How to Configure Apple Platform SSO with Okta Desktop Password Sync

Updated 09/30/2025

Introduction

This is Part 3 of a 5 Part blog series on How to Configure Apple Platform SSO using Workspace ONE UEM. In this part we will be discussing how to configure Apple Platform SSO for use with the Okta Desktop Password Sync.

Part 1 – What is Apple Platform SSO

Part 2 – How to configure Apple Platform SSO with Microsoft EntraID

Part 3 – How to configure Apple Platform SSO with Okta Desktop Password Sync

Part 4 – How to configure Apple Platform SSO with Omnissa Access

Part 5 – Troubleshooting

The Apple PSSO Configuration Cheat Sheet for Okta

Pre-requisites:

For PSSO with Okta you must purchase a license from Okta to use this feature. Currently the license is available through the Okta Device Access SKU which includes Okta’s Desktop MFA for macOS and Okta Desktop Password Sync.

Okta has implemented Platform SSO within the Okta Device Access technology. Okta Device Access includes a technology named Password Sync that synchronizes the macOS local account password with the end user’s Okta password. This allows the end user to use their Okta password to log in. This blog does not cover configuring and deploying Okta Desktop Password Sync, which is done from the Okta Admin console. Okta has more details on how to enable this feature on their website, but this is a pre-requisite to continue. https://help.okta.com/oie/en-us/content/topics/oda/macos-pw-sync/macos-pw-sync.htm

A second prerequisite is that Okta must be configured as a certificate authority for device access. Once more refer to Okta’s documentation https://help.okta.com/oie/en-us/content/topics/oda/oda-as-scep.htm.

The Workspace ONE UEM Console needs to be running 2506 Patch 6 or higher to use the built-in UEM Profiles for PSSO, due to bugs that existed in all previous console versions. Any UEM console version lower than 2506 Patch 6 will result in broken payloads due to those bugs. I continue to recommend using Custom Settings to deploy these payloads so they will work in any version of UEM.

To Configure Apple Platform SSO with Okta Desktop Password Sync:

  1. Modify the Primary User in DEP Profile to include @ symbol
  2. Configure SCEP for Device Access
  3. Deploy the Okta Verify App
  4. Configure the SSO Extension Payload (Custom Settings recommended)

Configuration Steps in Detail:

Step 1 of 4: Modify the Primary User in the Automated Device Enrollment configuration to include the @ symbol

When a macOS device is at the login window, the only way for PSSO to be triggered is for the username to contain the @ symbol. During Setup Assistant you can set the Primary User Account to include the @ symbol. I suggest changing the Automated Device Enrollment profile to make the Primary User Account Username be the email address. Doing this will eliminate four of the steps from the workflow illustrated above.

In Workspace ONE UEM Console, to change the Primary User Account Username to be the email address, navigate to
Groups & Settings > All Settings > Devices & Users > Apple > Apple Business Manager > and edit your existing Profile then scroll all the way to the bottom to the Primary User account section.

Step 2 of 4: Configure SCEP for device access

Omnissa has published a guide on Techzone which can be found here: https://techzone.omnissa.com/resource/configuring-macos-platform-sso-using-okta-and-workspace-one-uem. Use this guide to complete this step.

Step 3 of 4: Add Okta Verify to UEM

Continue following the Omnissa Techzone guide to push the Okta Verify App to macOS Devices.

Step 4 of 4: Configure the 4 Custom Settings Payloads

In the Workspace ONE UEM Console create 4 new Profiles, each with a single Custom Settings Payload. Using the payloads below for guidance, make the changes to the values highlighted in red, which are called out in the numbered notes before each payload:

Okta Custom Settings Payload 1 of 4:

  1. Replace acme.oktapreview.com with your Okta Domain Name.
  2. In the Okta Admin console the Platform Single Sign On App will include a Client ID. Replace the string value below of 0asdvkgomgeTHTnf3ssg with your actual Client ID.
  3. In this example the Okta username is the email address so the value {EmailAddress} is used. If you use a different format for your Okta username edit this string accordingly.
<dict>
	<key>PayloadContent</key>
	<dict>
		<key>com.okta.mobile.auth-service-extension</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_preference_settings</key>
					<dict>
						<key>OktaVerify.OrgUrl</key>
						<string>https://acme.oktapreview.com</string>
						<key>OktaVerify.PasswordSyncClientID</key>
						<string>0asdvkgomgeTHTnf3ssg</string>
						<key>OktaVerify.UserPrincipalName</key>
						<string>{EmailAddress}</string>
						<key>PlatformSSO.ProtocolVersion</key>
						<string>2.0</string>
					</dict>
				</dict>
			</array>
		</dict>
	</dict>
	<key>PayloadDisplayName</key>
	<string>Custom Settings</string>
	<key>PayloadIdentifier</key>
	<string>com.okta.mobile.auth-service-extension.3A02EFFF-07A9-425A-A175-4092C3659804</string>
	<key>PayloadOrganization</key>
	<string>COMPANY</string>
	<key>PayloadType</key>
	<string>com.apple.ManagedClient.preferences</string>
	<key>PayloadUUID</key>
	<string>3A02EFFF-07A9-425A-A175-4092C3659804</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>

Okta Custom Settings Payload 2 of 4:

  1. Replace acme.oktapreview.com with your Okta Domain Name.
  2. In the Okta Admin console the Platform Single Sign On App will include a Client ID. Replace the string value below of 0asdvkgomgeTHTnf3ssg with your actual Client ID.
  3. In this example the Okta username is the email address so the value {EmailAddress} is used. If you use a different format for your Okta username edit this string accordingly.
<dict>
	<key>PayloadContent</key>
	<dict>
		<key>com.okta.mobile</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_preference_settings</key>
					<dict>
						<key>OktaVerify.OrgUrl</key>
						<string>https://acme.oktapreview.com</string>
						<key>OktaVerify.PasswordSyncClientID</key>
						<string>0asdvkgomgeTHTnf3ssg</string>
						<key>OktaVerify.UserPrincipalName</key>
						<string>{EmailAddress}</string>
					</dict>
				</dict>
			</array>
		</dict>
	</dict>
	<key>PayloadDisplayName</key>
	<string>Custom Settings</string>
	<key>PayloadIdentifier</key>
	<string>com.okta.mobile.E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
	<key>PayloadOrganization</key>
	<string>COMPANY</string>
	<key>PayloadType</key>
	<string>com.apple.ManagedClient.preferences</string>
	<key>PayloadUUID</key>
	<string>E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>

Okta Custom Settings Payload 3 of 4:

  1. Replace acme.oktapreview.com with your Okta Domain Name.
<dict>
	<key>Configuration</key>
	<array>
		<dict>
			<key>ApplicationIdentifier</key>
			<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
			<key>AssociatedDomains</key>
			<array>
				<string>authsrv:acme.oktapreview.com</string>
			</array>
			<key>EnableDirectDownloads</key>
			<false/>
		</dict>
		<dict>
			<key>ApplicationIdentifier</key>
			<string>B7F62B65BN.com.okta.mobile</string>
			<key>AssociatedDomains</key>
			<array>
				<string>authsrv:acme.oktapreview.com</string>
			</array>
			<key>EnableDirectDownloads</key>
			<false/>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>AssociatedDomainsSettings</string>
	<key>PayloadDisplayName</key>
	<string>Associated Domains</string>
	<key>PayloadIdentifier</key>
	<string>684B9C05-0A51-4837-8FC6-45990DE795FB.Associated Domains</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadType</key>
	<string>com.apple.associated-domains</string>
	<key>PayloadUUID</key>
	<string>684B9C05-0A51-4837-8FC6-45990DE795FB</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>

Okta Custom Settings Payload 4 of 4:

  1. Replace acme.oktapreview.com with your Okta Domain Name.
  2. In this example the string Okta Platform SSO Dev is what will be displayed to users for account notifications and authentication requests. Edit this accordingly.
<dict>
        <key>PlatformSSO</key>
        <dict>
          <key>LoginFrequency</key>
          <integer>64800</integer>
          <key>AccountDisplayName</key>
          <string>Okta Platform SSO Dev</string>
          <key>AuthenticationMethod</key>
          <string>Password</string>
          <key>UseSharedDeviceKeys</key>
          <true />
        </dict>
        <key>ExtensionIdentifier</key>
        <string>com.okta.mobile.auth-service-extension</string>
        <key>Type</key>
        <string>Redirect</string>
        <key>TeamIdentifier</key>
        <string>B7F62B65BN</string>
        <key>URLs</key>
        <array>
          <string>https://acme.oktapreview.com/device-access/api/v1/nonce</string>
          <string>https://acme.oktapreview.com/oauth2/v1/token</string>
        </array>
        <key>PayloadDisplayName</key>
        <string>SSO Extension</string>
        <key>PayloadDescription</key>
        <string>SsoExtensionSettings</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.extensiblesso</string>
        <key>PayloadUUID</key>
        <string>3509A4EB-DE92-41FB-956E-FF2C656A51EC</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadIdentifier</key>
        <string>3509A4EB-DE92-41FB-956E-FF2C656A51EC.SSOExtension</string>
</dict>
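The four payloads only work when they agree on the same Okta host, extension identifier and Team ID, and a typo in one of them is easy to miss in the UEM console. The following added consistency check (example code, not from this post, Okta or Omnissa) takes the dicts that Python's plistlib.loads() returns for payloads 1, 3 and 4 and reports any mismatch; the sample_payloads() helper is a constructed stand-in mirroring the page's placeholder values.

```python
"""Cross-check the Okta PSSO Custom Settings payloads (1, 3 and 4) before assigning them."""
from urllib.parse import urlparse

OKTA_EXTENSION = "com.okta.mobile.auth-service-extension"
OKTA_TEAM_ID = "B7F62B65BN"  # Okta Verify Team ID, as shown in the page's payloads


def check_psso_payloads(prefs, assoc, sso):
    """Return a list of findings; an empty list means the payloads agree."""
    findings = []
    mcx = prefs["PayloadContent"][OKTA_EXTENSION]["Forced"][0]["mcx_preference_settings"]
    org = urlparse(mcx.get("OktaVerify.OrgUrl", ""))
    host = org.hostname
    if org.scheme != "https" or not host:
        findings.append("OktaVerify.OrgUrl must be an https URL")
    if mcx.get("PlatformSSO.ProtocolVersion") != "2.0":
        findings.append("PlatformSSO.ProtocolVersion must be 2.0")
    if not mcx.get("OktaVerify.PasswordSyncClientID"):
        findings.append("OktaVerify.PasswordSyncClientID is missing")
    # Payload 3: every Okta app must be associated with the same Okta host.
    for entry in assoc["Configuration"]:
        app = entry["ApplicationIdentifier"]
        if not app.startswith(OKTA_TEAM_ID + "."):
            findings.append(f"{app}: ApplicationIdentifier lacks the Okta Team ID")
        if f"authsrv:{host}" not in entry["AssociatedDomains"]:
            findings.append(f"{app}: AssociatedDomains lacks authsrv:{host}")
    # Payload 4: extension, team and nonce/token URLs must line up with payload 1.
    if sso["ExtensionIdentifier"] != OKTA_EXTENSION or sso["TeamIdentifier"] != OKTA_TEAM_ID:
        findings.append("SSO Extension must name Okta's auth-service-extension and Team ID")
    for url in sso["URLs"]:
        u = urlparse(url)
        if u.scheme != "https" or u.hostname != host:
            findings.append(f"{url} does not match the OrgUrl host {host}")
    if sso["PlatformSSO"].get("AuthenticationMethod") != "Password":
        findings.append("AuthenticationMethod must be Password for Password Sync")
    return findings


def sample_payloads(host="acme.oktapreview.com"):
    """Constructed minimal payloads mirroring the page's placeholder values."""
    mcx = {"OktaVerify.OrgUrl": f"https://{host}", "PlatformSSO.ProtocolVersion": "2.0",
           "OktaVerify.PasswordSyncClientID": "0asdvkgomgeTHTnf3ssg",
           "OktaVerify.UserPrincipalName": "{EmailAddress}"}
    prefs = {"PayloadContent": {OKTA_EXTENSION: {"Forced": [{"mcx_preference_settings": mcx}]}}}
    assoc = {"Configuration": [{"ApplicationIdentifier": f"{OKTA_TEAM_ID}.{app}",
                                "AssociatedDomains": [f"authsrv:{host}"]}
                               for app in ("com.okta.mobile", OKTA_EXTENSION)]}
    sso = {"ExtensionIdentifier": OKTA_EXTENSION, "TeamIdentifier": OKTA_TEAM_ID, "Type": "Redirect",
           "URLs": [f"https://{host}/device-access/api/v1/nonce", f"https://{host}/oauth2/v1/token"],
           "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True}}
    return prefs, assoc, sso
```

To check real payloads, wrap each pasted `<dict>` in `<plist version="1.0">…</plist>`, pass it to plistlib.loads() and feed the results to check_psso_payloads().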

Acknowledgements

A huge thank you to Bo Leksono and Cameron Megaw for helping to sort this out and come up with a working solution. I personally do not test with Okta.

Next Steps

With the configuration out of the way the next step would be to review Part 5 for some tips on troubleshooting.
