Configure device configuration profiles for PSSO using Jamf Pro

Desktop Password Sync for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to sync a user's local macOS account password with their Okta password.

This guide details how to configure and deploy Desktop Password Sync for macOS devices managed by Jamf Pro.

Before you begin

Start this task

To set up the device configuration profiles for Platform Single Sign-on (Platform SSO) using Jamf Pro, perform the following tasks in order:

  1. Configure the Single Sign-On (SSO) profile

  2. Configure associated domains

  3. Configure the SSO extension

  4. Create Okta account mappings

  5. Create a PreStage enrollment for Simplified Setup

  6. Deploy Okta Verify

Configure the Single Sign-On (SSO) profile

  1. In Jamf Pro, select Computers > Configuration Profiles in the side bar.

  2. Click New.

  3. On the New macOS Configuration Profile pane, select the Options pane.

  4. In the General section, give the profile a name, for example, Okta Platform SSO.

    You can also enter any other information on this page that's specific to your environment, for example, a description, site, or category. These fields don't impact the PSSO configuration for Okta.

  5. Set the Level to Computer Level.

  6. From the Options side bar, click Application & Custom Settings > Upload.

  7. Click Add four times. This creates four custom payload entries.

  8. Configure a preference domain payload for each of the entries in the following table.

    Replace customerorg.okta.com and clientID with the URL and client ID of your Okta org, respectively.

    Preference Domain: com.okta.mobile

    Property List:

    <plist version="1.0">
    <dict>
    <key>OktaVerify.OrgUrl</key>
    <string>https://customerorg.okta.com</string>
    <key>OktaVerify.UserPrincipalName</key>
    <string>$USERNAME</string>
    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>
    </dict>
    </plist>

    Preference Domain: com.okta.mobile.auth-service-extension

    Property List:

    <plist version="1.0">
    <dict>
    <key>OktaVerify.OrgUrl</key>
    <string>https://customerorg.okta.com</string>
    <key>OktaVerify.UserPrincipalName</key>
    <string>$USERNAME</string>
    <key>OktaVerify.PasswordSyncClientID</key>
    <string>clientID</string>
    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>
    </dict>
    </plist>

    Preference Domain: com.okta.deviceaccess.servicedaemon

    Optional. Use this entry if you plan to enable Device-Bound Single Sign-On.

    Property List:

    <plist version="1.0">
    <dict>
    <key>OktaJoinEnabled</key>
    <true/>
    </dict>
    </plist>

    Preference Domain: com.apple.preference.security

    Optional. Use this entry if you want to prevent users from changing their local account password through the Users & Groups password reset UI.

    Property List:

    <plist version="1.0">
    <dict>
    <key>dontAllowPasswordResetUI</key>
    <true/>
    </dict>
    </plist>

  9. Click Save.

Configure associated domains

  1. In Jamf Pro, click Edit on the configuration profile that you created in the initial step.

  2. From the Options side bar, click Associated Domains.

  3. On the Associated Domains page, click Configure.

  4. Select App Management > Associated Domains.

  5. Click Add.

  6. Enter the following for the instance:

    • App Identifier: B7F62B65BN.com.okta.mobile

    • Associated Domain: Enter authsrv: followed by the domain of your Okta org, without the https:// scheme. For example, authsrv:customerorg.okta.com

    • Ensure that the Enable Direct Downloads checkbox isn't selected.

    • Click Save.

  7. Click Add to create another domain entry.

  8. Add in the other associated domain:

    • App Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension

    • Associated Domain: Enter authsrv: followed by the domain of your Okta org, without the https:// scheme. For example, authsrv:customerorg.okta.com

    • Ensure that the Enable Direct Downloads checkbox isn't selected.

    • Click Save.

  9. Click Save.

Configure the SSO extension

  1. In Jamf Pro, click Edit on the configuration profile that you created in the initial step.

  2. From the Options side bar, click Single Sign-on Extensions.

  3. On the Single Sign-on Extensions page, click Add.

  4. Configure the SSO extension according to the following settings. Replace customerorg.okta.com with the URL of your Okta org.

    • Payload Type: SSO

    • Extension Identifier: com.okta.mobile.auth-service-extension

    • Team Identifier: B7F62B65BN

    • Sign-on Type: Redirect

    • URLs: Click Add twice so that you have three text fields for the URLs setting, then enter the following URLs, one per field:

      https://customerorg.okta.com/oauth2/v1/token

      https://customerorg.okta.com/device-access/api/v1/nonce

      https://customerorg.okta.com/v1/auth/device-sign

    • Use Platform SSO: Include

    • Authentication Method: Password

    • Registration Token: This setting must be present, but you can enter any value in the field, because the SCEP profile that you created overrides this value.

    • Use Shared Device Keys: Enable

    • Account Display Name: macOS uses this value in the notifications that it sends during the registration process. Use a value that makes it clear to users which credentials are required, for example, Atko Okta credentials.

  5. If you plan to configure device management profiles for Just-In-Time Local Account Creation, add the following SSO extension settings:

    • Create New User at Login: Enable

    • User Mapping > Full Name: macOSAccountFullName

    • User Mapping > Account Name: macOSAccountUsername

    • Account Authorization Type: Standard or Admin

    • New User Account Type: Standard or Admin

  6. Apple introduced the Simplified Setup for Platform SSO feature in macOS 26 Tahoe. If you plan to use the Simplified Setup for Platform SSO feature, add the following SSO extension settings:

    • Enable registration during setup: Enable

    • Create first user during Setup: Enable

    • New user creation authentication method: Password

    See Create a PreStage enrollment for Simplified Setup.

  7. Click the Scope tab. Assign the configuration profile to the target devices or users.

  8. Click Save.

  9. Distribute the profile as needed when Jamf Pro prompts you.
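The values that this procedure has you type into Jamf Pro (the four preference domain payloads in the SSO profile, the two authsrv: associated domains, and the three SSO extension URLs) are all derived from the same two inputs: the org URL and the Password Sync client ID. The following script is an added example, not Okta's or Jamf's code. It builds those values from the two inputs, rejects an org URL that carries the wrong scheme, a port, or a path (mistakes that would otherwise be copied verbatim into the profile and only surface as a failed registration on the device), and re-parses the generated property lists to confirm they match the intended org. The function names and the sample org and client ID are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Identifiers as given in the guide; the helper names in this file are hypothetical.
TEAM_ID = "B7F62B65BN"
APP_ID = "com.okta.mobile"
EXTENSION_ID = "com.okta.mobile.auth-service-extension"
DAEMON_ID = "com.okta.deviceaccess.servicedaemon"
SECURITY_PANE_ID = "com.apple.preference.security"


def normalize_org_url(org_url):
    """Return the org as a bare 'https://host' origin, or raise ValueError.

    A non-https scheme, an explicit port, a userinfo part, a path or a query
    string would be written into the profile unchanged and break registration,
    so they are rejected here rather than discovered on the device.
    """
    parsed = urlparse(org_url.strip())
    if parsed.scheme != "https":
        raise ValueError(f"org URL must use https: {org_url!r}")
    if not parsed.hostname or parsed.port is not None or parsed.username:
        raise ValueError(f"org URL must be a bare host name: {org_url!r}")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError(f"org URL must not carry a path or query: {org_url!r}")
    return f"https://{parsed.hostname.lower()}"


def build_payloads(org_url, client_id, join_enabled=False, lock_password_ui=False):
    """Return {preference domain: plist bytes} for the custom payload entries.

    The two required domains are always produced; the two optional ones only
    when the matching flag is set, mirroring the 'Optional' entries in the guide.
    """
    origin = normalize_org_url(org_url)
    if not client_id or client_id != client_id.strip() or " " in client_id:
        raise ValueError("client ID must be a non-empty token without spaces")
    payloads = {
        APP_ID: {
            "OktaVerify.OrgUrl": origin,
            "OktaVerify.UserPrincipalName": "$USERNAME",  # Jamf substitutes this at install time
            "PlatformSSO.ProtocolVersion": "2.0",
        },
        EXTENSION_ID: {
            "OktaVerify.OrgUrl": origin,
            "OktaVerify.UserPrincipalName": "$USERNAME",
            "OktaVerify.PasswordSyncClientID": client_id,
            "PlatformSSO.ProtocolVersion": "2.0",
        },
    }
    if join_enabled:
        payloads[DAEMON_ID] = {"OktaJoinEnabled": True}
    if lock_password_ui:
        payloads[SECURITY_PANE_ID] = {"dontAllowPasswordResetUI": True}
    return {domain: plistlib.dumps(body) for domain, body in payloads.items()}


def associated_domains(org_url):
    """Return the two App Identifier -> Associated Domain entries."""
    host = urlparse(normalize_org_url(org_url)).hostname
    return {f"{TEAM_ID}.{APP_ID}": f"authsrv:{host}",
            f"{TEAM_ID}.{EXTENSION_ID}": f"authsrv:{host}"}


def sso_extension_urls(org_url):
    """Return the three URLs for the SSO extension payload, in the guide's order."""
    origin = normalize_org_url(org_url)
    return [f"{origin}/oauth2/v1/token",
            f"{origin}/device-access/api/v1/nonce",
            f"{origin}/v1/auth/device-sign"]


def validate_payloads(payloads, org_url, client_id):
    """Re-parse the plist bytes as an MDM would and list anything inconsistent.

    Returns a list of problem strings; an empty list means every payload
    agrees with the intended org URL and client ID.
    """
    origin = normalize_org_url(org_url)
    problems = []
    for domain in (APP_ID, EXTENSION_ID):
        if domain not in payloads:
            problems.append(f"{domain}: required payload missing")
            continue
        body = plistlib.loads(payloads[domain])
        if body.get("OktaVerify.OrgUrl") != origin:
            problems.append(f"{domain}: OktaVerify.OrgUrl is {body.get('OktaVerify.OrgUrl')!r}")
        if body.get("PlatformSSO.ProtocolVersion") != "2.0":
            problems.append(f"{domain}: PlatformSSO.ProtocolVersion must be '2.0'")
    ext = plistlib.loads(payloads[EXTENSION_ID]) if EXTENSION_ID in payloads else {}
    if ext.get("OktaVerify.PasswordSyncClientID") != client_id:
        problems.append(f"{EXTENSION_ID}: PasswordSyncClientID does not match {client_id!r}")
    for domain, key in ((DAEMON_ID, "OktaJoinEnabled"), (SECURITY_PANE_ID, "dontAllowPasswordResetUI")):
        if domain in payloads and plistlib.loads(payloads[domain]).get(key) is not True:
            problems.append(f"{domain}: {key} must be <true/>")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real org or client ID.
    org, cid = "https://customerorg.okta.com", "0oaEXAMPLEclientID"
    built = build_payloads(org, cid, join_enabled=True, lock_password_ui=True)
    for domain, data in built.items():
        print(f"# {domain}\n{data.decode()}")
    print(associated_domains(org))
    print(sso_extension_urls(org))
    print("problems:", validate_payloads(built, org, cid))
```

Run it with your own org URL and client ID substituted for the constructed ones; the printed plists can be pasted into the four Upload entries, and the associated domain and URL lists into the corresponding Jamf Pro fields. The validation step is the useful part if you generate these profiles from a template or pipeline rather than by hand, because it catches the common copy-and-paste slips (a trailing path, an http:// scheme, a client ID that does not match the Okta app) before the profile reaches a device.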

Create Okta account mappings

This task is necessary only if you want to configure Just-In-Time Local Account Creation or use the Simplified Setup feature for Platform SSO.

By default, the Okta username is used as the macOS username. Similarly, the combined Okta First name + Family name value is used for the macOS user display name.

However, if your org uses a different format for the macOS account name and display name, you need to create custom attributes for these mappings.

To override the default values, use the Profile Editor to add and map custom attributes for the app.

  1. If you haven't already, add the Platform Single Sign-on for macOS app through the Admin Console. See Add and configure the Platform SSO app.

  2. In the Admin Console, go to Directory > Profile Editor.

  3. Search for and open the Platform Single Sign-on for macOS app.

  4. Click Add Attribute.

  5. Add a string attribute for use as the macOS username:

    1. Set the Display name and Variable Name fields to macOSAccountUsername.

    2. Enable the Yes checkbox for the Attribute required field.

    3. Click Save and Add Another.

  6. Add another string attribute called macOSAccountFullName. Okta uses this attribute as the macOS display name.

  7. Click Save.

  8. Click Mappings and then Configure User mappings.

  9. In the User Profile Mappings dialog, select the Okta User to Platform Single Sign-on for macOS tab.

  10. Enter the following attribute mappings:

    • user.login: macOSAccountUsername

    • user.displayName: macOSAccountFullName

  11. Click Save Mappings.

If you need to modify these fields any further, you can choose a different Okta attribute or add an expression to the fields using Okta Expression Language. See Add custom attributes to apps, directories, and identity providers and Map Okta attributes to app attributes in the Profile Editor.

Create a PreStage enrollment for Simplified Setup

Optionally, you can create a Jamf Pro PreStage enrollment for the Simplified Setup for Platform SSO feature. This reduces the number of setup screens shown to a user during device activation.

  1. In Jamf Pro, select Computers > PreStage Enrollments in the side bar.

  2. Click New to create a PreStage Enrollment.

  3. In the General and Enrollment Requirements sections, set any options specific to your company. See Automated Device Enrollment for Computers.

  4. To enable Platform SSO during the Apple Setup Assistant, select the Enable Simplified Setup for Platform Single Sign-on (macOS 26 or later) option.

  5. Change the Minimum required macOS version to Specific version.

  6. Set the Minimum macOS version to enforce to the earliest available version of macOS 26 Tahoe.

  7. Set the Platform Single Sign-on App Bundle ID to com.okta.mobile.

  8. Select Configuration Profiles in the side bar and click Configure.

  9. Select your PSSO profile and your SCEP profile.

  10. Select Enrollment Packages in the side bar and click Configure to add an enrollment package to the PreStage enrollment.

  11. Click Add to include your Okta Verify installer. The Okta Verify app must be version 9.52 or later.

  12. Adjust any other settings as desired for the PreStage enrollment and click Save.

Deploy Okta Verify

The final step is to deploy the Okta Verify app to your enrolled macOS devices.

Jamf Pro offers various installation options for macOS packages. The following is the recommended option using the Jamf Pro Mac App feature.

  1. In Jamf Pro, select Computers > Mac apps in the side bar.

  2. Click New.

  3. In the App Source page, select the Jamf App Catalog option.

    This step is important, as the Apple App Store version of Okta Verify doesn't support Okta Device Access features.

  4. Click Next.

  5. Search for Okta Verify in the search field of the Select App Installers software title page.

  6. Click Add beside the latest version of Okta Verify.

  7. Use the Configuration settings, Self Service, and End user experience tabs to configure any settings to your deployment plan.

  8. After you complete the preceding steps, toggle the Deploy switch to enable the deployment option.

  9. Click Save.