What is Platform SSO?

Meredith Kreisa | Updated December 19, 2024

During its 2022 Worldwide Developers Conference (WWDC), Apple announced plans to introduce Platform Single Sign-On (SSO). Many in the ecosystem longed for the day when users could sign on to their Mac devices via the organization’s identity provider (IdP) for SSO authentication and automatically log in to every app, website, and service. Starting with macOS 13 Ventura, this dream became a reality: Platform SSO is finally here. We’ll break down what you should know about Platform SSO and Apple’s other authentication services.

What is Platform SSO?

Platform SSO is Apple’s most advanced single sign-on feature to date. Available for macOS 13 and later, it essentially replaces Active Directory binding. Local account credentials synchronize with your IdP so that users need to log in only once. After logging in to their iPhone, iPad, or macOS device with their credentials or smart card, they automatically have access to multiple applications, websites, and services. That means fewer passwords for SSO users to forget!

Platform SSO 2.0 (or Platform SSO V2, Version 2) is an updated version of Platform SSO that adds a new key service. According to Apple, this "enables an alternative registration flow and additional login configuration." This means new capabilities to support features like password syncing and creating users at login windows.

What is SSOe, and how does it relate to Platform SSO?

Single Sign-On Extension (SSOe), also known as Extensible SSO, is Platform SSO’s predecessor. Announced at WWDC 2019, SSOe required users to sign in twice: once to unlock the device and once to use the SSO extension. While it was a move in the right direction, Platform SSO takes it one step further by tying the local account directly to the single sign-on application.

If signing in just once saves each end user 10 seconds per day, that adds up to around 40 minutes over the course of the year. So if you have 100 users, you just saved your business over 60 labor hours per year. And that’s not even counting all the time your IT team will save thanks to fewer support tickets. Efficiency for the win!

What is Enrollment SSO?

Enrollment SSO leverages SSOe and Managed Apple ID to allow users to enroll a device. Powered by the identity service provider, this option simplifies Apple User Enrollment for BYOD devices and streamlines the initiation of remote Apple device management. The SSO user signs in with a Managed Apple ID, downloads the IdP app, and logs in with the native app experience (which provisions SSOe on the device). Then they can automatically sign in to all managed apps through SSOe.

How does Platform SSO work?

Platform SSO binds the user’s local account and cloud-based IdP user identity, automatically signing them into business apps when they log in to their Mac device with their IdP login credentials.

To do this securely, Platform SSO registers the device with a Secure Enclave-backed key so that the IdP can recognize the endpoint. The device configuration, which is typically delivered via an MDM profile, includes the necessary system settings for integrating with the IdP and enabling seamless SSO.

The Secure Enclave is a hardware-based security feature that generates and protects cryptographic keys for authentication.

For enhanced security, Device Access SCEP certificates are used to verify the device’s identity and enable secure communication between the device and the IdP or business apps. For shared devices, secure configurations ensure that each session remains protected. Additionally, the SSO token is refreshed according to Platform SSO policy set by the organization or IdP, allowing the user to remain signed in across apps without needing to reauthenticate repeatedly.

Combined with these security measures, the password works in conjunction with SSOe to refresh the login token and support multifactor authentication (MFA). This comprehensive approach ensures that access is secure, compliant, and in line with organizational policies, providing a layer of device access control as part of the zero-trust security model.

How to configure Platform SSO with SimpleMDM

Configuring Platform SSO with SimpleMDM is one of the easiest things you’ll do all week. Just follow these steps:

  1. Configure the SSOe profile in SimpleMDM, setting the authentication method and providing a registration token for Platform SSO.

  2. Assign the profile to your devices.

  3. Check the identity provider vendor's documentation for other SSO configuration requirements and additional details.

Your boss doesn’t need to know how easy it was. Enjoy the free high fives!

Benefits of Platform SSO

When you enable SSO for user authentication, it simplifies multiple aspects of your device access management, identity management, user management, and security programs. Basically, it helps MacAdmins live their best lives. We’ll highlight just a few of the potential advantages.

Streamlined user authentication

Users log in just once and have access to the resources they need.

Compatibility with MFA

In conjunction with Platform SSO, you can add Face ID or Touch ID, a hardware key, or even push notifications for some apps.

Superior user experience

With password sync, users only have to remember one password, and they don’t have to reenter it constantly.

Fewer help desk tickets

Platform SSO enforces the password policy, and passwords don’t get out of sync. That means less legwork for your IT team.

Improved access management

Platform SSO simplifies user access control by centralizing the identity management process, allowing secure access to Apple devices with less effort.

Enhanced security

Allowing users to access multiple accounts through one set of credentials reduces the likelihood of password fatigue. Users can select strong, secure passwords without insurmountable suffering.

Better compliance

Since Platform SSO makes it easier to enforce uniform access policies and track authentication attempts, it also simplifies maintaining regulatory compliance. This can make compliance with standards like GDPR, HIPAA, or SOX more manageable.

Compatible identity providers

To use Platform SSO, you need a compatible identity service provider. Okta was the first identity service provider to adopt Apple's Platform SSO extension, but Microsoft Entra ID (formerly Microsoft Azure Active Directory) also now supports Platform SSO.


At SimpleMDM, we want to make everything in life quick and easy — especially mobile device management. That’s why we already support Platform SSO. We also support SSOe because we’re no chumps. Want to stare slack-jawed at the incomparable convenience? Sign up for a free 30-day trial. Your users will never want to sign in to their accounts the old-fashioned way again.
