The technology that we have available to us today intends to make the user experience as smooth as possible. With increasing cybercrime causing headaches for plenty of businesses, the need to constantly improve continues. Security protocols and device management are very high priorities for every organization.
One area that plays a significant role in improving any organization’s security posture is identity management. The best solutions on the market offer a seamless user experience that can improve how users interact with their devices.
It’s always interesting to look at how products and services from different organizations can combine. Ideally, separate brands fuse the best of what they each have for the benefit of their customers. It’s with this in mind that we want to look at how Microsoft Intune and Apple Identity Services do something similar. Both are bringing great solutions to their clients to improve security, as well as secure the user experience.
Microsoft Intune has a lot to offer
As we all know, Intune is a fantastic endpoint management solution. It simplifies app and device management across your various devices. This can include mobile devices, desktop computers, and virtual workstations.
So, it’s perfectly understandable why Intune is such a popular solution for many organizations. It’s a platform that is not only for Windows devices, but it also works brilliantly to improve Apple device management.
Your security improves immediately because Intune keeps your macOS software up to date, which minimizes vulnerabilities while reducing manual tasks. Customers can also expect a native macOS software update client experience, because the macOS system update policies in Intune are built on Apple’s MDM commands. By implementing measures such as these, Intune helps you reduce the overall attack surface of your business.
SIMPLIFIED APP MANAGEMENT
Another thing you can look forward to is doing away with the trouble of app conversion, because Intune is introducing a new application deployment service. This service leverages the Intune MDM agent to install, monitor, and report on DMG-type applications, which lets you deploy in-place DMG app upgrades. It also reduces some of the burden on IT staff and makes everyday tasks easier.
In addition, Microsoft has been working on a solution that simplifies the deployment of apps that rely on custom scripts or are unsigned. This new option, which leverages the Intune MDM agent to deploy PKG-type installers, will improve flexibility and customization. Even with these changes, Microsoft has assured its customers that support for the native PKG-type app management experiences for macOS will continue.
ENHANCED USER EXPERIENCE
The provision of a consistent onboarding experience for all Apple devices is a top priority to enhance the experience for all users. Intune will be leaning on the Just-In-Time (JIT) macOS/iPadOS enrollment experience. This simplifies the Mac device onboarding process for users with corporate-owned devices.
Once enrollment finalizes, users can log in through the Enterprise Single Sign-On extension. From there, they get SSO across Azure AD-enabled apps and can use their Azure AD password to log on to their Mac.
Coupled with the consistent onboarding experience, Intune is also determined to speed up the iOS enrollment process. Because of what the JIT functionality offers, the iOS Company Portal app will no longer be necessary for Azure AD (AAD) registration.
We’ll see a move towards web-based device enrollment, which offers a swifter end-to-end enrollment process thanks to fewer authentication steps and less switching back and forth between apps.
EFFICIENT DEVICE MANAGEMENT
Microsoft has also been working on a solution that supports local administrator account and local primary account creation during macOS Automated Device Enrollment (ADE). This will allow customization of local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity.
A couple of years back, Microsoft Intune announced support for Declarative Device Management (DDM). Intune also extended DDM to the macOS settings catalog.
Arguably, one of the best things about DDM is how it can easily co-exist with the standard MDM protocol. It does so without negatively affecting the end-user experience. Customers can send the policies they have created in the settings catalog as well as DDM-based policies to DDM-enabled devices. They can also send the standard MDM-based policy to those devices using the older protocol.
Apple Identity Services
One of the things that has helped Apple distinguish itself over the years is excellent data and device security. In a world where nefarious actors are constantly attempting to exploit device vulnerabilities, businesses need solutions to safeguard their data. With Apple Identity Services, your organization gets a product that can securely manage usernames and passwords.
The first measure we’ll talk about is authentication, the process of verifying the identity of a user. Apple supports several authentication methods, such as single sign-on, and also provides services such as personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime.
Once authentication has verified the identity of a user, you then have authorization, which determines precisely what users are allowed to do. For this process, you provide a username and a password to an identity provider (IdP).
Essentially, the identity provider functions as the authority, and the username and password form the assertion. Together with authentication and authorization, we can also talk about identity federation.
This process establishes trust between two parties and authenticates users, enabling a user’s identity to be linked across multiple separate identity management systems. Identity federation can only work effectively if admins set up domains that trust each other, and there also needs to be a single method to identify users.
Enhancing Authentication with Platform Single Sign-On
Users constantly need the services they use to improve so that they can better interact with technology and work more efficiently. In light of this, Apple saw it fit to introduce Platform Single Sign-On, which represents the evolution of authentication protocols.
This solution replaces Active Directory binding and simplifies life for users by requiring them to sign in only once. This is possible because, upon a successful user login, the local account credentials synchronize with the IdP, giving the user access to various other resources without needing to enter their password again. Platform SSO supports several authentication methods with an identity provider (IdP):
- Password and encrypted password
- Password with WS-Trust
- User secure enclave key
- SmartCard
Platform SSO (PSSO) sets up new local user accounts on demand at the login window using IdP credentials. The service can also integrate IdP group membership with macOS; in addition, network accounts can be used for authorization, and groups may also authorize network accounts.
Authentication
As new users go through the authentication process using credentials from their organization’s IdP, they can now have new local user accounts automatically created by macOS. The benefits of this to your organization are several, including:
- Better user experience – time is of the essence, and with a setup like this, new users won’t require pre-configured accounts, allowing them a much swifter start. As one can imagine, this makes it an excellent solution in environments where device sharing is required.
- More robust security – the use of user-unique credentials significantly strengthens your organization’s security when users access their devices. Not only that, but the uniqueness of these credentials makes it easier to keep track of all users’ access and activities.
- Lighten the burden on IT – most of us are aware of how taxing the manual tasks IT staff have to undertake can be, so a solution that automates the user creation process will undoubtedly be welcomed by IT staff. No longer will IT pros have to go through the tedious process of manually setting up accounts for each new user.
REQUIREMENTS FOR LOCAL ACCOUNT CREATION
But, before moving ahead, you should know that there are a few requirements. Your organization needs to meet the following for you to take advantage of local account creation.
- UseSharedDeviceKeys – to enable this, you’ll need to use a shared device key that gives the device a trusted connection to Entra ID, regardless of the user.
- Connectivity with the Identity Provider – your device should be able to connect to your Entra ID. Without this connection, user credentials cannot be authenticated, nor can the user be authorized to access the device.
- Device State – Login Window with FileVault Unlocked – the device in question should be at the login window, and you also need to ensure that FileVault is unlocked. This state matters because it establishes that the device is secure while verifying its readiness to set up a new user account once authentication has completed successfully.
- MDM Support for Bootstrap Tokens – ensure that Bootstrap Tokens are supported by the MDM system. These tokens are integral to the delivery of a seamless user experience within a highly secure environment. This becomes even more evident in situations that require the creation of new user accounts on macOS devices.
- User Authentication – as soon as you have met all the requirements, users can then begin the authentication process using their Entra ID username and password or a SmartCard.
- Assignment of User Permissions – the Identity Provider groups determine the assignment of post-authentication user permissions.
- Defining Access Levels through MDM Profiles – to ensure organizational security of the highest standard, all newly created accounts should have their access levels carefully defined. Intune profiles will play a central role during this process and are responsible for determining which users have standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.
Creating extensions that support platform SSO
Performing single sign-on with an identity provider requires creating an SSO extension that supports PSSO and implements the required functionality. Additionally, you need to specify the grant types that the extension and IdP support. In macOS 14.0 and later, implement supportedGrantTypes() and return:
- Password: password
- Secure enclave key, SmartCard, and encrypted password: jwtBearer
- WS-Trust: saml1_1 or saml2_0
For PSSO 2.0, there is a new key service for SSO extensions and IdPs, which allows an alternative registration flow and additional login configuration. Before you can use it, the extension must implement protocolVersion() and return ASAuthorizationProviderExtensionPlatformSSOProtocolVersion.version2_0 to indicate that the extension and the IdP server support PSSO 2.0. To complete this section, you need to enable a ticket-granting ticket with the Kerberos SSO extension, and use diagnostics to iterate on the configuration during development.
REGISTRATION OF USERS AND DEVICES
After creating an SSO extension, there are a few steps to follow to register devices and users with an identity provider; Platform SSO calls the extension to perform these steps. The extension first registers a device, then registers users on that same device. Your SSO extension needs to implement the ASAuthorizationProviderExtensionRegistrationHandler protocol to support registration.
- Device registration
The SSO extension will use the following to register a device:
beginDeviceRegistration(loginManager:options:completion:)
Furthermore, the extension will need to:
- Register the device with its associated IdP.
- Provide the login configuration to Platform SSO.
- Execute the completion handler.
- User registration
Successful device registration completes with the following result:
ASAuthorizationProviderExtensionRegistrationResult.success
Once complete, the SSO extension should then proceed with user registration through:
beginUserRegistration(loginManager:userName:method:options:completion:)
The system is designed so that all users on a device need to use the login configuration, including users the system creates during login. When shared keys are used, user registration begins only for each subsequent user on the device, so when new users are created during login, they are prompted to start registration when they reach the desktop.
After the registration process completes, the SSO extension must call the completion handler. The users then authenticate using the new configuration, which can use Platform SSO immediately.
Finally, if the extension supports the PSSO 2.0 protocol methods and the system uses password authentication, a new key will be provisioned by the key service and linked to the user account.
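As an added example (not code from the article, Apple, or Microsoft), here is a minimal Swift registration handler covering the grant types, the PSSO 2.0 protocol version, device registration and user registration described above. The IdP issuer, client ID and the /register/device and /register/user paths are assumed placeholders, and the certificate-posting transport is a hypothetical stand-in for a real IdP’s registration API; the extension’s login handler is out of scope here.

```swift
import AuthenticationServices
import Foundation
import Security
// Added example, not the article's or Apple's code: issuer, client ID and the /register paths are assumed placeholders.
final class RegistrationHandler: NSObject, ASAuthorizationProviderExtensionRegistrationHandler {
    private let issuer = "https://idp.example.test"   // assumed placeholder IdP
    private let clientID = "psso-extension-client"    // assumed placeholder
    // macOS 14+: password -> .password; Secure Enclave key, SmartCard, encrypted password -> .jwtBearer; WS-Trust -> .saml1_1/.saml2_0.
    func supportedGrantTypes() -> ASAuthorizationProviderExtensionSupportedGrantTypes {
        return [.password, .jwtBearer]
    }
    // Advertise PSSO 2.0 so the key service provisions a user key after password login.
    func protocolVersion() -> ASAuthorizationProviderExtensionPlatformSSOProtocolVersion {
        return .version2_0
    }
    // Step 1: register the device with the IdP, hand Platform SSO the login configuration, then complete.
    func beginDeviceRegistration(loginManager: ASAuthorizationProviderExtensionLoginManager,
                                 options: ASAuthorizationProviderExtensionRequestOptions,
                                 completion: @escaping (ASAuthorizationProviderExtensionRegistrationResult) -> Void) {
        // Shared device keys: one device identity the IdP trusts regardless of which user logs in.
        let shared = options.contains(.registrationSharedDeviceKeys)
        guard let identity = loginManager.copyIdentity(for: .currentDeviceSigning) else { return completion(.failed) }
        post(identity: identity, path: "/register/device", fields: ["sharedDeviceKeys": shared]) { ok in
            guard ok else { return completion(.failed) }
            let config = ASAuthorizationProviderExtensionLoginConfiguration(
                clientID: self.clientID, issuer: self.issuer,
                tokenEndpointURL: URL(string: "\(self.issuer)/token")!,
                jwksEndpointURL: URL(string: "\(self.issuer)/jwks")!, audience: nil)
            do { try loginManager.saveLoginConfiguration(config); completion(.success) }
            catch { completion(.failed) }
        }
    }
    // Step 2: called per user once device registration returned .success.
    func beginUserRegistration(loginManager: ASAuthorizationProviderExtensionLoginManager, userName: String?,
                               method: ASAuthorizationProviderExtensionAuthenticationMethod,
                               options: ASAuthorizationProviderExtensionRequestOptions,
                               completion: @escaping (ASAuthorizationProviderExtensionRegistrationResult) -> Void) {
        // Binding a user needs the IdP sign-in UI; without interaction, ask the system to retry with it.
        guard options.contains(.userInteractionEnabled), let user = userName else { return completion(.userInterfaceRequired) }
        guard let identity = loginManager.copyIdentity(for: .userDeviceSigning) else { return completion(.failed) }
        post(identity: identity, path: "/register/user", fields: ["user": user, "method": method.rawValue]) { ok in
            completion(ok ? .success : .failed)
        }
    }
    func registrationDidComplete() {}
    // Sends only the identity's certificate (never the private key) to the assumed IdP endpoint.
    private func post(identity: SecIdentity, path: String, fields: [String: Any], completion: @escaping (Bool) -> Void) {
        var cert: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess, let cert = cert else { return completion(false) }
        var body = fields
        body["certificate"] = (SecCertificateCopyData(cert) as Data).base64EncodedString()
        var request = URLRequest(url: URL(string: issuer + path)!)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        request.httpBody = try? JSONSerialization.data(withJSONObject: body)
        URLSession.shared.dataTask(with: request) { _, response, _ in
            completion((response as? HTTPURLResponse)?.statusCode == 200)
        }.resume()
    }
}
```

The handler returns .userInterfaceRequired rather than failing when user registration arrives without interaction, so the system re-invokes it with the IdP’s sign-in UI instead of leaving the user unregistered.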
Microsoft introduces Platform SSO for macOS
In 2023, Microsoft announced Platform SSO for macOS, an enhancement that gives users of macOS devices a more seamless experience with even better security. Users can expect a solution that enables them to use Touch ID to unlock their device, eliminating the need to enter a password.
Under the hood, users are then signed into Entra ID with a device-bound cryptographic key. Because these credentials are phishing-resistant, your business can save money by removing the need for security keys or other hardware.
Adding to user convenience will be the fact that after signing in, the existing Microsoft Enterprise SSO plug-in ensures that you remain signed into the apps you use for work.
However, there is an alternative for those who may not yet be ready to completely remove passwords from Entra ID sign-ins. In this scenario, Platform SSO for macOS allows you to synchronize local account passwords with Entra ID passwords so that users can use one credential across their macOS devices. Furthermore, Platform SSO for macOS will enable administrators to configure the end-user authentication method.
The admins can then set up a phishing-resistant credential or a traditional password as the authentication method. You can easily prepare your business for Platform SSO for macOS by taking the steps given below:
- Deploy the Microsoft Enterprise SSO plug-in.
- Ensure that users are registered for Microsoft Entra ID multifactor authentication, and for the best experience, Microsoft Authenticator is recommended for this process.
- Update macOS devices to macOS 13 (Ventura) or later.
Microsoft Enterprise SSO plug-in for Apple devices
Using the Microsoft Enterprise SSO plug-in for Apple devices, clients get single sign-on for Microsoft Entra accounts on macOS, iOS, and iPadOS, across all applications that support Apple’s enterprise single sign-on feature. Probably the biggest advantage of this plug-in is that it enables SSO for older applications that are integral to your business operations but don’t support the latest identity protocols.
The final product is the result of Microsoft and Apple working together to ensure that users get the best possible experience. At the moment, the Enterprise SSO plug-in is available as a built-in feature of Microsoft Authenticator (iOS, iPadOS) and the Microsoft Intune Company Portal (macOS).
WHAT FEATURES DO YOU GET?
The Microsoft Enterprise SSO plug-in for Apple devices comes with several attractive features, including:
- Single sign-on for Microsoft Entra accounts in all apps that support the Apple Enterprise SSO feature.
- Supported in both device and user enrollment, and you can use any mobile device management service of your choice to enable it.
- Available for applications that don’t yet use the Microsoft Authentication Library (MSAL).
- Also offers SSO to apps that use OAuth 2, OpenID Connect, and SAML.
- End users get a smooth experience when the Microsoft Enterprise SSO plug-in is enabled because of how it is integrated with MSAL.
REQUIREMENTS
| Device Requirements | iOS Requirements | macOS Requirements |
| --- | --- | --- |
| The device must support, and have installed, an app that carries the Microsoft Enterprise SSO plug-in for Apple devices: iOS 13.0 and later: Microsoft Authenticator app; iPadOS 13.0 and later: Microsoft Authenticator app; macOS 10.15 and later: Intune Company Portal app. Devices should be enrolled in MDM: because Apple requires this security measure, the configuration that enables the Enterprise SSO plug-in must be pushed to the device. | Devices need iOS 13.0 or higher, plus a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple, namely the Microsoft Authenticator app. | Devices need macOS 10.15 or higher, plus a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple, namely the Intune Company Portal app. |
HOW DOES THE SSO PLUG-IN WORK?
As mentioned before, this plug-in came about through the efforts of both Microsoft and Apple, so it’s not surprising that it relies on the Apple Enterprise SSO framework. Once an identity provider has joined this framework, it can intercept network traffic for its domain and modify how those requests are handled. Native applications can also implement custom operations and communicate directly with the SSO plug-in.
Wrap up
The integration of products and services from different tech companies can provide countless benefits for customers. End-user experiences will improve, businesses will get better value for their investment, and tech companies can ensure that their customers get the best possible solutions.
This is why Microsoft Intune has been working with Apple to improve the user experience for Apple device users. Intune wants to be able to offer organizations excellent device management solutions across all devices regardless of preferences.
So, whether you want to use Windows devices or Apple devices, you should be getting great device management options. We all know about Apple Identity Services and how those protocols have given Apple devices the high-level security they have.
Therefore, the fact that Intune measures can co-exist with Apple Identity Services can only be a good thing for customers because this will ultimately strengthen overall security even further, as well as provide a better user experience.