Configure device configuration profiles for PSSO using Microsoft Intune

Desktop Password Sync for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to sync a user's local macOS account password with their Okta password.

This guide details how to configure and deploy Desktop Password Sync for macOS devices managed by Microsoft Intune.

Before you begin

Start this task

To set up the device configuration profiles for Platform Single Sign-on (Platform SSO) using Microsoft Intune, perform the following tasks in order:

  1. Configure the Single Sign-On (SSO) profile

  2. Configure associated domains

  3. Configure custom preference files

  4. Create the custom preference profiles

  5. Verify profile deployment

  6. Deploy Okta Verify

Configure the Single Sign-On (SSO) profile

  1. In your Microsoft Intune admin center, select Devices from the main navigation bar.

  2. Go to Manage devices > Configuration.

  3. Click Create, then select New Policy.

  4. On the Create a profile pane, select the following options:

    • Platform: macOS

    • Profile type: Settings catalog

  5. Click Create.

  6. Give the profile a name, for example, Okta SSO Extension and Domains. Click Next.

  7. Click Add settings.

  8. Enter SSO in the Settings field and click Search.

  9. Select Authentication > Extensible Single Sign On (SSO).

  10. Configure the following settings with these values:

    • Authentication Method: Password

    • Extension Identifier: com.okta.mobile.auth-service-extension

    • Account Display Name: A display name for your Okta instance. This value is used in notifications and authentication requests for the account. It's set at the system level, not per user.

    • Enable Create User At Login: Enabled. This option is only needed for Just-In-Time Local Account Creation.

    • New User Authorization Mode: Standard or Admin. This option is only needed for Just-In-Time Local Account Creation.

    • Token To User Mapping (Account Name): macOSAccountUsername. This option is only needed for Just-In-Time Local Account Creation.

    • Token To User Mapping (Full Name): macOSAccountFullName. This option is only needed for Just-In-Time Local Account Creation.

    • Use Shared Device Keys: Enabled

    • Registration Token: This setting must be present, but you can enter any value in the field, because the SCEP profile you create overrides it.

    • Team Identifier: B7F62B65BN

    • Type: Redirect

    • URLs: Add the URLs for your Okta org, including the paths:

      • /device-access/api/v1/nonce

      • /oauth2/v1/token

      • /v1/auth/device-sign

      For example:

      • https://customerorg.okta.com/device-access/api/v1/nonce

      • https://customerorg.okta.com/oauth2/v1/token

      • https://customerorg.okta.com/v1/auth/device-sign

Configure associated domains

  1. Click Add settings to add another item to the profile you created in the previous step.

  2. Enter Associated Domains in the Settings field and click Search.

  3. Select App Management > Associated Domains.

  4. In the Associated Domains > Configuration section, click Edit instance.

  5. Enter the following for the instance:

    • Application Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension

    • Associated Domain: Enter authsrv: followed by your Okta org's domain (the host name without https://). For example, authsrv:customerorg.okta.com

    • Click Save.

  6. Repeat for the other associated domain:

    • Application Identifier: B7F62B65BN.com.okta.mobile

    • Associated Domain: Enter authsrv: followed by your Okta org's domain (the host name without https://). For example, authsrv:customerorg.okta.com

    • Click Save.

  7. Click Next.

  8. Assign Scope tags if required and click Next.

  9. Assign the proper users or groups and click Next.

  10. Confirm all your settings on the Review + Create tab, and click Create.

Configure custom preference files

For Platform SSO to function, you need to create and deploy a preference file for each of the following preference domains:

  • com.okta.mobile

  • com.okta.mobile.auth-service-extension

  • com.okta.deviceaccess.servicedaemon: Optional. Only required for Device-Bound SSO.

  • com.apple.preference.security: Optional. Only required to block password reset.

com.okta.mobile

Create and save a text file named com.okta.mobile with the following contents:

<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{{mail}}</string>

Replace the following items with your specific org configuration:

  • https://customerorg.okta.com is the URL for your Okta org.

  • {{mail}} is an optional value that's populated with the Okta username when the user registers for PSSO. If you don't specify a value, users have to enter their username when they sign in.

com.okta.mobile.auth-service-extension

Create and save a text file named com.okta.mobile.auth-service-extension with the following contents:

<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>{{mail}}</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>add-your-client-ID-here</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>

Replace the following items with your specific org configuration:

  • https://customerorg.okta.com is the URL for your Okta org.

  • {{mail}} is an optional value that's populated with the Okta username when the user registers for PSSO. If you don't specify a value, users have to enter their username when they sign in.

  • add-your-client-ID-here is the Client ID that you copied during the Platform SSO app creation.

    You can retrieve this value from the Authentication tab of the configured Platform Single Sign-on app for macOS.

com.okta.deviceaccess.servicedaemon

Create and save a text file named com.okta.deviceaccess.servicedaemon with the following contents:

<key>OktaJoinEnabled</key>
<true/>

This profile file is optional and is used for Device-Bound SSO. See Deploy Device-Bound SSO to user devices.

com.apple.preference.security

Create and save a text file named com.apple.preference.security with the following contents:

<key>dontAllowPasswordResetUI</key>
<true/>

This profile disables the ability to change the local account password from the macOS user interface.

Because the local password is synced with Okta, users shouldn't change it locally. To change a password, users should change their Okta password and then sync it at the lock screen of the computer.

See Apple Security Preferences documentation.
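As an added example (not Okta's or Microsoft's own code), the following Python script ties together the values entered in the SSO profile, the associated-domains step, and the preference files above: it derives the three SSO URLs and the authsrv: associated-domain values from the org URL, renders the four preference-file fragments, and checks that each fragment carries the keys this guide requires before you upload it to Intune. The org URL and Client ID are assumed admin-supplied inputs; customerorg.okta.com and 0oaEXAMPLEclientid are constructed sample values, and the files are written to a temporary directory.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Fixed values from the guide; only the org URL and Client ID are admin-supplied.
TEAM_ID = "B7F62B65BN"
EXTENSION_ID = "com.okta.mobile.auth-service-extension"
SSO_PATHS = ("/device-access/api/v1/nonce", "/oauth2/v1/token", "/v1/auth/device-sign")
# Keys each preference domain must carry (assumed minimum, taken from the fragments above).
REQUIRED_KEYS = {
    "com.okta.mobile": {"OktaVerify.OrgUrl"},
    EXTENSION_ID: {"OktaVerify.OrgUrl", "OktaVerify.PasswordSyncClientID",
                   "PlatformSSO.ProtocolVersion"},
    "com.okta.deviceaccess.servicedaemon": {"OktaJoinEnabled"},
    "com.apple.preference.security": {"dontAllowPasswordResetUI"},
}


def validate_org_url(org_url: str) -> str:
    """Return the bare host name; reject anything that is not a plain https origin."""
    parsed = urlparse(org_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"org URL must be https://<host>, got {org_url!r}")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment or parsed.port:
        raise ValueError(f"org URL must carry no path, query, fragment or port: {org_url!r}")
    return parsed.hostname


def sso_urls(org_url: str) -> list:
    """The three URLs entered in the Extensible SSO profile."""
    host = validate_org_url(org_url)
    return [f"https://{host}{path}" for path in SSO_PATHS]


def associated_domains(org_url: str) -> dict:
    """Application Identifier -> Associated Domain value, as entered in Intune."""
    host = validate_org_url(org_url)
    return {f"{TEAM_ID}.{EXTENSION_ID}": f"authsrv:{host}",
            f"{TEAM_ID}.com.okta.mobile": f"authsrv:{host}"}


def _fragment(pairs) -> str:
    """Render (key, value) pairs as the key/value fragment the guide shows."""
    lines = []
    for key, value in pairs:
        lines.append(f"<key>{escape(key)}</key>")
        lines.append("<true/>" if value is True else f"<string>{escape(value)}</string>")
    return "\n".join(lines) + "\n"


def preference_files(org_url: str, client_id: str, upn="{{mail}}",
                     device_bound=False, block_password_reset=False) -> dict:
    """Preference domain -> file contents for the domains this deployment needs."""
    origin = f"https://{validate_org_url(org_url)}"
    if not client_id or client_id == "add-your-client-ID-here":
        raise ValueError("replace the placeholder with the Client ID of the Platform SSO app")
    common = [("OktaVerify.OrgUrl", origin)]
    if upn:  # optional: omit the key and users type their username at sign-in
        common.append(("OktaVerify.UserPrincipalName", upn))
    files = {
        "com.okta.mobile": _fragment(common),
        EXTENSION_ID: _fragment(common + [("OktaVerify.PasswordSyncClientID", client_id),
                                          ("PlatformSSO.ProtocolVersion", "2.0")]),
    }
    if device_bound:  # only for Device-Bound SSO
        files["com.okta.deviceaccess.servicedaemon"] = _fragment([("OktaJoinEnabled", True)])
    if block_password_reset:  # only to block local password reset
        files["com.apple.preference.security"] = _fragment([("dontAllowPasswordResetUI", True)])
    return files


def missing_keys(domain: str, content: str) -> set:
    """Required keys absent from a fragment; an empty set means the file is complete."""
    present = set(re.findall(r"<key>([^<]+)</key>", content))
    return REQUIRED_KEYS[domain] - present


def write_files(files: dict, out_dir: Path) -> list:
    """Write one file per preference domain, named exactly as the domain."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for domain, content in files.items():
        missing = missing_keys(domain, content)
        if missing:
            raise ValueError(f"{domain} is missing {sorted(missing)}")
        path = out_dir / domain
        path.write_text(content)
        written.append(path)
    return written


if __name__ == "__main__":
    # Constructed sample values; 0oaEXAMPLEclientid is not a real Client ID.
    files = preference_files("https://customerorg.okta.com", "0oaEXAMPLEclientid",
                             device_bound=True, block_password_reset=True)
    for path in write_files(files, Path(tempfile.mkdtemp()) / "psso"):
        print(path)
    print(sso_urls("https://customerorg.okta.com"))
    print(associated_domains("https://customerorg.okta.com"))
```

The org URL check is deliberately strict: the fragments expect a bare https origin, and the associated-domain value is the host name alone, so a trailing path, port or http:// scheme would produce profiles that register but never complete authentication.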

Create the custom preference profiles

  1. In your Microsoft Intune admin center, select Devices from the main navigation bar.

  2. Go to Manage devices > Configuration.

  3. Click Create, then select New Policy.

  4. On the Create a profile pane, select the following options:

    • Platform: macOS

    • Profile type: Templates

  5. In the lower pane, select Preference file and click Create.

  6. Give the profile a name, for example, com.okta.mobile. Click Next.

  7. For each preference domain that you want to configure, enter the name of the preference domain, for example com.okta.mobile.

  8. Click the Browse folder icon and select the text file that matches that preference domain. Click Next.

  9. Assign the proper users or groups and click Next.

  10. Confirm all your settings on the Review + Create tab, and click Create.

Repeat the policy creation process for each of your preference domains.

Verify profile deployment

  1. On the macOS device, open the System Settings app.

  2. Go to Device Management > Profiles.

  3. Confirm that you see device management profiles for each of your preference domains.

Deploy Okta Verify

Finally, deploy the Okta Verify app to your enrolled macOS devices.

  1. In the Admin Console, go to Settings > Downloads.

  2. Scroll to Okta Verify for macOS and click Download Latest.

  3. Sign in to the Microsoft Intune admin center, and select Apps on the main navigation bar.

  4. In the Overview tab, select macOS apps from the Manage apps by platform section.

  5. Click Create.

  6. In the Select app type pane, under Other app types, select macOS app (PKG).

  7. Click Select.

  8. In the Add app pane, click Select app package file.

  9. In the App package file pane:

    1. Click the Browse button and locate the macOS PKG that you downloaded from the Okta Admin Console. Click OK.

    2. On the App information page, add the details for your app. Depending on the app that you chose, some of the values in this pane may be filled in automatically.

    3. Update the details in this table for your deployment and click Next to continue.

    4. You can optionally configure a pre-installation script and a post-install script to customize the app install. Click Next to continue.

    5. Choose the minimum operating system required to install this app, for example, macOS 15 Sequoia.

    6. You can use detection rules to choose how an app installation is detected on a managed macOS device. Click Next to continue.

    7. Select your users and groups for this app installation. Click Next to continue.

    8. Confirm all your settings on the Review + Create tab, and click Create.