In the podcast I did from 2012 to 2017 with Fraser Speirs, I became very focused on identity becoming a central part of the IT management experience. This time period was during the continued transition from on-prem servers and services to SaaS becoming the default. Apple’s vision for single sign-on in the enterprise took another step forward at WWDC 2022, so let’s look at what was announced regarding SSO, IdPs, and Apple’s identity vision for the enterprise.
In iOS and iPadOS 15, Apple used a simple access token authorization mechanism to allow the device management server to verify a user’s identity. In iOS and iPadOS 16, Apple is taking it to the next level by adding OAuth 2 support. OAuth 2 support will allow MDM servers to work with a wider variety of identity providers that are already compatible with OAuth 2. Instead of building a custom integration for each one, MDM providers can leverage OAuth 2 for any identity provider that supports it.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Drawing on his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, hundreds of Macs, and hundreds of iPads, Bradley highlights ways in which Apple IT managers deploy Apple devices, build networks to support them, and train users, shares stories from the trenches of IT management, and suggests ways Apple could improve its products for IT departments.
Enrollment Single Sign-on is a new method for personal devices to complete an MDM enrollment and access company apps and web SaaS platforms with a single authentication. Once you download an app that’s compatible with Enrollment SSO, a user can be automatically logged in with their Managed Apple ID that’s synced to Azure AD or Google Workspace. In order to use Enrollment SSO, you’ll need:
An app that’s been configured to support enrollment SSO
An MDM solution that’s been federated with an identity provider
A Managed Apple ID created in Apple Business Manager (or Apple School Manager)
An MDM server that’s been configured to return the information the app needs to authenticate the end user
Enrollment Single Sign-on won’t be available at launch, but will come in a later update to iOS 16.
In macOS 13 Ventura, Platform Single Sign-on allows end users to sign in once at the macOS login window and then also be signed in to apps and websites that are compatible with the identity provider the company uses. An example would be signing in to macOS using Okta at the login window and then automatically being logged in to Slack and Jira instances that use the same IdP. Apple said that Platform SSO is the modern replacement for Active Directory binding (good riddance).
Apple announced some exciting things at WWDC 2022 relating to its vision for identity. These announcements are just the beginning of this process, as MDM and IdP vendors will need to build in support as Apple releases this functionality later in the iOS 16 and macOS Ventura release cycles, but the vision is a compelling one for the future of identity in the workplace.