
gillespi314
Contributor

Resolves #33566

Background

Apple introduced new Platform SSO functions on macOS 26 (Tahoe) to streamline the user authentication
during Setup Assistant.

https://developer.apple.com/documentation/devicemanagement/implementing-platform-sso-during-device-enrollment
https://developer.apple.com/documentation/devicemanagement/errorcodeplatformssorequired
https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignon
https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313/web

Company Portal is the Microsoft application used for PSSO on Apple devices. Microsoft says Company
Portal does not include support for the newly introduced Platform SSO functions on macOS Tahoe 26.
According to Microsoft, these functions will be evaluated and incorporated into future Company
Portal releases as appropriate. No timeline is provided.

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/now-generally-available-platform-sso-for-macos-with-microsoft-entra-id/4437424
https://learn.microsoft.com/en-us/intune/intune-service/configuration/platform-sso-macos
https://learn.microsoft.com/en-us/intune/intune-service/configuration/use-enterprise-sso-plug-in-macos-with-intune

Okta has similarly stated that their Okta Verify app does not currently support the new Platform SSO
functions on macOS 26.

Additionally, Jamf reported the same lack of IdP support in their blog post regarding the new Platform
SSO functions. https://www.jamf.com/blog/macos-26-platform-sso-simplified-setup/

Additional investigation

Despite the IdP vendors' statements about lack of current support, there have been isolated reports
that community members have been able to use new Platform SSO functions on macOS 26; however, the broader
community has not been able to independently confirm those isolated reports. We found no
documentation by vendors or community members that describes a working setup in any detail.

Proof of concept

Nevertheless, we endeavored to create a proof of concept implementation of the new Platform SSO
functions to see how far we could get. We were able to successfully enroll a macOS 26 device
using the new Platform SSO functions, but we were not able to complete the user authentication
portion of the flow because of the lack of IdP support.

Apple describes the steps for the Platform SSO during enrollment as follows:

  1. Post a MACHINEINFO request with a PSSO indicator.
  2. Detect PSSO support for the device.
  3. Return the required 403 PSSO error response.
  4. Fetch the ExtensibleSingleSignOn profile.
  5. Return the ExtensibleSingleSignOn profile.
  6. Install the ExtensibleSingleSignOn profile.
  7. Fetch the package.
  8. Return the package.
  9. Install the package.
  10. Create a web view for AuthURL.
  11. Present the sign-in view to the user.
  12. Return an HTTP 308 redirect response.
  13. Authenticate the user.
  14. Post a MACHINEINFO request with the bearer token.
  15. Verify the bearer token.
  16. Return the enrollment profile.
  17. Enroll with the device management service.

We were able to successfully complete steps 1-11, including returning the required 403 PSSO error
with details that allow the device to configure Platform SSO and trigger an initial authentication
with the organization’s identity provider. As expected, the device requested the package manifest,
the package itself (i.e. Microsoft Company Portal app), and the ExtensibleSingleSignOn profile,
which were served by Fleet. The device successfully installed the profile and the package. The
device created a web view for the AuthURL (served by Entra) and presented the sign-in view to the user.

In the web view, we were able to successfully sign in with Entra credentials. After completing the web
view sign-in, we were presented with a second sign-in form. The second form was a Setup Assistant
dialog with a prompt to sign in to your organization using the Entra username and password.
Attempting to sign in to the second form using the same Entra credentials failed. We believe this is
because Entra does not fully support the apple-remotemanagement-user-login callback scheme used by
Platform SSO in the context of device enrollment.

Follow-up

Monitor IdP vendor announcements and community forums for support of the new Platform SSO functions
on macOS 26.

Investigate approaches to implement a Fleet-hosted AuthURL to support the
apple-remotemanagement-user-login callback scheme (the Apple docs are ambiguous on this part of
the flow). This might be similar to our existing approaches used for OTA enrollment or
account-driven enrollment flows.

Technical design considerations:

  • We should take a look at how we handle all the different Apple MDM enrollment flows. We have
    shared endpoints with ad hoc branching logic that is getting quite complex.
  • We need to adjust how we are managing DEP profile assignments to accommodate the new PSSO flow.
    • Simplified PSSO during Setup Assistant is incompatible with the configuration_web_url approach
      that we currently use for DEP enrollment with end-user auth enabled. For the new features, the
      cloudConfig profile cannot include the configuration_web_url key and must instead only use the
      url key (i.e. the same key used for DEP enrollment when end-user auth is not enabled).

Design considerations for UX for admins to configure PSSO during Setup Assistant:

  • UX for admins to upload/designate the required package (e.g. Microsoft Company Portal app)
    • Note that our existing software installer UX may not be the best fit here. The process
      contemplated by Apple seems to be closer to the way we handle InstallEnterpriseApplication
      requests for macOS, where Fleet generates and serves a manifest that in turn points to a
      package hosted by Fleet. We currently use this approach for fleetd base and the bootstrap
      package, but in earlier iterations (now deprecated) we also used to support it for other
      packages. Potentially the package could be hosted at a location specified by the
      admin; however, in that case, the admin would also need to generate/host the manifest too (or
      Fleet would need to download the package and generate the manifest).
  • UX for admins to configure the IdP settings for PSSO in Fleet, including the AuthURL
    provided by the IdP. This will probably not be a 1:1 mapping to the existing IdP settings.
  • UX for the PSSO configuration profile. There is a wide range of possible settings and we'll need
    to strike a balance between simplicity and flexibility for power users.
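The design note above contrasts the existing software installer UX with the InstallEnterpriseApplication approach, where the MDM server serves a manifest that points at a package it hosts. The security-relevant detail of that approach is that the manifest carries per-chunk digests of the package, so the device can verify what it downloaded before installing it. The following Go program is an added example written for this discussion; it is not Fleet's code and not taken from the PR. It assumes the manifest layout Apple documents for InstallEnterpriseApplication (an `items` array whose entries carry an `assets` dictionary with `kind`, `sha256-size`, `sha256s` and `url`, plus a `metadata` dictionary), and the package bytes, URL, bundle identifier and chunk size are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// ManifestMetadata holds the values written into the manifest's "metadata"
// dictionary. All values used below are constructed for the example.
type ManifestMetadata struct {
	BundleID string
	Version  string
	Title    string
}

// chunkSHA256 splits data into chunkSize-byte chunks and returns the hex
// SHA-256 of each chunk in order; the final chunk may be shorter.
func chunkSHA256(data []byte, chunkSize int) []string {
	var sums []string
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) {
			end = len(data)
		}
		h := sha256.Sum256(data[start:end])
		sums = append(sums, hex.EncodeToString(h[:]))
	}
	return sums
}

// esc XML-escapes a value before it is written into the plist, so an
// admin-supplied URL or title cannot break the document structure.
func esc(s string) string {
	var b strings.Builder
	_ = xml.EscapeText(&b, []byte(s))
	return b.String()
}

// BuildManifest renders the plist served at ManifestURL. It embeds the
// package URL and the chunk digests the device checks after downloading.
func BuildManifest(pkg []byte, pkgURL string, chunkSize int, meta ManifestMetadata) string {
	sums := chunkSHA256(pkg, chunkSize)
	var b strings.Builder
	b.WriteString(`<?xml version="1.0" encoding="UTF-8"?>` + "\n")
	b.WriteString(`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">` + "\n")
	b.WriteString("<plist version=\"1.0\"><dict><key>items</key><array><dict>\n")
	b.WriteString("<key>assets</key><array><dict>\n")
	b.WriteString("<key>kind</key><string>software-package</string>\n")
	fmt.Fprintf(&b, "<key>sha256-size</key><integer>%d</integer>\n", chunkSize)
	b.WriteString("<key>sha256s</key><array>\n")
	for _, s := range sums {
		fmt.Fprintf(&b, "<string>%s</string>\n", s)
	}
	b.WriteString("</array>\n")
	fmt.Fprintf(&b, "<key>url</key><string>%s</string>\n", esc(pkgURL))
	b.WriteString("</dict></array>\n")
	b.WriteString("<key>metadata</key><dict>\n")
	fmt.Fprintf(&b, "<key>bundle-identifier</key><string>%s</string>\n", esc(meta.BundleID))
	fmt.Fprintf(&b, "<key>bundle-version</key><string>%s</string>\n", esc(meta.Version))
	b.WriteString("<key>kind</key><string>software</string>\n")
	fmt.Fprintf(&b, "<key>title</key><string>%s</string>\n", esc(meta.Title))
	b.WriteString("</dict></dict></array></dict></plist>\n")
	return b.String()
}

// VerifyChunks re-derives the chunk digests of a downloaded package and
// compares them with the manifest's list, mirroring the device-side check.
func VerifyChunks(downloaded []byte, chunkSize int, expected []string) bool {
	got := chunkSHA256(downloaded, chunkSize)
	if len(got) != len(expected) {
		return false
	}
	for i := range got {
		if got[i] != expected[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed stand-in for a real .pkg; a real server would hash the
	// package once at upload time and store the digests with the package.
	pkg := []byte(strings.Repeat("constructed package bytes ", 64))
	meta := ManifestMetadata{BundleID: "com.example.psso-app", Version: "1.0", Title: "Example PSSO app"}
	fmt.Print(BuildManifest(pkg, "https://mdm.example.com/pkgs/example.pkg", 256, meta))
}
```

The digests should be computed when the admin uploads the package and stored alongside it, not recomputed from whatever bytes the download endpoint happens to serve at request time; otherwise a swapped package would simply come with a matching manifest. Apple's documented default chunk size is much larger than the 256 bytes used here for readability.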


codecov bot commented Oct 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.59%. Comparing base (8973500) to head (3245546).

@@            Coverage Diff             @@
##             main   #34096      +/-   ##
==========================================
- Coverage   64.23%   57.59%   -6.65%     
==========================================
  Files        2058     1554     -504     
  Lines      206902   110621   -96281     
  Branches     6899     6899              
==========================================
- Hits       132900    63710   -69190     
+ Misses      63576    42635   -20941     
+ Partials    10426     4276    -6150     
Flag Coverage Δ
backend 58.31% <ø> (-7.03%) ⬇️


// // TODO(pssopoc): replace with real service method that allows for uploading the desired PSSO app, for PoC just to call this to enforce the skipauth
// Embed the company portal app for PoC
//
//go:embed testdata/software-installers/CompanyPortal-Installer.pkg
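Review bot: the `//go:embed testdata/software-installers/CompanyPortal-Installer.pkg` directive makes the build fail for anyone who does not have that file locally, since `go build` rejects an embed pattern that matches no files; given the author's note that the package is deliberately not committed, consider guarding this PoC code with a build tag or loading the package from a runtime-configured path, so that the default build of the branch still compiles.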
Contributor Author


Note: I'm intentionally not committing this file to our repo for the PoC. For local development, you can download it here and add it to the expected location.



Development

Successfully merging this pull request may close these issues.

Proof of concept (POC): macOS setup experience: setup Platform SSO to create local user account with IdP credentials
