User Profile

We don't want to enroll the device. Are there any APIs that can be used to get TGT and then save tickets into device for future use of the sites in the sso list?

In order to push profile to ios device, the device must be managed. If we don’t want to manage the device, how to do Kerberos sso? Are there any APIs that can be used to get TGT and then save tickets into device for future use of the sites in the sso list?

how can I connect Apple support team?

I created two kerberos sites in IIS and add them into below profile to verify kerberos sso. My finding is after I open site#1 in safari and sign in site by input username and password, when I open site#2 in safari, my expect is it should sign in automatically without pop up password dialog, but actually, let user input password dialog is shown again. Is my test method wrong? How can I verify kerberos SSO?<!-- Customize any area that contains curly brackets {} --><!-- Random GUIDs can be generated here http://www.guidgenerator.com/ --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple/DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"><dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDisplayName</key> <string>SSO Settings</string> <key>PayloadType</key> <string>com.apple.sso</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>01278adf-9f52-4ec3-8ef5-ca8050bae986</string> <key>PayloadIdentifier</key> <string>com.company.sso</string> <key>Name</key> <string>company Domain</string> <key>Kerberos</key> <dict> <key>Realm</key> <string>COMPANY.COM</string> <key>URLPrefixMatches</key> <array> <string>http://site1</string> <string>http://site2/</string> </array> <key>AppIdentifierMatches</key> <array> <string>com.apple.mobilesafari</string> </array> </dict> </dict> </array> <key>PayloadOrganization</key> <string>company</string> <key>PayloadDisplayName</key> <string>Single Sign-On Profile</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>b1b13d65-06de-4550-bdb4-26763ca6d185</string> <key>PayloadIdentifier</key> <string>com.company.sso.profile</string> <key>PayloadDescription</key> <string>Enables Kerberos Authentication</string> <key>PayloadType</key> <string>Configuration</string></dict></plist>

Do you mean kerberos SSO is supported automatically by iOS without any code change in my app?From this document(https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/), to config SSO, I need to create a configration profile includes the user principal name (that is, the Active Directory user account) and Kerberos realm settings, as well as configuring our app and/or Safari web URLs should be allowed to use SSO. And then install the config file into the device, after that, our app should support kerbers SSO, right?

MAM means mobile application management, it doesn't require enroll device.

How about if I just want the PAC apply to my app?

The answer in the other thread is based on MDM. Is it possbile work in MAM?

For iOS.

How to do it in enterprise environment?

what does "that’s only on supervised devices" mean? if it is an enterprise environment, how to set proxy by app? how to set device level proxy?

The most important scenario is to fix enertprise user's requirement. They are managed accounts. QA1745 Making Certificates and Keys Available To Your App explains to use digital identities in our apps, we need to write code to import them. Is there a detail guideline about how to import them to non-apple-provided apps and support client certificate based authentication in our app? How to automatically know which certificate should be used for target site?