Platform SSO for macOS

How Apple's Platform Single Sign-On is transforming Mac authentication in the enterprise

Overview

Authentication fatigue is real. IT departments spend countless hours managing password resets, while employees waste time juggling multiple credentials across corporate applications. Meanwhile, security teams battle an endless stream of phishing attempts targeting those same passwords.

Apple's **Platform Single Sign-On (PSSO)** for macOS represents a fundamental shift away from this broken model. Rather than treating authentication as an application-level concern, Platform SSO extends single sign-on capabilities directly into the operating system, creating a unified authentication experience that spans from the login window to every corporate application.

Throughout this document and subsequent pages there are several terms to familiarize yourself with:

  • IDP: Identity provider such as Microsoft Entra, Okta Identity Engine, Ping, etc.

  • PSSO / Platform SSO / Platform Single Sign-On

  • Secure Enclave / Secure Enclave Backed Keys / SEP: The Secure Enclave is a dedicated secure subsystem integrated into Apple system on a chip (SoC). The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.

  • Simplified Setup: A new method to require Platform SSO registration during the Setup Assistant during Automated Device Enrollment, which can also be used to create the first local user account on macOS.

Figure: Simplified Setup. PSSO registration during the Setup Assistant.

Figure: Single Sign-On for Mac. Platform SSO registration being presented on an existing computer.

What Platform SSO Actually Does

Platform SSO transforms the managed device itself into the authenticator. The authorized organizational user accesses the device using their password or biometric credentials. Once unlocked, PSSO provides secure tokens to the IdP, enabling seamless authentication across both web and native applications managed by the identity provider. When combined with Jamf Pro's capabilities in macOS 26 to obtain device attestation directly from Apple, you could achieve a security trifecta: only a verified, trusted user operating a managed and authenticated device can access secure cloud resources. Platform SSO goes deeper, integrating authentication at the macOS system level.

When properly deployed, users authenticate once during login and automatically gain access to:

  • Corporate web applications such as Salesforce, Dropbox Business, or Office 365

  • macOS applications such as Outlook, Slack, and Microsoft Teams

  • Cloud services and resources

The authentication happens transparently in the background, providing a seamless login experience to applications and services.

The Technical Foundation

Platform SSO integrates cloud identity into macOS. Identity providers can integrate at several points of authentication in the OS, including synchronizing the local account password, requiring password validation against the cloud at system startup and wake events, or integrating Touch ID authentication to establish best practice.

  • Credential Synchronization: Local Mac account credentials automatically sync with your organization's identity provider, eliminating password drift between local and cloud accounts.

  • Directory Services Replacement: Platform SSO can serve as a modern alternative to traditional Active Directory binding, which has become increasingly complex and unreliable in modern network environments… especially in shared computer environments.

Relationship to SSOe

Platform SSO builds on Apple's underlying SSOe (Single Sign-On extensions) framework, which enables integration between cloud identity providers and macOS. While third-party SSOe applications can be deployed through MDM solutions, Platform SSO provides a broader, more integrated framework leveraging these same underlying technologies.

Identity Provider Support and Authentication Methods

Both Microsoft Entra ID and Okta support Platform SSO features as identity providers; however, specific features and implementation details can differ between their solutions.

For example, the Platform SSO framework supports three authentication modes: Password, Secure Enclave-backed Key, or Smart Card. Both Microsoft Entra ID and Okta Identity Engine support password sync mode, and Microsoft's extension can also be configured to work in one of the other modes instead. Both Microsoft Entra ID and Okta Identity Engine also support phishing-resistant authentication.

Organizations planning Platform SSO deployments must carefully verify that their chosen authentication method aligns with their identity provider's current capabilities. The authentication landscape is evolving rapidly, and what's supported today may expand significantly over the coming months.

Platform SSO supports multiple authentication approaches, each suited to different organizational needs and security requirements. Use this table to identify which authentication method fits your IdP and use case:

Authentication Methods

Feature:

  • Password Authentication Mode (Password Sync)

  • Secure Enclave Key Authentication

  • Smart Card Integration

  • Tap to Login

  • Simplified Setup

  • Authenticated Guest Mode

Technical Requirements

Platform SSO requires modern hardware and software:

  • Hardware: Mac with Apple silicon chip

  • Software: macOS 13 or later (macOS 26 required for newest features)

  • Management: MDM solution supporting Extensible Single Sign-On payloads, such as Jamf Pro, part of the Jamf for Mac offering

  • Identity: Compatible identity provider with Platform SSO protocol support
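
To check which of the three authentication modes a profile actually requests, the following added example (not Jamf's or Apple's code) audits an unsigned configuration profile for Extensible SSO payloads. The payload type and key names are taken from Apple's device management payload documentation rather than from this page, and the sample profile, identifiers and URL are constructed placeholders.

```python
import plistlib

# Apple's Extensible SSO payload type and the PlatformSSO.AuthenticationMethod
# values for the three modes named above (key names are from Apple's payload
# documentation, not from this page).
SSO_PAYLOAD = "com.apple.extensiblesso"
MODES = {"Password": "Password",
         "UserSecureEnclaveKey": "Secure Enclave-backed Key",
         "SmartCard": "Smart Card"}

def audit_profile(data: bytes) -> list:
    """Return one finding per Extensible SSO payload in an unsigned profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != SSO_PAYLOAD:
            continue
        psso = payload.get("PlatformSSO") or {}
        # macOS 13 profiles set the method at the top level of the payload.
        method = psso.get("AuthenticationMethod") or payload.get("AuthenticationMethod")
        issues = [f"missing {k}" for k in
                  ("ExtensionIdentifier", "TeamIdentifier", "Type") if not payload.get(k)]
        if method is None:
            issues.append("no AuthenticationMethod: Platform SSO not enabled")
        elif method not in MODES:
            issues.append(f"unknown AuthenticationMethod {method!r}")
        findings.append({"extension": payload.get("ExtensionIdentifier"),
                         "mode": MODES.get(method), "issues": issues})
    return findings

# Constructed sample profile: identifiers and URL are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed"},
        {"PayloadType": SSO_PAYLOAD, "Type": "Redirect",
         "ExtensionIdentifier": "com.example.idp.ssoextension",
         "TeamIdentifier": "ABCDE12345",
         "URLs": ["https://idp.example.com"],
         "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey"}},
        {"PayloadType": SSO_PAYLOAD, "Type": "Redirect",
         "ExtensionIdentifier": "com.example.legacy.ssoextension"},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

A CMS-signed .mobileconfig must have its signature stripped before `plistlib` can parse it.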

Strategic Considerations

The Jamf Connect Question

If you've been reading this far, you may have asked yourself a number of questions:

Does implementing Platform SSO with a compatible IdP app replace the need for Jamf Connect at your organization?

While there is now a greater overlap in functionality once all devices are on macOS 26, there are still a number of differences to consider between solutions, which will inform your organization's identity strategy for your Macs.

Resources

Apple Platform Security - Secure Enclave

Configuring Simplified Setup for Platform SSO

Deploying macOS Platform SSO for Okta with Jamf Pro

Deploying macOS platform SSO for Microsoft Entra ID with Jamf Pro

Platform Single Sign on for macOS

Platform SSO Feedback / Survey


Considering Platform SSO for your organization? Start by evaluating your current identity provider compatibility and determining which authentication methods align with your security requirements and user experience goals.