Updates

New for PSSO in macOS Sequoia

PSSO got some new things in Sequoia.

New Policies

  • FileVaultPolicy: How to cloud login at FileVault login window.
  • LoginPolicy: How to cloud login at main login window
  • UnlockPolicy: How to cloud login at lock screen

Timing

  • AuthenticationGracePeriod
  • OfflineGracePeriod

Other

  • NonPlatformSSOAccounts
  • Some UI Changes as well.

The changes are published on the developer site.

UI Changes

Let’s talk about the UI changes first. When PSSO is set up with a config profile and an extension in an app, the user is still prompted with a local notification at first login to register the device and user account. However, there is now a new UI that shows info and progress.

There are some changes in the messages in the login window as well. If the policy requires cloud login but it is unavailable, the login window let’s you know about it.

New policies

The three new poliicies, FileVaultPolicy, LoginPolicy, and UnlockPolicy allow you to specify what is required at FileVault, Login Window and Screen unlock, respectively. Each policy has 3 options:

AttemptAuthentication, RequireAuthentication, AllowOfflineGracePeriod, AllowAuthenticationGracePeriod

UnlockPolicy has an additional option: AllowTouchIDOrWatchForUnlock

From my testing and the naming, AttemptAuthentication doesn’t require the cloud service to be successful, but if the authentication is successful, a SSO token will be retrieved. RequireAuthentication stops the authentication if the cloud login fails. AllowOfflineGracePeriod and AllowAuthenticationGracePeriod appear to be 2 different timings you can specify that allow how long between successful cloud logins.

So you can unlock FileVault, LoginWindow, or LockScreen with just the local password if you have authenticated with the Identity Provider within the specified time period.

The UnlockPolicy option AllowTouchIDOrWatchForUnlock allows touch ID or Watch to unlock the lock screen. I haven’t tested if that triggers a refresh but may.

The other new key is NonPlatformSSOAccounts. In earlier releases, all local accounts would be prompted to register. NonPlatformSSOAccounts is an array of local usernames that will not be prompted for cloud account registriation.

Also, when you perform an authentication, you get a local notification each time that lets you know your token has been refreshed.

More testing to do as the new OS beta get released, and I am doing a session at PSU MacAdmins, so if you are interested in all things PSSO, check out my PSSO page. Info on how you can set up your own PSSO server, tutorials for creating a single sign-on extension and adding your own PSSO functionality to your apps.