
Platform SSO Simplified Setup in macOS 26: Streamlining Identity Management for Mac

by Cyberinchief
November 2, 2025

Identity at work and school

As a Customer Success Manager at Jamf, one of the most valuable conversation points I have with my customers is to remind them of the “why” behind their technology decisions. At Jamf, we believe in purposeful deployments and consider the ultimate outcome of what we want to achieve. For educational organizations, this is student success; for commercial organizations, this is productive and empowered workers.

Organizations often choose Apple devices for their simplicity and ease of use, and my role is to extend that experience. In my Customer Success role, I work with IT teams to design workflows with the Jamf platform that keep the user experience intuitive, while giving administrators the management and security tools they need to protect sensitive resources.

Identity sits right at the center of this balance. In conversations about identity, the “why” usually comes down to two core goals:

  • Ensuring organizational resources are only accessed by trusted users on compliant devices; and

  • Delivering a streamlined, frictionless login experience for end users on their Macs

So, in the discussion of “why” in identity, the question becomes: how do we make authentication effortless for users while empowering IT admins to achieve these goals?


What is Platform Single Sign-on?

Before diving into Platform Single Sign-on (PSSO), it helps to understand its foundation: the Single Sign-On extension (SSOe) that Apple previously made available to developers and identity providers (IdPs). It’s a framework that redirects authentication requests for a website, app or service that is gated by a cloud IdP.

The SSOe configuration profile payload tells the Apple device to redirect this request to the SSOe app locally installed on the device when a user logs into a service with a SAML, OAuth 2.0 or OpenID Connect 2.0 authentication method. These extensions allow users to authenticate once with their organization’s IdP (for example, Okta or Microsoft Entra ID) and then use that same session across multiple apps and websites without constantly re-entering their credentials.

Platform SSO takes this idea a step further. Instead of being limited to apps and websites, it integrates identity directly into the macOS login window and ties a user’s cloud identity to their local user account. Once a user is registered, their local user password can either synchronize with the IdP user, or the framework can leverage a protected Secure Enclave-backed key as a form of phishing-resistant authentication. After that initial provisioning event, additional users can sign in at the macOS login window with their IdP username and password to create a just-in-time user account linked to their identity.

I often explain it to customers like this: SSOe opened the door to single sign-on within apps. Platform SSO builds on that foundation to deliver an Apple-built framework that brings the same seamless experience to the entire Mac platform — starting right at login.
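To make the difference between an SSOe-only profile and a Platform SSO profile concrete, here is an added example (not from the original post or from Jamf) that audits an unsigned configuration profile for its `com.apple.extensiblesso` payload and reports which authentication method Platform SSO will use. The profile, extension identifier, team identifier and URL are constructed placeholders; the payload keys are those in Apple's Extensible Single Sign-On payload documentation.

```python
import plistlib

# Constructed sample profile; identifiers and URLs are placeholders, not a real IdP's.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>Type</key><string>Redirect</string>
    <key>ExtensionIdentifier</key><string>com.example.idp.ssoextension</string>
    <key>TeamIdentifier</key><string>ABCDE12345</string>
    <key>URLs</key><array><string>https://idp.example.com/</string></array>
    <key>PlatformSSO</key><dict>
      <key>AuthenticationMethod</key><string>Password</string>
      <key>EnableCreateUserAtLogin</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""

def audit_psso(profile_bytes):
    """Return a list of findings for every SSO extension payload in a profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload: SSO extension not configured"]
    for p in payloads:
        ext = p.get("ExtensionIdentifier", "<missing>")
        psso = p.get("PlatformSSO")
        if psso is None:
            # Apps and websites only; the login window is not tied to the IdP.
            findings.append(f"{ext}: SSOe only, no PlatformSSO dictionary")
            continue
        method = psso.get("AuthenticationMethod")
        if method == "Password":
            findings.append(f"{ext}: password sync, not phishing-resistant")
        elif method not in ("UserSecureEnclaveKey", "SmartCard"):
            findings.append(f"{ext}: unknown AuthenticationMethod {method!r}")
        # Creating accounts at the login window depends on shared device keys.
        if psso.get("EnableCreateUserAtLogin") and not psso.get("UseSharedDeviceKeys"):
            findings.append(f"{ext}: EnableCreateUserAtLogin needs UseSharedDeviceKeys")
        if any(not u.lower().startswith("https://") for u in p.get("URLs", [])):
            findings.append(f"{ext}: non-HTTPS URL in redirect list")
    return findings

if __name__ == "__main__":
    for line in audit_psso(SAMPLE_PROFILE):
        print(line)
```

Profiles exported from an MDM are often CMS-signed; strip the signature first, since `plistlib` only reads the plist itself.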

What’s new in Platform SSO with macOS 26?

Simplified Setup for Platform SSO

With the release of macOS Tahoe 26, Apple has significantly evolved Platform SSO with a new feature called Simplified Setup for Platform SSO. Before Simplified Setup, PSSO could only be set up and configured after a user successfully created a local account on their Mac.

This is one of the big changes in macOS 26 and PSSO: with PSSO integrated into the Setup Assistant, users can authenticate with their organization’s identity provider (IdP), like Microsoft Entra ID or Okta, and the PSSO framework creates the first user account during Setup Assistant.

The workflow looks like this:

  1. A computer is kept in Setup Assistant until a specified Platform SSO app (from the IdP) and its configuration profiles (e.g., device management settings) have completed their installation.

  2. Once complete, macOS will begin a required Platform SSO registration and setup process.

  3. After registration, the first user can be created during Setup Assistant, based on the identity of the user that authenticated with the IdP. This user account is also registered with Platform SSO frameworks on macOS for continued benefits to user experience and security.

While multiple IdPs support Platform SSO, as of this blog’s publication, only Okta supports the new Simplified Setup for Platform SSO.

Authenticated Guest Mode

Another major enhancement is Authenticated Guest Mode, which allows temporary user accounts to be created after IdP authentication. These accounts get simplified SSO extension authentication while logged in and are deleted automatically after the user logs out. This means organizations can support multiple users who work on the same Mac, like healthcare organizations helping nurses, technicians or other staff to more easily sign in to a shared Mac in an exam room or common area. Here is the workflow for Authenticated Guest Mode:

  1. A user can log in to any shared Mac using their work credentials at the login window. Login requires the device to be able to reach the IdP.

  2. When they log in, macOS uses single sign-on to access apps and websites.

  3. When they log out, macOS erases local data for the account, and the shared Mac is ready for the next user to log in.

Alongside Authenticated Guest Mode comes the ability to use NFC-based Access Keys (stored in Apple Wallet on iPhone) to “tap to login” on a Mac with IdP credentials. This workflow can be paired with Authenticated Guest Mode for temporary users on a Mac.

These enhancements streamline setup and enhance security: authentication is not just based on the user and IdP, but also the Mac itself. Identity is now part of the out-of-box Mac experience via MDM, Automated Device Enrollment and an IdP. Platform SSO brings the Mac deployment experience closer to a true “zero-touch” workflow. It’s seamless, secure and OS-native.

Customer FAQs on Platform SSO

So, what are the full requirements to implement Simplified Setup and Authenticated Guest Mode for Platform SSO?

Platform SSO is a partnership between Apple, device management solutions and identity providers. To fully implement this workflow, you will need:

Note: As of this writing, only Okta has a Platform SSO application that supports Simplified Setup for PSSO. Please make sure to look at your IdP’s release notes to learn more.

This workflow sounds like something Jamf already has. What’s the difference?

One of the capabilities in Jamf for Mac and Jamf for K-12 is being able to provision a new user account during Setup Assistant. For a long time, it was the best way for customers to provision new user accounts, sync the local account and IdP password, and create a streamlined login experience.

But as Apple continues to innovate, so does Jamf. With the release of macOS Tahoe 26, Jamf officially supports Simplified Setup for PSSO and we are excited for the future of user identity on Mac.

However, Jamf’s authentication capabilities address two pertinent needs of the IT admins I work with that Platform SSO does not: offline multi-factor authentication (MFA) and privilege elevation.

Offline MFA allows users to access their computer with a time-based one-time password from an authentication app without a connection to an identity provider. This means users can access their computer without an active internet connection.

Privilege elevation provides a simple way to manage standard and admin rights on my customers’ Mac devices. In addition to managing those rights, privilege elevation allows a user to request administrative rights to their Mac. The standard user then receives this right for a set period of time (as low as one minute) as configured by Jamf admins before returning to a standard user.

Here is a full breakdown of features:

How can Jamf customers implement Simplified Setup for PSSO?

There is a step-by-step breakdown of the workflow in our technical documents.

For Jamf admins, when you are creating a new computer PreStage enrollment or editing an existing one, select the General payload, scroll down to Setup Assistant, and then check the Enable Simplified Setup for Platform Single Sign-on button. A new field appears to enter your Platform Single Sign-on App Bundle ID. See the workflow below at the 28-second mark in our release notes video:

Which identity providers will support zero-touch setup with Platform SSO?

Full workflow functionality requires compatible implementation from supported identity providers (such as Okta and Microsoft Entra ID). See your IdP’s documentation for their Platform SSO feature capabilities and proper configuration settings with MDM, as well as compatibility with this workflow in macOS 26. Once we learn about current IdP support, we will let our customers know that they can implement this workflow.

How does Jamf for Mac’s Zero Trust Network Access fit in?

Jamf’s platform, including built-in Zero Trust Network Access (ZTNA)*, leverages your IdP to upgrade organizational security by:

  • Frequently checking device health

  • Assessing app vulnerability status

  • Securing network communications

  • Mitigating risky user behaviors

  • Establishing microtunnels to securely access resources

  • Denying access to devices/users found to be compromised

  • Maintaining optimal productivity by blocking access to only affected resources

  • Automatically executing workflows to remediate devices

*ZTNA is not available for Jamf for K-12 customers.

Once a computer has been registered with PSSO, do IdP logins use web views or allow for multi-factor authentication (MFA)?

No. The only place an IdP can force MFA is during a web view registration, not at the FileVault login, the login window or the unlock screens.


