Configure an SSO extension for managed macOS devices
On managed devices, the most secure and seamless way to authenticate on Safari and in-app browsers is with Apple's SSO extension. The SSO extension hides the Open Okta Verify browser prompt, and introduces phishing resistance properties to the authentication flow.
SSO extension isn't supported on Chrome or Firefox. These browsers communicate with Okta Verify using a local web server, and don't require an SSO extension to hide the Open Okta Verify prompt or enable phishing resistance.
Before you begin
Verify that the following conditions are met:
- The device is managed.
- The device is on a supported operating system. See Supported platforms, browsers, and operating systems for additional information.
- Okta is configured as a Certificate Authority with a dynamic SCEP challenge. See Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro
- You're familiar with these resources:
If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices. Use the configuration values that are provided in this procedure.
- In Jamf Pro, go to .
- Click + New.
- Click the Options tab.
- Scroll down, and then click Single Sign-On Extensions.
- Click +Add.
- On the Single Sign-on Extensions page, enter the following information:
- Extension Identifier: Enter com.okta.mobile.auth-service-extension.
- Team Identifier: Enter B7F62B65BN.
- Sign-On Type: Select Credential.
- Realm: Enter Okta Device.
- Hosts: Enter your Okta org domain. For example, acme.okta.com.
- If you implement a custom URL domain in your org, click + Add, and then enter your custom URL domain. Don't include https:// or any other protocol scheme. After you complete this step, you have two domains: acme.okta.com and id.acmecorp.biz.
If the SSO extension fails, the authentication flow falls back to the sign-in page. The SSO extension might fail in these situations:
- The SSO extension MDM profile isn't installed.
- Okta hasn't been configured as a Certificate Authority with dynamic SCEP.
- The SSO extension profile in Jamf Pro isn't configured correctly.
- A user tried to access an Okta-protected resource through Chrome (without silent access) or Firefox.
- A user tried to access an Okta-protected resource through Safari or a native app webview from an unmanaged device.
- The extension identifier isn't correct.
- The user is trying to access the resource from an org that isn't configured under Hosts.