ExtensibleSingleSignon

Hi Community,

We are happy to see how Apple is committed to making the true Single Sign-On experience and providing a seamless user experience.

Hence we have been testing the ExtensibleSingleSignOn profile-specific payload using the extensions provided by Microsoft for Azure AD: the Company Portal app for macOS and the Authenticator app for iOS, respectively. In both cases we have tried to deny the SSO flow for some native apps like Excel and Word by specifying their bundle IDs in the "DeniedBundleIdentifiers" key provided in the ExtensibleSingleSignOn profile. Even though we specify them, these apps still seem to go through the SSO flow and have not prompted for any credentials.

May I know what the behaviour of the "DeniedBundleIdentifiers" key is, and why in this case it didn't block the SSO flow?

And also, to have some knowledge on it: is it the responsibility of the extensions to block the redirection from these apps, or the responsibility of Apple?

DeniedBundleIdentifiers should prevent an app from triggering extensible SSO.

It's plausible that the Microsoft apps are using a shared container to share account information between the apps, giving the impression that extensible SSO is signing in an app despite the DeniedBundleIdentifiers value.

I suggest filing feedback with Apple. First install the "Enterprise SSO and Kerberos" profile from https://developer.apple.com/bug-reporting/profiles-and-logs/, reproduce the issue, then take a sysdiagnose and attach it to the feedback along with timestamps of when the unexpected behavior occurred. A video of the repro would be helpful as well.
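To make the key under discussion concrete, here is an added example (not code from the thread or from Apple or Microsoft) that builds a configuration profile containing an ExtensibleSingleSignOn payload with DeniedBundleIdentifiers set, and a small checker that answers the question the original poster is asking: would the profile tell the system not to invoke the extension for a given bundle ID? The extension identifier, team ID and URLs for Microsoft's macOS extension, and the Excel/Word bundle IDs, are assumptions taken from memory of Microsoft's published documentation and should be verified before deployment; the PayloadIdentifier values are placeholders.

```python
"""Build and inspect an ExtensibleSingleSignOn profile (added example, not from the thread)."""
import plistlib
import uuid
from typing import Any, Dict, Iterable, List

# ASSUMPTIONS (not from the thread): Microsoft's documented macOS SSO extension
# identifier, team ID and sign-in URLs. Verify against current Microsoft docs.
MS_MACOS_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
MS_MACOS_TEAM_ID = "UBF8T346G9"
MS_SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]

EXTENSIBLE_SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"


def build_extensible_sso_profile(denied_bundle_ids: Iterable[str]) -> Dict[str, Any]:
    """Return a configuration profile dict with one ExtensibleSingleSignOn payload.

    DeniedBundleIdentifiers tells the OS not to route the listed apps through the
    SSO extension. It does NOT stop those apps from reading credentials that a
    sibling app has already placed in a shared container or keychain group, which
    is the behaviour the answer above suspects is masking the deny list.
    """
    payload = {
        "PayloadType": EXTENSIBLE_SSO_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.extensiblesso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Extensible SSO (Microsoft)",
        "ExtensionIdentifier": MS_MACOS_EXTENSION_ID,
        "TeamIdentifier": MS_MACOS_TEAM_ID,
        "Type": "Redirect",  # Microsoft's extension is a redirect-type extension
        "URLs": list(MS_SSO_URLS),
        "DeniedBundleIdentifiers": sorted(set(denied_bundle_ids)),
    }
    return {
        "PayloadContent": [payload],
        "PayloadDisplayName": "Extensible SSO",
        "PayloadIdentifier": "com.example.sso",  # placeholder
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
    }


def serialize_profile(profile: Dict[str, Any]) -> bytes:
    """Serialize the profile as an XML plist, the form an MDM pushes as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def _extensible_sso_payloads(profile_bytes: bytes) -> List[Dict[str, Any]]:
    profile = plistlib.loads(profile_bytes)
    return [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == EXTENSIBLE_SSO_PAYLOAD_TYPE
    ]


def denied_bundle_ids(profile_bytes: bytes) -> List[str]:
    """Collect every bundle ID denied by any ExtensibleSingleSignOn payload in the profile."""
    denied: List[str] = []
    for payload in _extensible_sso_payloads(profile_bytes):
        denied.extend(payload.get("DeniedBundleIdentifiers", []))
    return sorted(set(denied))


def sso_denied_for(profile_bytes: bytes, bundle_id: str) -> bool:
    """True if the profile instructs the OS not to invoke the SSO extension for bundle_id."""
    return bundle_id in denied_bundle_ids(profile_bytes)


if __name__ == "__main__":
    # Assumed bundle IDs for the two apps named in the question.
    blob = serialize_profile(build_extensible_sso_profile(["com.microsoft.Excel", "com.microsoft.Word"]))
    print(blob.decode())
    for app in ("com.microsoft.Excel", "com.microsoft.Outlook"):
        print(app, "denied" if sso_denied_for(blob, app) else "allowed")
```

The checker only reflects what the profile declares. If an app listed in DeniedBundleIdentifiers still signs in silently, the profile is not the place to look; as the answer says, the next step is the "Enterprise SSO and Kerberos" logging profile plus a sysdiagnose, which will show whether the extension was invoked for that bundle ID at all.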
