Okta Device Access technology. Okta Device Access includes a feature named Desktop Password Sync that synchronizes the macOS local account password with the end user's Okta password, so the end user can log in to the Mac with their Okta password. This blog does not cover configuring and deploying Okta Desktop Password Sync, which is done from the Okta Admin console; Okta documents how to enable it at the link below, and it must be in place before you continue. https://help.okta.com/oie/en-us/content/topics/oda/macos-pw-sync/macos-pw-sync.htm
A second prerequisite is that Okta must be configured as a certificate authority (SCEP) for device access. Again, refer to Okta's documentation: https://help.okta.com/oie/en-us/content/topics/oda/oda-as-scep.htm.
A third prerequisite involves Okta vanity URLs. An Okta vanity URL is when Okta creates a tenant named CustomerName.okta.com but an I.T. administrator wants end users to use a custom domain such as login.customername.com instead. While many Okta services support vanity URLs, when building the Platform SSO profiles in UEM you must use the Okta-provided URL (the *.okta.com or *.oktapreview.com tenant name) everywhere it appears, or PSSO will not trigger.
The Workspace ONE UEM Console needs to be running 2506 Patch 6 or higher to use the built-in UEM profiles for PSSO, due to bugs that existed in all previous console versions. Any UEM console version lower than 2506 Patch 6 will produce broken payloads. I continue to recommend using Custom Settings to deploy these payloads so they will work in any version of UEM.
To Configure Apple Platform SSO with Okta Desktop Password Sync:
- Modify the Primary User in DEP Profile to include @ symbol
- Configure SCEP for Device Access
- Deploy the Okta Verify App
- Configure the SSO Extension Payload (Custom Settings recommended)
- Configure a Freestyle Workflow to deploy PSSO
Configuration Steps in Detail:
Step 1 of 5: Modify the Primary User in the Automated Device Enrollment configuration to include the @ symbol

This step is optional but recommended until Simplified Setup is supported, at which point it will be revisited.
Remember the Triforce from Part 1? Each of the three user accounts can have a unique name and a unique password, or you could standardize the username format to be the email address across all three. Think about it: your IDP already uses email address for the user name. If you are using (or going to use) Apple Managed Accounts the account will be using the email address, so why not use the email address as the local macOS user name as well? This change can be configured in the Automated Device Enrollment profile.
If you need PSSO to trigger from the macOS Login window, the username being typed in must include an @ symbol. If you do not require PSSO at the macOS Login window and will only be using PSSO for post login related authentication this change is not required.
In the Workspace ONE UEM Console, to change the Primary User Account Username to be the email address, navigate to
Groups & Settings > All Settings > Devices & Users > Apple > Automated Device Enrollment > and edit your existing Profile > Scroll all the way to the bottom of the profile to the Primary User account section and update the Username to the {EmailAddress} variable.

Step 2 of 5: Configure SCEP for device access
Omnissa has published a guide on Techzone which can be found here: https://techzone.omnissa.com/resource/configuring-macos-platform-sso-using-okta-and-workspace-one-uem. Use this guide to complete this step.
Step 3 of 5: Add Okta Verify to UEM
The Okta Verify app must be installed on macOS to enable PSSO. In October 2025, the Okta Verify app for macOS was updated to version 9.52.0 to support Simplified Setup. Unfortunately Workspace ONE UEM does not support Simplified Setup at this time, but will do so in a future UEM Console upgrade. The recommendation is to always use the latest vendor-supplied version of the application.
- Download Okta Verify 9.52.0 or higher from Okta’s website.
- Run the app through the Workspace ONE UEM Admin Assistant Tool.
- Add the Okta Verify app to UEM as a fully managed app. Assign this app to a Smart Group that targets all macOS devices, but change the assignment from Auto to Manual.
- After building the remaining PSSO Profile configurations, a Freestyle Workflow will be created to install Okta Verify on devices that require PSSO.
Step 4 of 5: Configure the 4 Custom Settings Payloads
In the Workspace ONE UEM Console create 4 new profiles, each with a single Custom Settings payload. Using the payloads below as templates, make the changes called out before each payload (the Okta domain, the Client ID, the username variable and the account display name); everything else, including the bundle identifiers and the Team ID B7F62B65BN, belongs to Okta Verify and must be left as-is.
Okta Custom Settings Payload 1 of 4:
- Replace acme.oktapreview.com with your Okta Domain Name.
- In the Okta Admin console the Platform Single Sign On App will include a Client ID. Replace the string value below of 0asdvkgomgeTHTnf3ssg with your actual Client ID.
- In this example the Okta username is the email address so the value {EmailAddress} is used. If you use a different format for your Okta username edit this string accordingly.
<dict>
  <key>PayloadContent</key>
  <dict>
    <key>com.okta.mobile.auth-service-extension</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>OktaVerify.OrgUrl</key>
            <string>https://acme.oktapreview.com</string>
            <key>OktaVerify.PasswordSyncClientID</key>
            <string>0asdvkgomgeTHTnf3ssg</string>
            <key>OktaVerify.UserPrincipalName</key>
            <string>{EmailAddress}</string>
            <key>PlatformSSO.ProtocolVersion</key>
            <string>2.0</string>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
  <key>PayloadDisplayName</key>
  <string>Custom Settings</string>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.auth-service-extension.3A02EFFF-07A9-425A-A175-4092C3659804</string>
  <key>PayloadOrganization</key>
  <string>COMPANY</string>
  <key>PayloadType</key>
  <string>com.apple.ManagedClient.preferences</string>
  <key>PayloadUUID</key>
  <string>3A02EFFF-07A9-425A-A175-4092C3659804</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
Okta Custom Settings Payload 2 of 4:
- Replace acme.oktapreview.com with your Okta Domain Name.
- In the Okta Admin console the Platform Single Sign On App will include a Client ID. Replace the string value below of 0asdvkgomgeTHTnf3ssg with your actual Client ID.
- In this example the Okta username is the email address so the value {EmailAddress} is used. If you use a different format for your Okta username edit this string accordingly.
<dict>
  <key>PayloadContent</key>
  <dict>
    <key>com.okta.mobile</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>OktaVerify.OrgUrl</key>
            <string>https://acme.oktapreview.com</string>
            <key>OktaVerify.PasswordSyncClientID</key>
            <string>0asdvkgomgeTHTnf3ssg</string>
            <key>OktaVerify.UserPrincipalName</key>
            <string>{EmailAddress}</string>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
  <key>PayloadDisplayName</key>
  <string>Custom Settings</string>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
  <key>PayloadOrganization</key>
  <string>COMPANY</string>
  <key>PayloadType</key>
  <string>com.apple.ManagedClient.preferences</string>
  <key>PayloadUUID</key>
  <string>E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
Okta Custom Settings Payload 3 of 4:
- Replace acme.oktapreview.com with your Okta Domain Name.
<dict>
  <key>Configuration</key>
  <array>
    <dict>
      <key>ApplicationIdentifier</key>
      <string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
      <key>AssociatedDomains</key>
      <array>
        <string>authsrv:acme.oktapreview.com</string>
      </array>
      <key>EnableDirectDownloads</key>
      <false/>
    </dict>
    <dict>
      <key>ApplicationIdentifier</key>
      <string>B7F62B65BN.com.okta.mobile</string>
      <key>AssociatedDomains</key>
      <array>
        <string>authsrv:acme.oktapreview.com</string>
      </array>
      <key>EnableDirectDownloads</key>
      <false/>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>AssociatedDomainsSettings</string>
  <key>PayloadDisplayName</key>
  <string>Associated Domains</string>
  <key>PayloadIdentifier</key>
  <string>684B9C05-0A51-4837-8FC6-45990DE795FB.Associated Domains</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadType</key>
  <string>com.apple.associated-domains</string>
  <key>PayloadUUID</key>
  <string>684B9C05-0A51-4837-8FC6-45990DE795FB</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
Okta Custom Settings Payload 4 of 4:
- Replace acme.oktapreview.com with your Okta Domain Name.
- In this example the string Okta Platform SSO Dev is what will be displayed to users for account notifications and authentication requests. Edit this accordingly.
<dict>
  <key>PlatformSSO</key>
  <dict>
    <key>LoginFrequency</key>
    <integer>64800</integer>
    <key>AccountDisplayName</key>
    <string>Okta Platform SSO Dev</string>
    <key>AuthenticationMethod</key>
    <string>Password</string>
    <key>UseSharedDeviceKeys</key>
    <true/>
  </dict>
  <key>ExtensionIdentifier</key>
  <string>com.okta.mobile.auth-service-extension</string>
  <key>Type</key>
  <string>Redirect</string>
  <key>TeamIdentifier</key>
  <string>B7F62B65BN</string>
  <key>URLs</key>
  <array>
    <string>https://acme.oktapreview.com/device-access/api/v1/nonce</string>
    <string>https://acme.oktapreview.com/oauth2/v1/token</string>
  </array>
  <key>PayloadDisplayName</key>
  <string>SSO Extension</string>
  <key>PayloadDescription</key>
  <string>SsoExtensionSettings</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>PayloadUUID</key>
  <string>3509A4EB-DE92-41FB-956E-FF2C656A51EC</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>3509A4EB-DE92-41FB-956E-FF2C656A51EC.SSOExtension</string>
</dict>
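The Okta tenant domain has to be typed identically into all four payloads above (OrgUrl in payloads 1 and 2, both authsrv: entries in payload 3, and both URLs in payload 4), and a mismatch in any one of them only shows up later as "PSSO does not trigger". The script below is an added example, not code from this post, from Okta or from Omnissa: it builds the four payloads from one set of inputs with plistlib and then cross-checks them the way you would check hand-edited copies. It assumes the list of Okta-issued tenant suffixes it contains (used to reject vanity URLs, per the prerequisite above), generates fresh UUIDs rather than reusing the ones shown, and leaves the {EmailAddress} lookup value literal for UEM to expand. The placeholder tenant, Client ID and display name are the same ones used in the payloads above.

```python
# Added example: build the four UEM Custom Settings payloads for Okta PSSO from one set
# of inputs and cross-check them. Not code from the original post, Okta or Omnissa.
import plistlib
import uuid
from urllib.parse import urlparse

# Okta Verify for macOS bundle IDs and Team ID, exactly as used in the post's payloads.
OKTA_VERIFY_APP = "com.okta.mobile"
OKTA_SSO_EXTENSION = "com.okta.mobile.auth-service-extension"
OKTA_TEAM_ID = "B7F62B65BN"
# Assumption: these are the Okta-issued tenant suffixes. A vanity domain such as
# login.customername.com must not appear in these payloads or PSSO will not trigger.
OKTA_ISSUED_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def is_okta_issued_domain(domain: str) -> bool:
    host = domain.strip().lower()
    return bool(host) and "/" not in host and host.endswith(OKTA_ISSUED_SUFFIXES)


def okta_org_url(domain: str) -> str:
    """Normalise the tenant domain to the https:// OrgUrl form; refuse vanity domains."""
    host = domain.strip().lower().removeprefix("https://").rstrip("/")
    if not is_okta_issued_domain(host):
        raise ValueError(f"{domain!r} is not an Okta-issued tenant domain")
    return f"https://{host}"


def _managed_prefs(app_id: str, settings: dict, org: str) -> dict:
    """One com.apple.ManagedClient.preferences payload forcing settings on a bundle ID."""
    pid = str(uuid.uuid4()).upper()
    return {"PayloadContent": {app_id: {"Forced": [{"mcx_preference_settings": settings}]}},
            "PayloadDisplayName": "Custom Settings", "PayloadIdentifier": f"{app_id}.{pid}",
            "PayloadOrganization": org, "PayloadType": "com.apple.ManagedClient.preferences",
            "PayloadUUID": pid, "PayloadVersion": 1}


def build_payloads(domain, client_id, display_name, org="COMPANY",
                   upn="{EmailAddress}", login_frequency=64800):
    """Return [extension prefs, app prefs, associated domains, SSO extension] as dicts."""
    url = okta_org_url(domain)
    host = urlparse(url).hostname
    common = {"OktaVerify.OrgUrl": url, "OktaVerify.PasswordSyncClientID": client_id,
              "OktaVerify.UserPrincipalName": upn}
    p1 = _managed_prefs(OKTA_SSO_EXTENSION, {**common, "PlatformSSO.ProtocolVersion": "2.0"}, org)
    p2 = _managed_prefs(OKTA_VERIFY_APP, common, org)
    ad_uuid, sso_uuid = str(uuid.uuid4()).upper(), str(uuid.uuid4()).upper()
    p3 = {"Configuration": [{"ApplicationIdentifier": f"{OKTA_TEAM_ID}.{app}",
                             "AssociatedDomains": [f"authsrv:{host}"], "EnableDirectDownloads": False}
                            for app in (OKTA_SSO_EXTENSION, OKTA_VERIFY_APP)],
          "PayloadDescription": "AssociatedDomainsSettings", "PayloadDisplayName": "Associated Domains",
          "PayloadIdentifier": f"{ad_uuid}.Associated Domains", "PayloadOrganization": org,
          "PayloadType": "com.apple.associated-domains", "PayloadUUID": ad_uuid, "PayloadVersion": 1}
    p4 = {"PlatformSSO": {"LoginFrequency": login_frequency, "AccountDisplayName": display_name,
                          "AuthenticationMethod": "Password", "UseSharedDeviceKeys": True},
          "ExtensionIdentifier": OKTA_SSO_EXTENSION, "Type": "Redirect", "TeamIdentifier": OKTA_TEAM_ID,
          "URLs": [f"{url}/device-access/api/v1/nonce", f"{url}/oauth2/v1/token"],
          "PayloadDisplayName": "SSO Extension", "PayloadDescription": "SsoExtensionSettings",
          "PayloadOrganization": org, "PayloadType": "com.apple.extensiblesso",
          "PayloadUUID": sso_uuid, "PayloadVersion": 1, "PayloadIdentifier": f"{sso_uuid}.SSOExtension"}
    return [p1, p2, p3, p4]


def check_payloads(payloads) -> list:
    """Return the problems found; an empty list means the four payloads agree with each other."""
    p1, p2, p3, p4 = payloads
    s1 = p1["PayloadContent"][OKTA_SSO_EXTENSION]["Forced"][0]["mcx_preference_settings"]
    s2 = p2["PayloadContent"][OKTA_VERIFY_APP]["Forced"][0]["mcx_preference_settings"]
    host = urlparse(s1["OktaVerify.OrgUrl"]).hostname
    problems = []
    if not is_okta_issued_domain(host or ""):
        problems.append(f"OrgUrl host {host!r} is not an Okta-issued domain")
    for key in ("OktaVerify.OrgUrl", "OktaVerify.PasswordSyncClientID", "OktaVerify.UserPrincipalName"):
        if s1.get(key) != s2.get(key):
            problems.append(f"{key} differs between the extension and app payloads")
    if s1.get("PlatformSSO.ProtocolVersion") != "2.0":
        problems.append("extension payload must force PlatformSSO.ProtocolVersion 2.0")
    for entry in p3["Configuration"]:
        if not entry["ApplicationIdentifier"].startswith(OKTA_TEAM_ID + "."):
            problems.append(f"{entry['ApplicationIdentifier']} is not prefixed with Team ID {OKTA_TEAM_ID}")
        if f"authsrv:{host}" not in entry["AssociatedDomains"]:
            problems.append(f"authsrv:{host} missing for {entry['ApplicationIdentifier']}")
    if p4["ExtensionIdentifier"] != OKTA_SSO_EXTENSION or p4["TeamIdentifier"] != OKTA_TEAM_ID:
        problems.append("SSO extension payload does not point at Okta Verify's auth-service-extension")
    for u in p4["URLs"]:
        if urlparse(u).scheme != "https" or urlparse(u).hostname != host:
            problems.append(f"SSO URL host/scheme mismatch: {u}")
    return problems


def to_custom_settings_xml(payload) -> str:
    """Serialise one payload to the bare <dict>...</dict> text a Custom Settings profile takes."""
    xml = plistlib.dumps(payload, sort_keys=False).decode()
    return xml.split('<plist version="1.0">', 1)[1].rsplit("</plist>", 1)[0].strip()


if __name__ == "__main__":
    built = build_payloads("acme.oktapreview.com", "0asdvkgomgeTHTnf3ssg", "Okta Platform SSO Dev")
    print("problems:", check_payloads(built) or "none")
    for p in built:
        print(to_custom_settings_xml(p), end="\n\n")
```

plistlib wraps its output in the XML declaration and a plist element; to_custom_settings_xml strips those so each printed block is the bare dict that a UEM Custom Settings payload expects, matching the shape of the four payloads above. Run the script, paste each printed block into its own profile, and if anyone hand-edits a profile later, load the four dicts back and run check_payloads against them before assigning to devices.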
Step 5 of 5: Configure a UEM Freestyle Workflow to Deploy PSSO
Back in Part 3 of this blog series, Step 7 of 8 walks through how to build a UEM Freestyle Workflow to deploy PSSO. Using that template as a guideline, build a Freestyle Workflow that installs the Okta Verify app first and then the four Custom Settings profiles defined above.
Acknowledgements
A huge thank you to Bo Leksono and Cameron Megaw for helping to sort this out and come up with a working solution. I personally do not test with Okta.
Next Steps
With the configuration out of the way the next step would be to review Part 6 for some tips on troubleshooting.