
Sync local macOS password with IdP

Open dherder opened this issue 1 year ago • 1 comment

Problem

Today we integrate with IdPs via the macOS setup assistant and can use the IdP nameID to populate the user shortname when creating the first end user (local) account. We need to be able to constantly sync the password between the IdP and local user account to account for password resets within the IdP.

The pain right now is that end user passwords become out of sync with the IdP (where the user maintains their password) and the local macOS account.

dherder avatar Jun 20 '24 20:06 dherder

Contributes to Jamf parity.

noahtalerman avatar Jun 20 '24 20:06 noahtalerman

@noahtalerman let's chat about this at feature fest WRT usage of platform SSO, or do something different.

dherder avatar Jul 02 '24 21:07 dherder

let's chat about this at feature fest WRT usage of platform SSO, or do something different.

Hey @dherder can you please add this to the product office hours agenda? We don't usually have time during feature fest to dive into longer discussion.

noahtalerman avatar Jul 03 '24 14:07 noahtalerman

Platform SSO deep-dive: https://twocanoes.com/psso-technical-deep-dive/

New for PSSO in macOS Sequoia: https://twocanoes.com/new-for-psso-in-macos-sequoia/

Apple docs: https://developer.apple.com/documentation/authenticationservices/platform-single-sign-on-sso

Should we start a research ticket for Platform SSO? Thanks. @lukeheath @noahtalerman

noahtalerman avatar Jul 03 '24 14:07 noahtalerman

PSSO requires an authentication provider extension (typically called a Single Sign-On Extension, or SSOE) inside a container app installed on the Mac system. A configuration profile must also be installed to the Mac system from a Mobile Device Management (MDM) service to configure PSSO. Once both of these components are installed on the Mac system, any logged-in user will be prompted for device registration, then user registration. Any existing local users who have not registered will be requested to register on the next login.

nonpunctual avatar Jul 03 '24 15:07 nonpunctual

https://twocanoes.com/products/mac/xcreds/

nonpunctual avatar Aug 06 '24 16:08 nonpunctual

https://jumpcloud.com/support/google-workspace-integration-overview

nonpunctual avatar Nov 22 '24 00:11 nonpunctual

Jumping on the bandwagon here to add support for this request (support for this: https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313) in MDM.

This is something which would bring FleetDM up on my list and on the lists of others I have talked to.

justinb-dfw avatar Apr 17 '25 15:04 justinb-dfw

Heads up @noahtalerman @nonpunctual - customer-starchik asked me to remove their tag as this is not something they want or need. Thanks!

Patagonia121 avatar May 07 '25 00:05 Patagonia121

@noahtalerman this came up today on the call with customer-fourier, so I attached a Gong snippet and tagged back to your board in case there's anything else you want to add to the problem statement. I would love to get this shipped for them as it's the only thing they called out that would make the end user experience a lot more seamless. Perhaps we can eval at Feature Fest. I'll add it to the next pinned list we have in CS w/ @zayhanlon

Patagonia121 avatar May 28 '25 19:05 Patagonia121

Problem

Today we integrate with IdPs via the macOS setup assistant and can use the IdP nameID to populate the user shortname when creating the first end user (local) account. We need to be able to constantly sync the password between the IdP and local user account to account for password resets within the IdP.

The pain right now is that end user passwords become out of sync with the IdP (where the user maintains their password) and the local macOS account.

allenhouchins avatar Jun 17 '25 18:06 allenhouchins

New PSSO is super important here...

nonpunctual avatar Jun 17 '25 21:06 nonpunctual