Редактиране

Споделяне чрез


Join a Mac device with Microsoft Entra ID using Company Portal (preview)

In this tutorial, you will learn how to register a Mac device with macOS Platform Single Sign-on (PSSO) using Company Portal and the Intune MDM enrollment with Microsoft Entra Join. There are three methods in which you can register a Mac device with PSSO, secure enclave, smart card, or password. We recommend using secure enclave or smart card for the best passwordless experience, however it's important to note that this method will be preset by your company administrator using Microsoft Intune.

Prerequisites

  • A recommended minimum version of macOS 14 Sonoma. While macOS 13 Ventura is supported, we strongly recommend using macOS 14 Sonoma for the best experience.
  • Microsoft Intune Company Portal app version 5.2404.0 or later
  • A Mac device enrolled in mobile device management (MDM) with Microsoft Intune.
  • A configured SSO extension MDM payload with PSSO settings in Intune by an administrator
  • Microsoft Authenticator (recommended), the user must be registered for some form of Microsoft Entra ID multifactor authentication (MFA) to complete device registration.
  • For smart card setup, certificate based authentication configured and enabled. A smart card loaded with a certificate for authentication with Microsoft Entra and the smart card paired with local account.

Intune MDM and Microsoft Entra Join using Company Portal

To register a Mac device with PSSO, you must first enroll your device in Microsoft Intune using the Company Portal app. Once enrolled, you can use secure enclave, smart card, or password to register your device with PSSO.

  1. Open the Company Portal app and select Sign in.

  2. Enter your Microsoft Entra ID credentials and select Next.

  3. You're prompted to Set up {Company} access. The placeholder "Company" is different depending on your setup. Select Begin, then on the next screen, select Continue.

    Screenshot of the Company portal access setup window.

  4. You're presented with steps to install the management profile, which should be set up by an administrator using Microsoft Intune. Select Download profile.

    Screenshot of a Company Portal window requesting the user to download the management profile.

  5. Open Settings > Privacy & Security > Profiles if it doesn't automatically appear. Select Management Profile.

    Screenshot of the Settings app Profiles showing a downloaded management profile.

  6. Select Install to get access to company resources.

    Screenshot the prompt to install the management profile in settings.

  7. Enter your local device password in the Profiles window that appears and select Enroll.

    Screenshot of the profiles window requesting a password to enroll you into an MDM service.

  8. You'll see a notification in Company Portal that the installation is complete. Select Done.

Platform SSO registration

Now that the device is in compliance with Company Portal, you need to register your device with PSSO. A Registration Required popup appears at the top right of the screen following successful completion of Intune MDM and Microsoft Entra Join using Company Portal. Use the tabs to register your device with PSSO using secure enclave, smart card, or password.

  1. Navigate to the Registration Required popup at the top right of the screen. Hover over the popup and select Register. For macOS 14 Sonoma users, you'll see a prompt to register your device with Microsoft Entra. This prompt doesn't appear for macOS 13 Ventura.

    Screenshot of a Microsoft Entra registration prompt that appears on macOS 14 after the registration required notification is selected.

  2. Once your account is unlocked with Touch ID or password, select the account to sign in to, enter your sign-in credentials and select Next.

  3. MFA is required as part of this sign in flow. Open your Authenticator app (recommended) or use your other MFA methods you have registered, and enter the number displayed on the screen to finish registration.

  4. When the MFA flow completes and the loading screen disappears, your device should be registered with PSSO. You can now use PSSO to access Microsoft app resources.

Enable Platform Credential for macOS for use as a passkey

Setting up your device using secure enclave method enables you to use the resulting credential saved to the Mac as a passkey in the browser. To enable it;

  1. Open the Settings app, and navigate to Passwords > Password options.

  2. Under Password Options, find Use passwords and passkeys from and enable Company Portal through the toggle switch.

    Screenshot of the Password Options window indicating that the use of passwords and passkeys from Company Portal has been enabled by a switch.

Check your device registration status

Once you've completed the steps above, it's a good idea to check your device registration status.

  1. To check that registration has completed successfully, navigate to Settings and select Users & Groups.

  2. Select Edit next to Network Account Server and check that Platform SSO is listed as Registered.

  3. To verify the method used for authentication, navigate to your username in the Users & Groups window and select the Information icon. Check the method listed, which should be Secure enclave, Smart Card, or Password.

    Note

    You can also use the Terminal app to check the registration status. Run the following command to check the status of your device registration. You should see in the bottom of the output that SSO tokens are retrieved. For macOS 13 Ventura users, this command is required to check the registration status.

    app-sso platform -s
    

Update your Mac device to enable PSSO

For macOS users whose device is already enrolled in Company Portal, your administrator can enable PSSO by updating your device's SSO extension profile. Once the PSSO profile is deployed and installed on your device, you're prompted to register your device with PSSO via the Registration Required notification at the top right of the screen. This will remove the old SSO registration from your device in place of the new PSSO registration.

Although it's recommended to do it immediately, you can choose to select this and start your device registration at a time convenient to you.

See also