Apple Identity: Enrollment and Platform SSO


In the podcast I did from 2012 to 2017 with Fraser Speirs, I became very focused on identity becoming a central part of the IT management experience. That period saw the continued transition from on-prem servers and services to SaaS as the default. Apple’s vision for single sign-on in the enterprise took another step forward at WWDC 2022, so let’s look at what was announced regarding SSO, IdPs and Apple’s identity vision for the enterprise.

About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.


OAuth 2 support

In iOS and iPadOS 15, Apple used a simple access token authorization mechanism to allow the device management server to verify a user’s identity. In iOS and iPadOS 16, Apple is taking it to the next level by adding OAuth 2 support. OAuth 2 support will allow MDM servers to work with a much wider range of identity providers that already support OAuth 2. Instead of building a custom integration per provider, MDM vendors can leverage OAuth 2 for any provider that supports it.
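How an MDM enrollment endpoint could verify an OAuth 2 access token from any federated IdP using only standard claims, as an added example in Python (not Apple’s or any MDM vendor’s code). The issuer URL, audience, HS256 shared secret and claim set are assumptions for the demo; production IdPs sign with asymmetric keys published via JWKS, but the checks are the same.

```python
import base64, hashlib, hmac, json, time

# Hypothetical per-issuer verification keys. Real IdPs publish asymmetric keys
# via a JWKS endpoint; a constructed shared secret keeps this example offline.
ISSUER_KEYS = {"https://idp.example.com": b"constructed-demo-secret"}
MDM_AUDIENCE = "https://mdm.example.com/enroll"  # constructed MDM audience


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, subject, audience, exp):
    """Build an HS256 JWT the way a test IdP would (demo helper only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": exp}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_enrollment_token(token, now=None):
    """Return the claims if the token is acceptable for enrollment, else None.
    Identify the issuer, verify the signature with that issuer's key, and
    only then trust the remaining claims (audience, expiry)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None  # malformed token
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":
        return None  # refuse unexpected or "none" algorithms
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None  # issuer not federated with this MDM
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # signature mismatch or tampered payload
    if claims.get("aud") != MDM_AUDIENCE:
        return None  # token minted for some other service
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or missing expiry
    return claims
```

Adding a new IdP is a matter of adding its issuer and verification key; the enrollment logic itself does not change.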

Enrollment Single Sign-on

Enrollment Single Sign-on is a new method for personal devices to complete an MDM enrollment and access company apps and web SaaS platforms with a single authentication. Once the user downloads an app that’s compatible with Enrollment SSO, they can be automatically signed in with their Managed Apple ID that’s synced to Azure AD or Google Workspace. In order to use Enrollment SSO, you’ll need:

  • An app that’s been configured to support enrollment SSO
  • MDM solution that’s been federated with an identity provider
  • Managed Apple ID created in Apple Business Manager (or Apple School Manager)
  • An MDM server that’s been configured to return information the app needs to authenticate the end-user

Enrollment Single Sign On won’t be available at launch, but will come in a later update to iOS 16.

Platform Single Sign-On


In macOS 13 Ventura, Platform Single Sign-On allows end-users to sign in once at the macOS login window and then also be signed in to apps and websites that are compatible with the identity provider the company uses. An example here would be signing in to macOS using Okta at the login window, and then being automatically signed in to Slack and Jira instances that use the same IdP. Apple said that Platform SSO is the modern replacement for Active Directory binding (good riddance).

Summary on Apple’s vision for identity

Apple announced some exciting things at WWDC 2022 related to its vision for identity. These announcements are just the beginning of the process, as MDM and IdP vendors will need to build in support as Apple releases this functionality later in the iOS 16 and macOS Ventura release cycles, but the vision is indeed a compelling one for the future of identity in the workplace.
