Install Company Portal and Deploy Platform SSO Custom Payload on macOS

Install the Company Portal and deploy the Platform SSO payload on macOS devices to register them with Microsoft Entra ID and enforce Conditional Access policies by following the steps below.

Installation of Company Portal

To install Company Portal on macOS devices, follow these steps:

  1. Ensure that the device is enrolled in the SureMDM Console.

  2. Push a SureMDM Profile containing the Company Portal under the Application Policy section to the macOS device.

    • Alternatively, the Company Portal app can be installed manually from this link.

Note: Click here to learn more about pushing a macOS App Store app to the device.

Deploy Platform SSO Custom Payload

To deploy the Platform SSO custom payload on macOS devices, follow these steps:

  1. Navigate to Jobs > New Job > macOS > Push Custom Payload.

  2. Import the script file or copy and paste the below script content.

  3. Save the job.

  4. Deploy the saved job to the target macOS devices.

  5. Once the deployment is successful, the target macOS device will prompt the user to sign in with their Entra credentials.

  6. After successful authentication, the device will be registered with Microsoft Entra ID and will automatically adhere to Conditional Access policies.

    Note: To adhere to Conditional Access policies, Platform SSO must be enabled. As a result, the user's password on the target macOS device will be updated to match their Entra ID password.

    Tip: The following is a basic script example. You can refer to this Microsoft documentation for details on configuring Platform SSO. Alternatively, you can use iMazing Profile Editor to create a Platform SSO payload script with your desired configuration.

Platform SSO - Custom Payload Script

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>ExtensionIdentifier</key>
<string>com.microsoft.CompanyPortalMac.ssoextension</string>
<key>PayloadDisplayName</key>
<string>Extensible Single Sign-On Payload</string>
<key>PayloadIdentifier</key>
<string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PlatformSSO</key>
<dict>
<key>AccountDisplayName</key>
<string>EntraID</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>EnableCreateUserAtLogin</key>
<true/>
<key>LoginFrequency</key>
<integer>3700</integer>
<key>LoginPolicy</key>
<array>
<string>AttemptAuthentication</string>
</array>
<key>NewUserAuthorizationMode</key>
<string>Admin</string>
<key>UseSharedDeviceKeys</key>
<true/>
<key>UserAuthorizationMode</key>
<string>Admin</string>
</dict>
<key>ScreenLockedBehavior</key>
<string>DoNotHandle</string>
<key>TeamIdentifier</key>
<string>UBF8T346G9</string>
<key>Type</key>
<string>Redirect</string>
<key>URLs</key>
<array>
<string>https://login.microsoftonline.com</string>
<string>https://sts.windows.net</string>
<string>https://login.partner.microsoftonline.cn</string>
<string>https://login.chinacloudapi.cn</string>
<string>https://login.microsoftonline.us</string>
<string>https://login.microsoft.com</string>
<string>https://login-us.microsoftonline.com</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Platform SSO</string>
<key>PayloadIdentifier</key>
<string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
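As an added example, not part of this article or of SureMDM, the following Python script (standard-library plistlib only) performs a pre-deployment sanity check on a Platform SSO profile like the one above, catching the mistakes that most often leave a device redirecting to Entra but never registering: a wrong extension or team identifier, a Type other than Redirect, non-HTTPS URLs, a missing PlatformSSO dictionary or an unsupported AuthenticationMethod. The expected identifiers are the ones the payload above uses; the 3600-second LoginFrequency floor is an assumption taken from Apple's profile reference; the embedded sample profile is constructed, with placeholder UUIDs.

```python
import plistlib

EXPECTED_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"  # as in the payload above
EXPECTED_TEAM = "UBF8T346G9"                                        # Microsoft's team ID, as above
VALID_AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}
MIN_LOGIN_FREQUENCY = 3600  # assumption: Apple's documented minimum for LoginFrequency, in seconds


def check_platform_sso_profile(profile_bytes: bytes) -> list:
    """Return the problems found in a Platform SSO profile; an empty list means it passes."""
    try:
        root = plistlib.loads(profile_bytes)
    except Exception as exc:  # not a well-formed plist at all
        return [f"profile does not parse: {exc}"]
    problems = []
    sso = [p for p in root.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return problems + [f"expected exactly one com.apple.extensiblesso payload, found {len(sso)}"]
    p = sso[0]
    if p.get("ExtensionIdentifier") != EXPECTED_EXTENSION:
        problems.append(f"ExtensionIdentifier must be {EXPECTED_EXTENSION}")
    if p.get("TeamIdentifier") != EXPECTED_TEAM:
        problems.append(f"TeamIdentifier must be Microsoft's team ID {EXPECTED_TEAM}")
    if p.get("Type") != "Redirect":
        problems.append("Type must be 'Redirect'")
    if not p.get("URLs") or not all(u.startswith("https://") for u in p["URLs"]):
        problems.append("URLs must be a non-empty list of https:// entries")
    psso = p.get("PlatformSSO")
    if not isinstance(psso, dict):
        return problems + ["PlatformSSO dictionary missing: the extension would redirect but never register"]
    if psso.get("AuthenticationMethod") not in VALID_AUTH_METHODS:
        problems.append("PlatformSSO.AuthenticationMethod must be one of " + ", ".join(sorted(VALID_AUTH_METHODS)))
    freq = psso.get("LoginFrequency")
    if not isinstance(freq, int) or isinstance(freq, bool) or freq < MIN_LOGIN_FREQUENCY:
        problems.append(f"LoginFrequency must be an integer >= {MIN_LOGIN_FREQUENCY}")
    return problems


def build_sample_profile(**sso_overrides) -> bytes:
    """Constructed sample mirroring the article's payload (placeholder UUIDs); pass key=None to drop a key."""
    sso = {"PayloadType": "com.apple.extensiblesso", "PayloadVersion": 1,
           "PayloadUUID": "11111111-1111-1111-1111-111111111111", "PayloadIdentifier": "com.apple.extensiblesso.sample",
           "ExtensionIdentifier": EXPECTED_EXTENSION, "TeamIdentifier": EXPECTED_TEAM, "Type": "Redirect",
           "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com"],
           "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True, "LoginFrequency": 3700}}
    sso.update(sso_overrides)
    sso = {k: v for k, v in sso.items() if v is not None}  # plistlib cannot serialise None
    root = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": "sample.platform-sso",
            "PayloadUUID": "22222222-2222-2222-2222-222222222222", "PayloadContent": [sso]}
    return plistlib.dumps(root)
```

To check a real export, read the .mobileconfig file as bytes and pass it to check_platform_sso_profile; an empty result means the payload is ready for the Push Custom Payload job.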