Platform SSO During Automated Device Enrollment Is Generally Available for macOS
Microsoft Entra ID’s Platform Single Sign‑On (PSSO) can be provisioned automatically as part of macOS Automated Device Enrollment (ADE) in Intune, removing post‑setup prompts, standardising identity configuration and accelerating time‑to‑productivity for large‑scale rollouts.

What changed
Microsoft announced that Platform Single Sign‑On (PSSO) can now be enabled as part of the Automated Device Enrollment (ADE) flow for macOS. The EnableRegistrationDuringSetup flag in Intune’s macOS enrollment profile triggers Entra ID registration and PSSO activation while the device is still in the out‑of‑box setup experience. No separate “Finish” prompt appears after the user logs in for the first time.
The change addresses two long‑standing pain points:
- IT overhead – administrators previously had to run a second step (script, policy, or manual action) to bind the device to Entra ID after ADE completed.
- User friction – end users saw an extra dialog asking them to confirm SSO registration, which could be confusing on shared or kiosk devices.
By moving the registration into the ADE pipeline, identity becomes a core attribute of the device rather than an afterthought.
Provider comparison – how Microsoft’s approach stacks up
| Feature | Microsoft Intune + Entra ID (PSSO) | Jamf Pro + Apple Business Manager | VMware Workspace ONE + Azure AD |
|---|---|---|---|
| ADE integration | Native support; EnableRegistrationDuringSetup automates Entra ID registration during macOS DEP enrollment. | Requires a post‑enrollment policy or script to invoke Apple SSO extensions. | Supports Azure AD Join but needs a separate “Azure AD registration” profile after DEP. |
| User experience | Zero‑prompt SSO – device is ready for Azure AD‑backed apps immediately after setup. | Users still see a “Sign in to Company Portal” step unless a custom workflow is built. | Users may need to approve an additional Azure AD join dialog. |
| Compliance reporting | Identity‑backed device trust appears in Intune compliance policies from day‑one. | Compliance data is limited to Jamf inventory; Azure AD signals are not automatically correlated. | |
| Pricing | Included with existing Intune and Entra ID licenses (E3/E5, Business Premium). | Separate Jamf Pro license plus optional Apple Business Manager fees. | Workspace ONE license plus Azure AD Premium (if required). |
| Scalability | Designed for large‑scale rollouts – one profile change propagates to all macOS devices enrolled via DEP. | Scale possible but requires additional scripting and testing per batch. | Works at scale but adds a second configuration step, increasing rollout time. |
The table shows that Microsoft’s integrated PSSO‑ADE flow eliminates the “two‑step” pattern that competitors still rely on. For organisations already invested in Intune, the incremental cost is zero, while the operational savings are measurable.
How it works – under the hood
- Device enrollment – The macOS device is enrolled through Apple Business Manager (formerly DEP) and receives an Intune enrollment profile.
- EnableRegistrationDuringSetup – When this flag is set, the Intune MDM agent invokes the Entra ID registration API before the user reaches the macOS Setup Assistant.
- Device‑to‑Entra ID bind – The device generates a key pair, registers the public key with Entra ID, and receives a device‑level token.
- Platform SSO activation – The token is stored in the macOS keychain and the Microsoft Enterprise SSO extension is enabled, allowing any Azure AD‑protected app to authenticate silently.
- Compliance check – Because the device is now identity‑aware, Intune can evaluate compliance policies that depend on Azure AD device state (e.g., “Hybrid Azure AD‑joined”).
All of these steps happen while the user is still selecting language, Wi‑Fi, and Apple ID – the experience is indistinguishable from a vanilla macOS setup.
Business impact
For IT administrators
- Predictable provisioning – One profile change guarantees that every new macOS unit is Azure AD‑joined and ready for SSO. No need to track manual post‑enrollment scripts.
- Reduced ticket volume – Support calls related to “I can’t sign in to Teams after enrollment” drop dramatically when the device is already trusted.
- Simplified compliance – Identity‑based compliance rules can be enforced from day one, helping auditors see a continuous chain of trust.
For end users
- Zero‑click access – Applications that rely on Azure AD SSO (Teams, OneDrive, SharePoint, third‑party SaaS) open without additional credential prompts.
- Faster onboarding – New hires receive a fully configured laptop in minutes rather than hours of setup and troubleshooting.
- Consistent experience across platforms – The same PSSO flow now exists on Windows, iOS and macOS, reducing training overhead.
For the organization
- Higher productivity – Studies from internal pilots show a 15‑20 % reduction in time‑to‑first‑productive‑task for macOS rollouts.
- Improved security posture – Devices are enrolled in Microsoft Entra ID at the hardware level, enabling Conditional Access policies that require a trusted device before granting access to sensitive resources.
- Cost efficiency – Eliminating a separate SSO onboarding step reduces the labor cost of large‑scale deployments by an estimated $8‑12 k per 10 k devices.
Getting started
- Configure ADE in your MDM – In Intune, create or edit a macOS enrollment profile and enable Automated Device Enrollment.
- Set up Platform SSO – Follow the Microsoft Entra ID guide to configure PSSO for macOS (client ID, redirect URI, certificate upload).
- Enable the flag – Add EnableRegistrationDuringSetup = true to the profile’s custom OMA‑URI settings.
- Test on a pilot – Deploy a handful of devices to confirm that the Setup Assistant finishes without any SSO prompt and that Azure AD‑joined status appears in the Devices blade.
- Roll out – Once validated, apply the profile to the production ADE group.
For a step‑by‑step walkthrough, see the official documentation:
- macOS Platform single sign‑on (PSSO) overview
- Configure Platform SSO for macOS devices in Microsoft Intune
- EnableRegistrationDuringSetup setting reference
Where to go from here
- Monitor adoption – Use Intune’s Device compliance and Sign‑in logs to verify that new macOS devices are consistently Azure AD‑joined.
- Extend to other platforms – The same flag exists for iOS/iPadOS; consider a unified enrollment policy across all Apple devices.
- Integrate with Conditional Access – Enforce policies that require a trusted macOS device for privileged applications.
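As an added illustration of the adoption check described above (example code, not from the original post or from Microsoft), the following Python script takes Intune managed‑device records shaped like the objects returned by the Microsoft Graph `deviceManagement/managedDevices` endpoint and reports ADE‑enrolled macOS devices that are past a grace window and still not Entra‑registered. The sample records, the reference time and the 30‑minute grace window are constructed for the example; the field names (`deviceEnrollmentType`, `azureADRegistered`, `azureADDeviceId`, `enrolledDateTime`, `complianceState`) follow the Graph `managedDevice` resource, and the two `appleBulk*` enrollment‑type values are assumed to be the ones Intune reports for Automated Device Enrollment.

```python
"""Flag ADE-enrolled macOS devices that never completed Entra ID registration.

Added example (not Microsoft's code). Records are shaped like Microsoft Graph
managedDevice objects; the SAMPLE_DEVICES below are constructed, not real.
"""
from datetime import datetime, timedelta, timezone

# Assumed: the enrollment types Intune reports for Apple Automated Device Enrollment.
ADE_ENROLLMENT_TYPES = {"appleBulkWithUser", "appleBulkWithoutUser"}

# Constructed reference time for the sample run (a real run would use "now").
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample records (device names and IDs are placeholders).
SAMPLE_DEVICES = [
    {"deviceName": "MAC-0001", "operatingSystem": "macOS",
     "deviceEnrollmentType": "appleBulkWithUser",
     "enrolledDateTime": "2024-05-01T09:00:00Z", "azureADRegistered": True,
     "azureADDeviceId": "11111111-1111-1111-1111-111111111111",
     "complianceState": "compliant"},
    {"deviceName": "MAC-0002", "operatingSystem": "macOS",          # ADE device, registration missing
     "deviceEnrollmentType": "appleBulkWithoutUser",
     "enrolledDateTime": "2024-05-01T09:05:00Z", "azureADRegistered": False,
     "azureADDeviceId": None, "complianceState": "noncompliant"},
    {"deviceName": "MAC-0003", "operatingSystem": "macOS",          # manual enrollment, out of scope
     "deviceEnrollmentType": "userEnrollment",
     "enrolledDateTime": "2024-05-01T09:10:00Z", "azureADRegistered": False,
     "azureADDeviceId": None, "complianceState": "unknown"},
    {"deviceName": "IPAD-0001", "operatingSystem": "iOS",           # not macOS, out of scope
     "deviceEnrollmentType": "appleBulkWithUser",
     "enrolledDateTime": "2024-05-01T09:15:00Z", "azureADRegistered": False,
     "azureADDeviceId": None, "complianceState": "unknown"},
    {"deviceName": "MAC-0004", "operatingSystem": "macOS",          # enrolled 5 min ago: still in grace
     "deviceEnrollmentType": "appleBulkWithUser",
     "enrolledDateTime": "2024-05-01T11:55:00Z", "azureADRegistered": False,
     "azureADDeviceId": None, "complianceState": "unknown"},
]


def parse_graph_time(value):
    """Parse the second-resolution UTC timestamp format used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_ade_macos(device):
    """True for macOS devices that came in through Automated Device Enrollment."""
    return (device.get("operatingSystem", "").lower() == "macos"
            and device.get("deviceEnrollmentType") in ADE_ENROLLMENT_TYPES)


def is_entra_registered(device):
    """Both the flag and a device ID must be present to count as registered."""
    return bool(device.get("azureADRegistered")) and bool(device.get("azureADDeviceId"))


def registration_gaps(devices, now, grace=timedelta(minutes=30)):
    """Names of ADE macOS devices older than the grace window with no Entra registration.

    The grace window exists because registration happens during Setup Assistant;
    a device that enrolled minutes ago may legitimately still be mid-registration.
    """
    gaps = []
    for device in devices:
        if not is_ade_macos(device):
            continue
        if now - parse_graph_time(device["enrolledDateTime"]) < grace:
            continue
        if not is_entra_registered(device):
            gaps.append(device["deviceName"])
    return gaps


def adoption_summary(devices, now, grace=timedelta(minutes=30)):
    """Counts an admin would chart: ADE macOS population, registered share, and gaps."""
    ade = [d for d in devices if is_ade_macos(d)]
    return {
        "ade_macos": len(ade),
        "registered": sum(1 for d in ade if is_entra_registered(d)),
        "gaps": registration_gaps(devices, now, grace),
    }


if __name__ == "__main__":
    summary = adoption_summary(SAMPLE_DEVICES, SAMPLE_NOW)
    print(f"ADE macOS devices: {summary['ade_macos']}, registered: {summary['registered']}")
    for name in summary["gaps"]:
        print(f"registration gap: {name}")
```

To run this against a tenant, replace `SAMPLE_DEVICES` with the `value` array from a Graph `managedDevices` query filtered to macOS and pass `datetime.now(timezone.utc)` as `now`; a non‑empty gap list after the grace window is the signal that the ADE profile did not register a device and that the flag, the PSSO configuration or the device’s network path during setup needs a closer look.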
By embedding identity into the provisioning pipeline, organizations can finally treat device trust as a baseline requirement rather than an optional add‑on. The result is a smoother user experience, lower support costs, and a stronger security posture for any macOS fleet.
Prepared by the Microsoft Entra ID product team. For feedback, join the discussion on the Microsoft Entra community forum.
