‘Sign-in once’ – Apple’s New Reality

This year’s Apple Worldwide Developer Conference (WWDC) was filled with many exciting first-look announcements for upcoming software releases that promise to benefit every business, no matter its size. At the event, ‘sign-in once’ was revealed as Apple’s goal for identity across iOS and macOS devices and Apple showcased new technologies that will help make this goal a reality.

In this article, we take a deeper look at what Apple has planned in the year ahead for identity across iOS and macOS devices.

Google Workspace Support

Until now, federated authentication with Managed Apple IDs was only available with Microsoft Azure AD. Apple has now extended federated authentication to Google Workspace as an Identity Provider (IdP).

This will allow users to leverage their work credentials as Managed Apple IDs for authentication to services on iOS, iPadOS, and macOS. But it’s important to remember to use Directory Sync, which Apple formerly referred to as SCIM, to create the user accounts as Managed Apple IDs automatically. This then allows you to sign in with Apple at work and school with Managed Apple IDs.

This will also work for apps that support ‘Sign in with Apple’. If you want to control where users can sign in, you can choose to allow all apps or you can add apps to an explicit allow list within Apple School Manager (ASM) or Apple Business Manager (ABM).

With Google Workspace supported alongside Microsoft Azure AD, federated authentication for Managed Apple IDs now reaches a far larger share of organisations than before.

OAuth 2.0 Support

With the release of iOS 16 and iPadOS 16, Apple will extend MDM enrolment authentication to the existing OAuth 2.0 authorisation framework. This will allow MDM servers to support even more identity providers that already use OAuth, and it strengthens security through OAuth’s refresh token mechanism: short-lived access tokens are used in conjunction with a silent refresh that won’t prompt the user for credentials.
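As an added illustration (not code from the article or from Apple), the following Python models the RFC 6749 refresh-token grant the paragraph refers to: the OAuth client presents its short-lived access token while it is valid, silently renews it with the refresh token once it expires, and only falls back to an interactive sign-in when the IdP rejects the refresh grant, which is also what happens after an administrator revokes that refresh token. The token endpoint, client id and token values are constructed in-memory stand-ins, not Apple’s or any IdP’s implementation.

```python
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for an IdP token endpoint (RFC 6749, section 6): access
# tokens are short-lived, a refresh token stays valid until it is revoked.
ACCESS_TTL = 300
_refresh_tokens = {"refresh-abc": {"client_id": "mdm-client", "revoked": False}}
_issued = {"count": 0}

def token_endpoint(form_body: str) -> tuple[int, dict]:
    """Handle a refresh_token grant posted as application/x-www-form-urlencoded."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    rec = _refresh_tokens.get(p.get("refresh_token", ""))
    if rec is None or rec["revoked"] or rec["client_id"] != p.get("client_id"):
        return 400, {"error": "invalid_grant"}  # client must fall back to interactive sign-in
    _issued["count"] += 1
    return 200, {"access_token": f"at-{_issued['count']}", "token_type": "Bearer",
                 "expires_in": ACCESS_TTL, "refresh_token": p["refresh_token"]}

def revoke_refresh_token(refresh_token: str) -> None:
    """Administrator action (offboarding, lost device): the next silent refresh fails."""
    if refresh_token in _refresh_tokens:
        _refresh_tokens[refresh_token]["revoked"] = True

def get_access_token(tokens: dict, now: float, skew: int = 30) -> tuple[str, str]:
    """OAuth client side. Returns (access_token, outcome) where outcome is 'cached',
    'refreshed' (renewed silently, no user prompt) or 'reauth_required'."""
    if tokens.get("access_token") and now < tokens["expires_at"] - skew:
        return tokens["access_token"], "cached"
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": tokens["refresh_token"],
                      "client_id": tokens["client_id"]})
    status, resp = token_endpoint(body)
    if status != 200:
        return "", "reauth_required"  # the only path that has to prompt the user
    tokens["access_token"] = resp["access_token"]
    tokens["expires_at"] = now + resp["expires_in"]
    tokens["refresh_token"] = resp.get("refresh_token", tokens["refresh_token"])
    return tokens["access_token"], "refreshed"

if __name__ == "__main__":
    t = {"client_id": "mdm-client", "refresh_token": "refresh-abc",
         "access_token": "at-0", "expires_at": 1000.0}   # constructed clock values
    print(get_access_token(t, 500.0))      # ('at-0', 'cached')
    print(get_access_token(t, 990.0))      # ('at-1', 'refreshed'), no prompt
    revoke_refresh_token("refresh-abc")
    print(get_access_token(t, 5000.0))     # ('', 'reauth_required')
```

Note that a leaked access token is only usable until `expires_at`, while revoking the refresh token ends the session at the next renewal without touching the user’s password.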

OAuth 2.0 adoption really shines when coupled with another new feature announced at WWDC 22:

Enrolment Single Sign-On

Apple is once more building on past announcements from previous technologies like extensible SSO introduced in iOS 13 and Account-Driven User enrolment in iOS 15, combining these two technologies together to give us Enrolment Single Sign-On. This will now allow users to access their organisation’s apps and data with their personal devices faster than ever before, all with the use of a single form of authentication.

In order to take advantage of Enrolment SSO, four key components need to be in place:

  1. The app developer needs to update their app to support Enrolment SSO.
  2. The MDM vendor needs to federate MDM protocol client authentication with an IdP.
  3. Administrators must set up Managed Apple IDs.
  4. Administrators need to configure the MDM server to return a URL to a JSON document in the authentication response headers.

When enrolling with Enrolment SSO, the end user will:

  1. Enter their email address within Settings.
  2. Be prompted to download the app from the App Store; this app contains the SSO extension.
  3. Sign in only once, covering enrolment, access to apps and corporate data.

With more organisations moving towards BYOD iOS devices rather than corporately owned devices, Enrolment SSO is an opportunity to adopt iOS devices using corporate identities, while providing an easy-to-complete enrolment workflow for users.

Platform SSO for macOS

Apple is building on its SSO framework for macOS, which was first introduced at WWDC 2019 and launched with Catalina. That initial release of SSO extensions allowed identity providers to provide SSO authentication for all apps and websites for their users. However, what it meant for the user was that they had to enter their credentials twice after unlocking a device, even though in many cases both sets of credentials were identical.

With the introduction of macOS Ventura, Apple has built out this SSO framework to become a true Platform Single Sign-On, or Platform SSO. Platform SSO will enable users to sign in once at the login window and then automatically sign in to apps and websites that use the organisation’s identity provider for authentication.

The first login authenticates with the local account password, which also unlocks FileVault encryption on the device, enabling the user to log in when offline or when connected to captive networks. From then on, the user can use their identity provider’s password to unlock their macOS device. This process is backed by Apple’s platform security: the Secure Enclave is used to authenticate with the IdP, and the resulting SSO tokens can then be stored in the keychain and made available to the existing SSO extension.

While Platform SSO will provide a seamless one-time login experience, it will also validate the local computer password against the identity provider. If the local computer password is out of sync with the IdP, the computer password will be adjusted accordingly.

It’s clear that Apple is pushing forward to allow organisations to truly drop the bind to Active Directory and use modern identities on macOS devices. It’s now in the hands of the IdPs to implement the protocols and build the necessary extensions, and of device management vendors to update their extensible SSO to support the changes.

Conclusion

During Apple’s “What’s new in managing Apple devices” session, Apple stated its bold claim for identity: users should ‘sign in once’ and from then on use that identity consistently across the operating systems. It’s clear from what Apple announced that they’re truly looking to make this happen; however, it is now up to the IdPs and MDM vendors to share the same mindset and adopt and take advantage of the new technologies announced at WWDC.

Although the new technologies announced are each limited to their own use case, WWDC 2022 was a fantastic step forward towards ‘sign-in once’.

Written by: Kyle Hoare, Apple Solutions Architect, Mac Centre.
