Create and Deploy Extensible Single Sign-On (ESSO) Payload (macOS)

About this task

To establish Conditional Access on macOS devices, you must first create and deploy the Extensible Single Sign-On (ESSO) payload as a Custom Profile configuration under the macOS Device section of Profiles. This configuration is mandatory: it is what activates the SSO extension bundled with the Company Portal app, which performs user authentication against Azure on macOS devices.

Procedure

  1. Create a macOS Device profile as described in Creating a Profile.
  2. Click the Configurations tab, then add a new Profile Configuration.
  3. Click Custom Profiles in the Other section.
  4. Add the following custom Plist to the Plist text box. It is deployed to every device on which Azure device registration is required.
    Note: Where GeneratedGUID appears in the Plist XML, substitute a different, unique GUID in each place (one for the PayloadIdentifier suffix and another for PayloadUUID). GUIDs can be generated at https://www.guidgen.com/ or with the uuidgen command in the macOS Terminal. Keys must be copied exactly: a stray space inside a key name (for example before Enable_SSO_On_All_ManagedApps) produces a key the extension does not recognise, and the setting is silently ignored.
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadType</key>
          <string>com.apple.extensiblesso</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <!-- Replace each GeneratedGUID below with its own, unique GUID -->
          <key>PayloadIdentifier</key>
          <string>net.soti.ExtensibleSingleSignOn.GeneratedGUID</string>
          <key>PayloadUUID</key>
          <string>GeneratedGUID</string>
          <key>PayloadDisplayName</key>
          <string>ExtensibleSingleSignOn Usage</string>
          <key>PayloadDescription</key>
          <string>ExtensibleSingleSignOn Configuration</string>
          <key>PayloadOrganization</key>
          <string>SOTI MobiControl</string>
          <!-- Bundle ID and Apple Team ID of the Company Portal SSO extension -->
          <key>ExtensionIdentifier</key>
          <string>com.microsoft.CompanyPortalMac.ssoextension</string>
          <key>TeamIdentifier</key>
          <string>UBF8T346G9</string>
          <!-- Redirect type: the extension handles requests to the Microsoft identity endpoints listed in URLs -->
          <key>Type</key>
          <string>Redirect</string>
          <key>URLs</key>
          <array>
            <string>https://login.microsoftonline.com</string>
            <string>https://login.microsoft.com</string>
            <string>https://sts.windows.net</string>
            <string>https://login.partner.microsoftonline.cn</string>
            <string>https://login.chinacloudapi.cn</string>
            <string>https://login.microsoftonline.de</string>
            <string>https://login.microsoftonline.us</string>
            <string>https://login.usgovcloudapi.net</string>
            <string>https://login-us.microsoftonline.com</string>
          </array>
          <!-- Settings for the extension itself are passed in the ExtensionData dictionary
               of the com.apple.extensiblesso payload; keys placed directly in the payload
               are not delivered to the extension. -->
          <key>ExtensionData</key>
          <dict>
            <key>Enable_SSO_On_All_ManagedApps</key>
            <integer>1</integer>
            <key>browser_sso_interaction_enabled</key>
            <integer>1</integer>
            <key>disable_explicit_app_prompt</key>
            <integer>1</integer>
            <key>AppAllowList</key>
            <string>com.microsoft.CompanyPortalMac</string>
          </dict>
        </dict>
      </array>
    </dict>
    </plist>
    
  5. Click Save, then click Save And Assign and assign the profile to the necessary macOS devices.
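Hand-editing the Plist is where most deployment failures start: a reused GUID, a key with a stray space, or an endpoint typed without https. The script below is an added example, not part of the SOTI documentation or the Company Portal product; it generates the ESSO payload above with fresh, distinct GUIDs using only Python's standard library, and lints a profile (either the XML text or the parsed dictionary) for the mistakes that would otherwise only surface as a silent SSO failure on the device. The ExtensionData placement of the extension settings follows Apple's com.apple.extensiblesso payload format; the function and constant names are this example's own.

```python
"""Generate and sanity-check the Company Portal ESSO custom profile (added example)."""
import plistlib
import re
import uuid

# Values taken from the procedure above: the extension's bundle ID and Apple Team ID,
# and the Microsoft identity endpoints the Redirect extension must intercept.
EXTENSION_IDENTIFIER = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_IDENTIFIER = "UBF8T346G9"
LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login.usgovcloudapi.net",
    "https://login-us.microsoftonline.com",
]
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I)


def build_profile(payload_uuid=None, identifier_guid=None):
    """Return the profile as a dict. Fresh, distinct GUIDs are generated unless supplied."""
    payload_uuid = (payload_uuid or str(uuid.uuid4())).upper()
    identifier_guid = (identifier_guid or str(uuid.uuid4())).upper()
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"net.soti.ExtensibleSingleSignOn.{identifier_guid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "ExtensibleSingleSignOn Usage",
        "PayloadDescription": "ExtensibleSingleSignOn Configuration",
        "PayloadOrganization": "SOTI MobiControl",
        "ExtensionIdentifier": EXTENSION_IDENTIFIER,
        "TeamIdentifier": TEAM_IDENTIFIER,
        "Type": "Redirect",
        "URLs": list(LOGIN_URLS),
        # Extension-specific settings travel in ExtensionData (Apple's payload format).
        "ExtensionData": {
            "Enable_SSO_On_All_ManagedApps": 1,
            "browser_sso_interaction_enabled": 1,
            "disable_explicit_app_prompt": 1,
            "AppAllowList": "com.microsoft.CompanyPortalMac",
        },
    }
    return {"PayloadContent": [payload]}


def to_plist_xml(profile):
    """Serialise the profile to the XML plist text pasted into the Plist text box."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def _keys(obj):
    """Yield every dictionary key in a nested plist structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _keys(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _keys(value)


def check_profile(profile):
    """Return a list of problems; an empty list means the profile passes. Accepts XML or a dict."""
    if isinstance(profile, str):
        profile = profile.encode()
    if isinstance(profile, bytes):
        profile = plistlib.loads(profile)
    problems = []
    # A key such as " Enable_SSO_On_All_ManagedApps" is a different key, so the setting is lost.
    for key in _keys(profile):
        if key != key.strip():
            problems.append(f"key {key!r} has surrounding whitespace")
    seen_uuids = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            problems.append("PayloadType is not com.apple.extensiblesso")
        payload_uuid = payload.get("PayloadUUID", "")
        if not UUID_RE.match(payload_uuid):
            problems.append(f"PayloadUUID {payload_uuid!r} is not a GUID")
        if payload_uuid.upper() in seen_uuids:
            problems.append(f"PayloadUUID {payload_uuid!r} is reused")
        seen_uuids.add(payload_uuid.upper())
        ident_guid = payload.get("PayloadIdentifier", "").rsplit(".", 1)[-1]
        if not UUID_RE.match(ident_guid) or ident_guid.upper() == payload_uuid.upper():
            problems.append("PayloadIdentifier must end in its own GUID, distinct from PayloadUUID")
        if (payload.get("ExtensionIdentifier") != EXTENSION_IDENTIFIER
                or payload.get("TeamIdentifier") != TEAM_IDENTIFIER):
            problems.append("ExtensionIdentifier/TeamIdentifier do not match the Company Portal extension")
        if payload.get("Type") != "Redirect":
            problems.append("Type must be Redirect for the Microsoft identity endpoints")
        for url in payload.get("URLs", []):
            if not url.startswith("https://"):
                problems.append(f"URL {url!r} is not https")
        if "ExtensionData" not in payload:
            problems.append("ExtensionData missing: extension settings will not reach the plug-in")
    return problems


if __name__ == "__main__":
    generated = build_profile()
    xml = to_plist_xml(generated)
    print(xml.decode())
    print("problems:", check_profile(xml))
```

Run it once per profile you intend to create, paste the printed XML into the Plist text box, and keep the generated PayloadUUID on record so a later revision of the profile is not deployed with a GUID already in use. The checker is also handy on a profile exported back out of MobiControl: feeding it the XML verifies that the deployed key names and endpoints survived copy-and-paste intact.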