Configure device configuration profiles for PSSO using Workspace ONE
Desktop Password Sync for macOS uses Apple's Platform Single Sign-on (Platform SSO) feature to sync a user's local macOS account password with their Okta password.
This guide details how to configure and deploy Desktop Password Sync for macOS devices managed by Omnissa Workspace ONE.
Before you begin
- Confirm that you have configured and deployed Device Access certificates to your macOS devices.
- User devices must be running macOS 15 Sequoia or later.
- Download the Okta Verify PKG file from the Okta Admin Console. See Download Okta Verify for macOS.
- You must have access to a licensed Workspace ONE environment.
Start this task
This process involves creating a comprehensive device profile in the Workspace ONE console with three key payloads: Associated Domains, Single Sign-On Extensions, and Custom Settings.
Create the device profile
- In your Workspace ONE console, go to .
- Click .
- Select macOS as the Profile Platform.
- On the macOS page, select the following:
  - Management Type: Imperative
  - Context: Device
- Enter a descriptive name for the profile, such as Okta Platform SSO.
Configure the associated domains payload
- In the new profile, find and add an Associated Domains payload.
- In the App Bundle ID field, add the following entries:
  App Identifier: B7F62B65BN.com.okta.mobile
  Domain: authsrv:{customerorg}.okta.com
  App Identifier: B7F62B65BN.com.okta.mobile.auth-service-extension
  Domain: authsrv:{customerorg}.okta.com
  Replace {customerorg} in the Domain setting with the subdomain of your Okta org URL.
Configure the Single Sign-On (SSO) extension payload
- Find and add the SSO Extension payload to your profile.
- Configure the following options:
  Extension Identifier: com.okta.mobile.auth-service-extension (the identifier for the Okta extension)
  Extension Type: Redirect
  Team Identifier: B7F62B65BN
  URLs: Add the URLs for your Okta org, including the paths:
    - /device-access/api/v1/nonce
    - /oauth2/v1/token
    - /v1/auth/device-sign
    For example:
    - https://customerorg.okta.com/device-access/api/v1/nonce
    - https://customerorg.okta.com/oauth2/v1/token
    - https://customerorg.okta.com/v1/auth/device-sign
  Authentication Method: Password
  Registration Token: This setting must be present, but you can enter any value in the field, because the SCEP profile you created overrides this value.
  Platform SSO: Enabled. Set this toggle to enabled.
  Use Shared Device Keys: Enabled. This option is only needed for Just-In-Time Local Account Creation.
  Account Display Name: A display name for your account, for example Okta Platform SSO. This value is used in notifications and authentication requests for the account. It is set at the system level, not per user.
- If you plan to Configure device management profiles for Just-In-Time Local Account Creation, add the following SSO extension settings:
  Create User at Login: Enabled
  macOSAccountFullName
  macOSAccountUsername
  Account Authorization Mode: Standard or Admin
  New User Authorization Mode: Standard or Admin
Configure the custom settings payload
Find and add the Custom Settings payload. Create the following custom configurations as two separate settings.
Replace the string values for the following keys:
- PayloadUUID: Use a separate UUID for each Custom Settings profile. You can generate them with the uuidgen command on any macOS device.
- OktaVerify.OrgUrl: The URL of your Okta org.
- OktaVerify.PasswordSyncClientID: The specific client ID for your Okta instance, for example, 0oae1su23owTpNqGn456.
Custom Settings 1
<dict>
    <key>PayloadIdentifier</key>
    <string>com.okta.mobile.[UUID]</string>
    <key>PayloadUUID</key>
    <string>[UUID]</string>
    <key>PayloadOrganization</key>
    <string>Okta</string>
    <key>PayloadType</key>
    <string>com.okta.mobile</string>
    <key>OktaVerify.OrgUrl</key>
    <string>[Okta_Org_URL]</string>
    <key>OktaVerify.UserPrincipalName</key>
    <string>{EmailAddress}</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Okta Mobile Payload</string>
    <key>PayloadDescription</key>
    <string>Okta Mobile Payload</string>
</dict>
Custom Settings 2
<dict>
    <key>PayloadIdentifier</key>
    <string>com.okta.mobile.auth-service-extension.[UUID]</string>
    <key>PayloadUUID</key>
    <string>[UUID]</string>
    <key>PayloadOrganization</key>
    <string>Okta</string>
    <key>PayloadType</key>
    <string>com.okta.mobile.auth-service-extension</string>
    <key>OktaVerify.OrgUrl</key>
    <string>[Okta_Org_URL]</string>
    <key>OktaVerify.PasswordSyncClientID</key>
    <string>[Password_Sync_Client_ID]</string>
    <key>PlatformSSO.ProtocolVersion</key>
    <string>2.0</string>
    <key>OktaVerify.UserPrincipalName</key>
    <string>{EmailAddress}</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Okta Mobile Auth Service Extension</string>
    <key>PayloadDescription</key>
    <string>Okta Mobile Auth Service Extension Payload</string>
</dict>
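As an added example (not Okta's or Omnissa's code), the following Python script builds the two Custom Settings dictionaries above from an org URL and client ID with freshly generated UUIDs (uuid.uuid4() standing in for uuidgen), derives the SSO Extension URLs and Associated Domains entries from the same org URL, and lints a payload for leftover placeholders such as [UUID] or [Okta_Org_URL] before it is pasted into the console. Key names, paths and the team identifier come from this guide; the function names and the sample org URL are this example's own.

```python
"""Build and lint the two Custom Settings payloads from this guide.

Added example, not Okta's or Omnissa's code. Key names and paths are taken
from the guide; the org URL and client ID used at the bottom are constructed.
"""
import plistlib
import re
import uuid
from urllib.parse import urlparse

TEAM_ID = "B7F62B65BN"
SSO_PATHS = ("/device-access/api/v1/nonce", "/oauth2/v1/token", "/v1/auth/device-sign")
# Bracketed placeholders from the guide ([UUID], [Okta_Org_URL], ...) and {customerorg}.
# {EmailAddress} is deliberately not matched: it is a Workspace ONE lookup value that
# the console resolves per user at install time and must stay in the payload.
PLACEHOLDER = re.compile(r"\[[A-Za-z_ ]+\]|\{customerorg\}")
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")


def sso_extension_urls(org_url):
    """The three SSO Extension URLs, built from the org URL as the guide shows."""
    base = org_url.rstrip("/")
    return [base + path for path in SSO_PATHS]


def associated_domains(org_url):
    """Associated Domains entries: authsrv:<org host> for both app identifiers."""
    host = urlparse(org_url).hostname
    return {
        f"{TEAM_ID}.com.okta.mobile": f"authsrv:{host}",
        f"{TEAM_ID}.com.okta.mobile.auth-service-extension": f"authsrv:{host}",
    }


def build_payloads(org_url, password_sync_client_id):
    """Return (Custom Settings 1, Custom Settings 2) with fresh, distinct UUIDs."""
    uuid1 = str(uuid.uuid4()).upper()  # stands in for `uuidgen` on macOS
    uuid2 = str(uuid.uuid4()).upper()
    settings1 = {
        "PayloadIdentifier": f"com.okta.mobile.{uuid1}",
        "PayloadUUID": uuid1,
        "PayloadOrganization": "Okta",
        "PayloadType": "com.okta.mobile",
        "OktaVerify.OrgUrl": org_url,
        "OktaVerify.UserPrincipalName": "{EmailAddress}",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Okta Mobile Payload",
        "PayloadDescription": "Okta Mobile Payload",
    }
    settings2 = {
        "PayloadIdentifier": f"com.okta.mobile.auth-service-extension.{uuid2}",
        "PayloadUUID": uuid2,
        "PayloadOrganization": "Okta",
        "PayloadType": "com.okta.mobile.auth-service-extension",
        "OktaVerify.OrgUrl": org_url,
        "OktaVerify.PasswordSyncClientID": password_sync_client_id,
        "PlatformSSO.ProtocolVersion": "2.0",
        "OktaVerify.UserPrincipalName": "{EmailAddress}",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Okta Mobile Auth Service Extension",
        "PayloadDescription": "Okta Mobile Auth Service Extension Payload",
    }
    return settings1, settings2


def lint_payload(payload):
    """Return a list of problems; an empty list means the payload is ready to paste."""
    problems = []
    for key, value in payload.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            problems.append(f"{key}: placeholder left in value {value!r}")
    payload_uuid = payload.get("PayloadUUID", "")
    if not UUID_RE.match(payload_uuid):
        problems.append("PayloadUUID is not a UUID")
    if not payload.get("PayloadIdentifier", "").endswith("." + payload_uuid):
        problems.append("PayloadIdentifier does not end with PayloadUUID")
    org = urlparse(payload.get("OktaVerify.OrgUrl", ""))
    if org.scheme != "https" or not org.hostname:
        problems.append("OktaVerify.OrgUrl must be an https URL")
    if payload.get("PayloadType") == "com.okta.mobile.auth-service-extension":
        if payload.get("PlatformSSO.ProtocolVersion") != "2.0":
            problems.append("PlatformSSO.ProtocolVersion must be 2.0")
        if not payload.get("OktaVerify.PasswordSyncClientID"):
            problems.append("OktaVerify.PasswordSyncClientID is missing")
    return problems


def to_plist_xml(payload):
    """Serialize a payload as plist XML; the <dict> inside is what the console takes."""
    return plistlib.dumps(payload, sort_keys=False).decode()


if __name__ == "__main__":
    # Constructed values: replace with your own org URL and Password Sync client ID.
    first, second = build_payloads("https://customerorg.okta.com", "0oae1su23owTpNqGn456")
    for payload in (first, second):
        print(payload["PayloadType"], "problems:", lint_payload(payload) or "none")
    print(to_plist_xml(second))
```

Run the linter on the dictionaries you are about to paste: a non-empty result means a placeholder survived, the UUID in PayloadIdentifier does not match PayloadUUID, or the org URL is not HTTPS, all of which are easier to catch here than after the profile has been published to a Smart Group.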
Assign the profile
- Click in the Smart Group field. From the list of Assignment Groups that appears, select the appropriate group. For example, select All Corporate macOS Devices.
- Select Auto for the Assignment Type.
- Click Save and Publish.
- You should now see the Okta Platform SSO device profile in the Profiles list.
Verify profile deployment
- On the user macOS device, open the System Settings app.
- Go to .
- Confirm that you see device management profiles for each of your preference domains.
