This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 74%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
We are in the process of enabling conditional access policies (CAP) in Azure and have hit a snag when it comes to MacOS users. As expected and described in the KB's (and even warned in the UX) when applying CAP's to MacOS devices the end user will be prompted for a device certificate in order to complete the SSO journey. All good there, however, we understood (maybe mistakenly) that deploying Company Portal to all devices and having the users complete the setup and import the portal certificate into their KeyChain (with "Always Allow") they would no longer be requested to accept new certificates. This unfortunately means our end users are up in arms about the "constant" requests in their browsers to accept certificates, and we haven't yet tried to touch more complex SSO scenarios such as GCP and AWS federation where users may be using impersonation and command line based SSO.
It's worth noting that we also use JamfPro, and all MacOS devices are "Azure AD Registered" and enrolled into Intune with a valid Compliance Policy.
Is there a solution to this problem?
Pictures for reference:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@James Seddon, Thanks for posting in Q&A. Based on my researching, In MacOS devices, when Azure AD identifies the device using a client certificate provisioned during device registration, the end user is prompted to select the certificate first before using the browser. Deploying the Microsoft Intune Company Portal app through Jamf Pro Self Service can help send the certificate to the Keychain. If the user has already imported the certificate into their KeyChain with "Always Allow" at least once, they should not be requested to accept new certificates. However, launching the Company Portal app manually from the Applications or Downloads folders won't register the device. We recommend directing end users through email, Jamf Pro notifications, or any other method your organization uses to complete device registration. Finally, consider creating a common Conditional Access policy to require a compliant device, to enhance your organization's security.
References:
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hey Crystal,
Thanks for the reply. The majority (90%+) of users have successfully enrolled into Intune/Azure, we used a scripted deployment to ensure company portal was installed and launched correctly as per the documentation. We also ran a report yesterday and can see the majority of users have the Workplace Join key in their keychain and a valid JamfAAD PLIST value.
We have also tested what happens during enrollment if a user fails to press "Always Allow" on the keychain request, and that does lead to more issues but does not resolve this issue.
Is it a requirement to deploy the SSO Plugin? Our MDM partner believes this isn't a requirement or related to the issue however there are a couple of things that make me believe this might resolve the issue:
@James Seddon, Thanks for the reply. For the SSO Plugin, you can test on one device to see if it is the solution. Or you can contact our Azure AD support to get more help on this.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-get-support
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 81%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
By deploying the SSO Plugin, did it solve the issue?
@Anish Bhowmick Yes it did, we found that it's a hard requirement for this to work correctly.
@Anish Bhowmick Yes it did, we found that it's a hard requirement for this to work correctly.
Did the user had to accept the certificate in the initial stage or after the SSO it takes care of these prompts and login directly? And also does this works with chrome and firefox or how did you tackle those
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 26%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
The MS SSO Ext only works seamlessly with Safari and Edge browsers as these use Apple networking technologies underneath. For FF and Chrome, they do not use Apple networking technology so the experience is not as seamless for users. They will get prompted to 'trust' the WPJ cert. We were looking at a way to possibly automate that with a config profile but so far have not been successful.
Yep, the user has to accept the certificate, it's also important that they "Always Allow" it as well if not this seems to also cause more issues and can lead to having to re-register the device again.
@Maria Coniglio Can you provide some more context to your comment please, I'm curious what you mean by "Apple networking technology".
Check out this MS article: https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin specifically this box:
We are not using the Jamf Pro, all the devices are enrolled with the Intune user-based enrolment. can you please help us?