To enable single sign-on for native macOS apps and websites across a range of authentication methods, configure the SSO Extension profile with the Generic extension type. You can also use the built-in Kerberos extension (macOS 10.15 and later) to log users into native apps and to keep the local user password in sync with the directory password. With the SSO Extension profile in place, users are not prompted for their user name and password when they access the configured URLs. This profile applies only to macOS 10.15 and later devices.

On macOS 10.15, the SSO Extension profile is available only in the Device context. Starting with macOS 11 Big Sur, admins can create either a Device or a User profile, depending on their deployment needs; the User profile context is supported only on macOS 11 or later.


  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple iOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.
  2. Configure the profile's General settings.
  3. Select the SSO Extension payload.
  4. Configure the profile settings.
    Setting Description
    Extension Type Select the type of SSO extension for the application. If Generic is selected, enter the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier text box. If Kerberos is selected, provide the Active Directory Realm and Domains.
    Type Select the type of SSO, either Credential or Redirect. Use Credential for challenge/response authentication (such as Kerberos); use Redirect for OpenID Connect, OAuth, and SAML authentication.
    Team Identifier Enter the Team Identifier of the application extension that performs SSO for the specified URLs. The Team Identifier is required on macOS, and for the built-in Kerberos extension the value must be apple.
    URLs Enter one or more URL prefixes of identity providers for which the application extension performs SSO. Required for Redirect payloads; ignored for Credential payloads. Each URL must begin with http:// or https://; the scheme and host name are matched case-insensitively; query parameters and URL fragments are not allowed; and the URLs of all installed Extensible SSO payloads must be unique.

    Additional Settings Enter additional settings for the profile as XML; the content is added to the ExtensionData node of the payload.
    Active Directory Realm This option appears only if Kerberos is selected as the Extension Type. Enter the Kerberos realm name. This value is required for Credential payloads and ignored for Redirect payloads, and it must be properly capitalized. In an Active Directory forest, this is the realm in which the user logs in.
    Domains Enter the host names or the domain names which can be authenticated through the application extension. Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique.
    Use Site Auto-Discovery Enable this option to have the Kerberos extension automatically use LDAP and DNS to determine the Active Directory site name.
    Allow Automatic Login Enable this option to allow passwords to be saved to the keychain.
    Require User Touch ID or Password Enable this option to require the user to provide Touch ID, Face ID, or the passcode to access the keychain entry.
    Certificate Select the certificate payload, from the same MDM profile, to push to the device along with the extension.
    Allowed Bundle IDs Enter the list of application bundle IDs that are allowed to access the Kerberos Ticket Granting Ticket (TGT).
  5. Configure Password Settings when Kerberos is selected as the Extension type for the application.
    Setting Description
    Allow Password Change Enable this option to let users change their password through the extension; disable it to block password changes.
    Sync Local Password Enable or disable syncing of the local account password with the directory password. Password syncing does not work if the user is logged in with a mobile account on a macOS device.
    Match AD Password Complexity Enable or disable the requirement that passwords meet Active Directory's password complexity rules.
    Password Change Message Provide the text for the password requirements to the user.
    Minimum Password Length (in characters) Enter the value for the minimum number of characters to be used for a user's password.
    Password History Count (number of passwords) Enter the number of prior passwords that cannot be reused on the domain.

    Password Minimum Age (in days) Enter the minimum number of days before the user can change their password.
    Password Expire Notification (in days) Enter the number of days before the user gets notification of their password expiry.
  6. Select Save and Publish.
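The settings above map onto Apple's Extensible Single Sign-On payload (PayloadType com.apple.extensiblesso), which is what the console ultimately delivers to the device. The following Python script is an added example, not Workspace ONE or Apple code: it builds a Kerberos (Credential) payload and a Generic (Redirect) payload, enforces the URL and Domain rules from the settings table (http/https only, no query or fragment, case-insensitive scheme/host and host names, uniqueness across all installed Extensible SSO payloads), and renders the result as a plist that can be compared with what the console produces. The ExtensionData key names are taken from Apple's Extensible SSO payload specification and are assumed to be what the console fields map to; the realm, domains, bundle IDs, team identifier, extension identifier and URLs are constructed sample values.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"  # Apple's built-in extension


class SsoPayloadError(ValueError):
    """A value that violates the Extensible SSO payload rules."""


def normalize_url_prefix(url: str) -> str:
    """URL rules from the settings table: http(s) only, no query or fragment; scheme and
    host are matched case-insensitively, so lower-case them (the path is kept as entered)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise SsoPayloadError(f"URL must begin with http:// or https:// and name a host: {url!r}")
    if parts.query or parts.fragment:
        raise SsoPayloadError(f"query parameters and URL fragments are not allowed: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def password_settings(*, allow_change=True, require_ad_complexity=True, min_length=12,
                      history_count=24, min_age_days=1, expire_notification_days=14,
                      change_message="Passwords must be at least 12 characters.") -> dict:
    """ExtensionData keys behind the Password Settings step (Apple key names, assumed mapping)."""
    return {"allowPasswordChange": allow_change, "pwReqComplexity": require_ad_complexity,
            "pwMinLength": min_length, "pwHistoryCount": history_count, "pwMinAge": min_age_days,
            "pwExpireNotificationDays": expire_notification_days, "pwChangeMessage": change_message}


def kerberos_payload(realm: str, domains: list, *, allowed_bundle_ids=(), allow_automatic_login=True,
                     require_user_presence=False, sync_local_password=True,
                     use_site_auto_discovery=True, password_settings=None) -> dict:
    """Credential-type payload for the built-in Kerberos extension; TeamIdentifier must be 'apple'."""
    if realm != realm.upper():  # Kerberos realms are conventionally upper case ("properly capitalized")
        raise SsoPayloadError(f"Kerberos realm should be upper case: {realm!r}")
    extension_data = {
        "allowAutomaticLogin": allow_automatic_login,    # Allow Automatic Login
        "requireUserPresence": require_user_presence,    # Require User Touch ID or Password
        "syncLocalPassword": sync_local_password,        # Sync Local Password
        "useSiteAutoDiscovery": use_site_auto_discovery,  # Use Site Auto-Discovery
    }
    if allowed_bundle_ids:
        extension_data["credentialBundleIdentifier"] = list(allowed_bundle_ids)  # Allowed Bundle IDs
    extension_data.update(password_settings or {})
    return {"PayloadType": "com.apple.extensiblesso", "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": f"com.example.sso.kerberos.{realm.lower()}",
            "PayloadDisplayName": f"Kerberos SSO ({realm})",
            "ExtensionIdentifier": KERBEROS_EXTENSION_ID, "TeamIdentifier": "apple",
            "Type": "Credential", "Realm": realm, "Hosts": list(domains),
            "ExtensionData": extension_data}


def redirect_payload(extension_id: str, team_id: str, urls: list, display_name: str) -> dict:
    """Redirect-type payload for a Generic (third-party) extension handling OIDC/OAuth/SAML."""
    return {"PayloadType": "com.apple.extensiblesso", "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": f"com.example.sso.{extension_id}",
            "PayloadDisplayName": display_name, "ExtensionIdentifier": extension_id,
            "TeamIdentifier": team_id, "Type": "Redirect",
            "URLs": [normalize_url_prefix(u) for u in urls]}


def profile_problems(payloads: list) -> list:
    """Cross-payload checks: URLs (Redirect) and Hosts (Credential) must be unique across every
    installed Extensible SSO payload; URLs on Credential payloads are ignored, so not checked."""
    problems, seen_urls, seen_hosts = [], {}, {}
    for p in payloads:
        name = p["PayloadDisplayName"]
        if p["Type"] == "Redirect":
            if not p.get("URLs"):
                problems.append(f"{name}: Redirect payload requires at least one URL")
            for u in p.get("URLs", []):
                try:
                    key = normalize_url_prefix(u)
                except SsoPayloadError as e:
                    problems.append(f"{name}: {e}")
                    continue
                if key in seen_urls:
                    problems.append(f"{name}: URL {u!r} duplicates payload {seen_urls[key]!r}")
                seen_urls.setdefault(key, name)
        else:
            for h in p.get("Hosts", []):
                key = h.lower()  # host/domain names are matched case-insensitively
                if key in seen_hosts:
                    problems.append(f"{name}: domain {h!r} duplicates payload {seen_hosts[key]!r}")
                seen_hosts.setdefault(key, name)
    return problems


def render_profile(payloads: list, display_name="SSO Extension") -> bytes:
    """Wrap the payloads in a device-scoped configuration profile and emit plist XML."""
    problems = profile_problems(payloads)
    if problems:
        raise SsoPayloadError("; ".join(problems))
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadScope": "System",  # Device context: the only option on macOS 10.15
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadIdentifier": "com.example.sso.profile",
                           "PayloadDisplayName": display_name, "PayloadContent": payloads})


if __name__ == "__main__":
    kerb = kerberos_payload("AD.EXAMPLE.COM", ["ad.example.com", ".example.com"],
                            allowed_bundle_ids=["com.example.app"], password_settings=password_settings())
    generic = redirect_payload("com.example.ssoextension", "ABCDE12345",
                               ["https://IdP.Example.com/oauth2"], "Generic Redirect SSO")
    print(render_profile([kerb, generic]).decode())
```

Run the script to print the profile; if two payloads share a host name (compared case-insensitively) or a Redirect URL prefix, render_profile refuses to emit the profile and names both payloads, which is the same collision the device would reject after publishing.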