Setup experience: Use credentials from end-user IdP authentication to create first user on macOS

[ddribeiro]

• customer-pratchett: Gong snippet *Will work on a better one
  • @kc9wwh: Pratchett is requesting this for Okta.
• @noahtalerman: User requested this because they want to streamline the macOS Setup Assistant experience by auto-creating the local user account using the same credentials (username and password) entered during IdP authentication. This avoids asking the user to input their password twice and ensures better alignment with identity provider credentials. Currently, Fleet only populates the username.
  • @noahtalerman: In the interim they manually direct users to set their password again during setup, which creates friction, increases confusion, and raises support burden.
    • @noahtalerman: Would Platform SSO achieve this?
      • @allenhouchins: Not for the first time user account creation. With Platform SSO, the end user would have to type in their password more than once.
      • @marko-lisica: It will be possible to set up Platform SSO during Setup Assistant in macOS 26.
  • @noahtalerman: Eventually Fleet could capture the user’s password during IdP authentication and pass it through in the AccountConfigured MDM command, so that the account is automatically created with those credentials and skips the account creation UI, as supported by Apple.

[Sampfluger88]

Linked to Unthread ticket:

Inquiry about Fleet's custom webview during enrollment with Okta #5379

[ddribeiro]

This is related to and similar to #27933, but IMO distinct enough to be tracked in a separate request

[noahtalerman]

Gong snippet: Customer does not allow recordings

Problem

Currently, with end-user authentication during enrollment in the macOS setup assistant, Fleet can autofill the account primary name and username retrieved from the IdP. However, the password field still needs to be set by the user despite just having provided it to the IdP.

customer-numa would like Fleet to take the credentials passed to the IdP during end user authentication and use them to create the local user account on the Mac. This workflow seems to be supported by Apple in the AccountConfiguration MDM command:

If the user’s password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.

What have you tried?

I checked the code to see if the password was returned to Fleet after the end-user IdP authentication, but it doesn't seem to be. We appear to be populating the primary account name and username properties of the AccountConfigured command from the mdm_idp_accounts table in the database. The password is not stored here.

Potential solutions

Per Apple’s documentation, Fleet could take the password that is provided during the end-user IdP authentication and use it in the AccountConfigured command. This would skip local account creation and create the first account using the username and password provided during end-user authentication.

What is the expected workflow as a result of your proposal?

An IT admin would configure their team to use credentials provided during the end-user authentication to create the primary account on the computer. The end user would skip the account creation screen during the setup experience. This would ensure the local account password for the Mac is the same as the IdP password. The end user would be brought to the login screen and be able to log into their computer using the same password as their IdP account.