Updated 09/29/2025
Introduction
This is Part 3 of a 5 Part blog series on How to Configure Apple Platform SSO using Workspace ONE UEM.
Part 1 – What is Apple Platform SSO
Part 2 – How to configure Apple Platform SSO with Microsoft EntraID
Part 3 – How to configure Apple Platform SSO with Okta Verify
Part 4 – How to configure Apple Platform SSO with Omnissa Access
Part 5 – Troubleshooting
The Apple PSSO Configuration Cheat Sheet
Pre-requisites:
For PSSO with Okta you must purchase a license from Okta to use this feature. Currently it is available through the Okta Device Access SKU which includes Okta’s Desktop MFA for macOS and Okta Desktop Password Sync. Okta has implemented Platform SSO in the Desktop Password Sync app which relies on the Okta Verify App.
The Workspace ONE UEM Console needs to be running 2506 Patch 6 or higher to use the built-in UEM Profiles for PSSO, due to bugs that existed in all previous console versions. Any UEM console version lower than 2506 Patch 6 will produce broken payloads because of those bugs. I continue to recommend using Custom Settings to deploy these payloads so they will work in any version of UEM.
To Configure Apple Platform SSO with Okta Verify:
- Modify the Primary User in DEP Profile to include @ symbol
- Add the Okta Verify app to UEM as an app and as a bootstrap package then deploy to your devices.
- Configure the SSO Extension Payload (Custom Settings recommended)
- Deploy the UEM Sensor to track progress
Important Caveat: I am not covering the Identity Provider configuration steps, which are also a pre-requisite that must be in place BEFORE attempting to deploy these profiles. You should consult your current IdP vendor documentation for the specific server side configurations required to enable SAML based authentication with your IdP. SAML based authentication with an IdP is a pre-requisite to everything described below.
Configuration Steps in Detail:
Step 1 of 4: Modify the Primary User in the Automated Device Enrollment configuration to include the @ symbol
When a macOS device is at the login window, the only way for PSSO to be triggered is for the username to contain the @ symbol. During Setup Assistant you can set the Primary User Account to include the @ symbol. I suggest changing the Automated Device Enrollment profile so that the Primary User Account Username is the email address. Doing this will eliminate four of the steps from the workflow illustrated above.
In Workspace ONE UEM Console, to change the Primary User Account Username to be the email address, navigate to
Groups & Settings > All Settings > Devices & Users > Apple > Apple Business Manager > and edit your existing Profile then scroll all the way to the bottom to the Primary User account section.

Step 2 of 4: Add Okta Verify to UEM:
Each vendor has their own Plugin Application. The app needs to be uploaded to UEM as an app and then deployed to all of your devices before the profile is enabled. I recommend uploading it both as a Bootstrap Package AND as a fully-managed App (set to Optional deployment and published via UEM Freestyle Orchestrator). Having both a bootstrap app and a normal app available in UEM ensures that the IdP Plugin is ready to go for new devices running through Setup Assistant, and is available to existing devices as part of a Freestyle Workflow.
Step 3 of 4: Configure the 4 SSO Payloads
In the Workspace ONE UEM Console create 4 new Profiles, each with a single Custom Settings Payload as follows:
Payload 1 of 4:
(edit your strings according to your Okta implementation, sample data is included):
<dict>
<key>PayloadContent</key>
<dict>
<key>com.okta.mobile.auth-service-extension</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://acme.oktapreview.com</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>0asdvkgomgeTHTnf3ssg</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{EmailAddress}</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>Custom Settings</string>
<key>PayloadIdentifier</key>
<string>com.okta.mobile.auth-service-extension.3A02EFFF-07A9-425A-A175-4092C3659804</string>
<key>PayloadOrganization</key>
<string>COMPANY</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>3A02EFFF-07A9-425A-A175-4092C3659804</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Payload 2 of 4:
(edit your strings according to your Okta implementation, sample data is included)
<dict>
<key>PayloadContent</key>
<dict>
<key>com.okta.mobile</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://acme.oktapreview.com</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>0asdvkgomgeTHTnf3ssg</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{EmailAddress}</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>Custom Settings</string>
<key>PayloadIdentifier</key>
<string>com.okta.mobile.E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
<key>PayloadOrganization</key>
<string>COMPANY</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>E9100C26-00DD-4B27-B583-D7D14F3B0B69</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Payload 3 of 4:
(edit your strings according to your Okta implementation, sample data is included)
<dict>
<key>Configuration</key>
<array>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
<key>AssociatedDomains</key>
<array>
<string>authsrv:acme.oktapreview.com</string>
</array>
<key>EnableDirectDownloads</key>
<false/>
</dict>
<dict>
<key>ApplicationIdentifier</key>
<string>B7F62B65BN.com.okta.mobile</string>
<key>AssociatedDomains</key>
<array>
<string>authsrv:acme.oktapreview.com</string>
</array>
<key>EnableDirectDownloads</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>AssociatedDomainsSettings</string>
<key>PayloadDisplayName</key>
<string>Associated Domains</string>
<key>PayloadIdentifier</key>
<string>684B9C05-0A51-4837-8FC6-45990DE795FB.Associated Domains</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.associated-domains</string>
<key>PayloadUUID</key>
<string>684B9C05-0A51-4837-8FC6-45990DE795FB</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Payload 4 of 4:
(edit your strings according to your Okta implementation, sample data is included)
<dict>
<key>PlatformSSO</key>
<dict>
<key>LoginFrequency</key>
<integer>64800</integer>
<key>AccountDisplayName</key>
<string>Okta Platform SSO Dev</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>UseSharedDeviceKeys</key>
<true />
</dict>
<key>ExtensionIdentifier</key>
<string>com.okta.mobile.auth-service-extension</string>
<key>Type</key>
<string>Redirect</string>
<key>TeamIdentifier</key>
<string>B7F62B65BN</string>
<key>URLs</key>
<array>
<string>https://acme.oktapreview.com/device-access/api/v1/nonce</string>
<string>https://acme.oktapreview.com/oauth2/v1/token</string>
</array>
<key>PayloadDisplayName</key>
<string>SSO Extension</string>
<key>PayloadDescription</key>
<string>SsoExtensionSettings</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>3509A4EB-DE92-41FB-956E-FF2C656A51EC</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>3509A4EB-DE92-41FB-956E-FF2C656A51EC.SSOExtension</string>
</dict>
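The four payloads above only work together when their values agree: the OrgUrl and Password Sync client ID in payloads 1 and 2, the two application identifiers in payload 3 built from the Team Identifier in payload 4, the authsrv associated domain matching the OrgUrl host, and the Redirect URLs in payload 4 pointing at that same host. As an added example, not code from the original post, Omnissa or Okta, the Python script below cross-checks exported payloads for exactly those mismatches before they reach a device. The sample payloads are constructed to mirror the post's placeholder values (acme.oktapreview.com, Team ID B7F62B65BN); load_payload() is an assumed helper for feeding real exported XML plists into the same check.

```python
"""Cross-check the four Okta Platform SSO Custom Settings payloads for consistency.

Added example, not part of the original post. Sample values are constructed to
mirror the post's placeholders; real exports can be parsed with load_payload().
"""
import plistlib
from urllib.parse import urlparse

ORG_URL = "https://acme.oktapreview.com"   # sample Okta tenant from the post
CLIENT_ID = "0asdvkgomgeTHTnf3ssg"         # sample Password Sync client ID from the post
TEAM_ID = "B7F62B65BN"                     # Okta Verify Team Identifier
EXTENSION_ID = "com.okta.mobile.auth-service-extension"
OKTA_VERIFY_ID = "com.okta.mobile"


def load_payload(path):
    """Parse an exported Custom Settings payload (XML plist) from disk (assumed helper)."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def mcx_payload(domain, settings):
    """Shape of payloads 1 and 2: a managed-preferences payload forcing one domain."""
    return {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
    }


def mcx_settings(payload):
    """Return (preference domain, forced settings dict) from a managed-preferences payload."""
    (domain,) = payload["PayloadContent"].keys()
    return domain, payload["PayloadContent"][domain]["Forced"][0]["mcx_preference_settings"]


# Constructed sample payloads mirroring the post's four Custom Settings payloads
PAYLOAD_1 = mcx_payload(EXTENSION_ID, {
    "OktaVerify.OrgUrl": ORG_URL,
    "OktaVerify.PasswordSyncClientID": CLIENT_ID,
    "OktaVerify.UserPrincipalName": "{EmailAddress}",
    "PlatformSSO.ProtocolVersion": "2.0",
})
PAYLOAD_2 = mcx_payload(OKTA_VERIFY_ID, {
    "OktaVerify.OrgUrl": ORG_URL,
    "OktaVerify.PasswordSyncClientID": CLIENT_ID,
    "OktaVerify.UserPrincipalName": "{EmailAddress}",
})
PAYLOAD_3 = {
    "PayloadType": "com.apple.associated-domains",
    "Configuration": [
        {"ApplicationIdentifier": f"{TEAM_ID}.{app}",
         "AssociatedDomains": [f"authsrv:{urlparse(ORG_URL).hostname}"],
         "EnableDirectDownloads": False}
        for app in (EXTENSION_ID, OKTA_VERIFY_ID)
    ],
}
PAYLOAD_4 = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": EXTENSION_ID,
    "TeamIdentifier": TEAM_ID,
    "Type": "Redirect",
    "URLs": [f"{ORG_URL}/device-access/api/v1/nonce", f"{ORG_URL}/oauth2/v1/token"],
    "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True,
                    "LoginFrequency": 64800},
}


def check_psso_payloads(p1, p2, p3, p4):
    """Cross-check the four payloads; returns a list of findings (empty = consistent)."""
    findings = []
    domain1, s1 = mcx_settings(p1)
    domain2, s2 = mcx_settings(p2)
    org = s1.get("OktaVerify.OrgUrl", "")
    host = urlparse(org).hostname
    if urlparse(org).scheme != "https" or not host:
        findings.append(f"payload 1: OrgUrl must be an https URL, got {org!r}")
    # Payloads 1 and 2 configure the extension and the app; their Okta values must match
    for key in ("OktaVerify.OrgUrl", "OktaVerify.PasswordSyncClientID", "OktaVerify.UserPrincipalName"):
        if s1.get(key) != s2.get(key):
            findings.append(f"payloads 1/2: {key} differs ({s1.get(key)!r} vs {s2.get(key)!r})")
    if s1.get("PlatformSSO.ProtocolVersion") != "2.0":
        findings.append("payload 1: PlatformSSO.ProtocolVersion should be 2.0")
    if p4.get("ExtensionIdentifier") != domain1:
        findings.append("payload 4: ExtensionIdentifier does not match payload 1 preference domain")
    if p4.get("Type") != "Redirect":
        findings.append("payload 4: Type must be Redirect for Platform SSO")
    # Payload 3 must cover both apps under the payload 4 Team ID, each with authsrv:<org host>
    team = p4.get("TeamIdentifier")
    expected_apps = {f"{team}.{domain1}", f"{team}.{domain2}"}
    configured_apps = set()
    for entry in p3.get("Configuration", []):
        configured_apps.add(entry.get("ApplicationIdentifier"))
        if f"authsrv:{host}" not in entry.get("AssociatedDomains", []):
            findings.append(f"payload 3: {entry.get('ApplicationIdentifier')} lacks authsrv:{host}")
    if configured_apps != expected_apps:
        findings.append(f"payload 3: ApplicationIdentifiers {sorted(configured_apps)} != {sorted(expected_apps)}")
    # The SSO extension may only redirect to https endpoints on the tenant host
    for url in p4.get("URLs", []):
        u = urlparse(url)
        if u.scheme != "https" or u.hostname != host:
            findings.append(f"payload 4: URL {url} is not https on {host}")
    return findings


if __name__ == "__main__":
    for line in check_psso_payloads(PAYLOAD_1, PAYLOAD_2, PAYLOAD_3, PAYLOAD_4) or ["payloads consistent"]:
        print(line)
```

Run it against the exported payloads by replacing the four constants with load_payload() calls; an empty findings list means the profiles reference one tenant, one Team ID and one extension identifier throughout, which is the most common cause of a silent "no PSSO registration" result after deployment.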
Step 4 of 4: Deploy UEM Sensor to track progress
In order to track the rollout and success of PSSO, I recommend deploying the following UEM Sensor, which reports back the PSSO registration status of each device. I found this recommended somewhere on the Internet and apologize for not remembering where I got it in order to credit the original author, but whoever wrote this, I extend a thank you for sharing it:
#!/bin/bash
# Workspace ONE UEM sensor: report whether the console user has a Platform SSO registration
# Get the current logged-in user (scutil prints "Name : <user>"; "loginwindow" means nobody is logged in)
currentUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ($2 != "loginwindow") { print $2 }}')
# Check if the user is valid
if [[ -z "$currentUser" ]]; then
  echo "<result>No user logged in</result>"
  exit 0
fi
# Error handling: make sure the local account record can be read at all.
# (Testing $? after the awk pipeline below only ever sees awk's exit status, so that check could never fire.)
if ! /usr/bin/dscl . -read "/Users/$currentUser" RecordName >/dev/null 2>&1; then
  echo "<result>Error retrieving PSSO registration</result>"
  exit 1
fi
# Check for Platform SSO status: once registered, AltSecurityIdentities holds
# "PlatformSSO:<IdP account>"; the attribute is absent (stderr suppressed) when there is no registration
pssoe_status=$(/usr/bin/dscl . -read "/Users/$currentUser" dsAttrTypeStandard:AltSecurityIdentities 2>/dev/null | /usr/bin/awk -F'SSO:' '/PlatformSSO/ {print $2}')
# Determine the result based on the status
if [[ -z "$pssoe_status" ]]; then
  echo "<result>No PSSO registration found</result>"
else
  # Reported as a generic IdP account: the same attribute is written whichever IdP (Okta here) registered the user
  echo "<result>Yes, IdP account $pssoe_status registered to $currentUser</result>"
fi
Acknowledgements
A huge thank you to Bo Leksono and Cameron Megaw for helping to sort this out and come up with a working solution. I personally do not test with Okta.
Omnissa has published a guide on Techzone which can be found here: https://techzone.omnissa.com/resource/configuring-macos-platform-sso-using-okta-and-workspace-one-uem
Next Steps
With the configuration out of the way the next step would be to review Part 5 for some tips on troubleshooting.