Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Mobile payload settings
- Mobile Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Fonts payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload specifics
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- LDAP payload settings
-
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Maths and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
- Glossary
- Document revision history
- Copyright
Extensible Single Sign-on MDM payload settings for Apple devices
Use the Extensible Single Sign-on payload to define extensions for multi-factor user authentication on an iPhone, iPad or Mac enrolled in a mobile device management (MDM) solution.
This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured using MDM, the user authenticates once then gains access to subsequent native apps and websites automatically. The following other features can be used with the Extensible Single Sign-On payload when implemented by the developer:
iCloud Keychain
Multi-factor authentication
Per-app VPN
User notification
In addition to providing the single sign-on extensions for third-party developers, iOS 13, iPadOS 13.1 and macOS 10.15 feature a built-in Kerberos extension that can be used to sign users in to native apps and websites that support Kerberos authentication.
The Extensible Single Sign-on payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.extensiblesso
Supported operating systems and channels: iOS, iPadOS, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrolment types: User Enrolment, Device Enrolment, Automated Device Enrolment.
Duplicates allowed: True — only one Extensible Single Sign-on payload can be delivered to a user or device.
You can use the settings in the table below with the Extensible Single Sign-on payload.
Setting | Description | Required | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Extension identifier | The unique bundle ID for the app. | Yes | |||||||||
Team identifier | The unique team ID for the app. | Yes | |||||||||
Sign-on type |
| Yes | |||||||||
Authentication method macOS 13 or later | The Platform SSO authentication method the extension uses. Requires that the SSO extension also support the method.
| No | |||||||||
Registration token macOS 13 or later | The token this device uses for registration with Platform SSO. Use it for silent registration with the identity provider. Requires that Authentication Method not be empty. | No | |||||||||
Realm | The full Kerberos realm where the user’s account is located. This key is ignored for Redirect payloads. | No | |||||||||
Hosts | Approved domains that can be authenticated with the app extension. | No | |||||||||
URLs | Required for Redirect payloads. Ignored for Credential payloads. The URLs must begin with https:// or http://, the scheme and hostname are matched case-insensitively, query parameters and URL fragments aren’t allowed, and the URLs of all installed Extensible SSO payloads must be unique. | No | |||||||||
Note: Each MDM vendor implements these settings differently. To learn how various Extensible Single Sign-on settings are applied to your devices and users, consult your MDM vendor’s documentation.