By Gareth Oxendine

Enabling SSO for Chrome using Intune and Platform SSO (macOS)

Chrome is currently the most popular browser, so it is important that end users get a seamless single sign-on (SSO) experience in it. Similar to Windows devices, if you use a macOS device and sign in to an application that uses Entra ID to authenticate, other applications and websites will automatically sign you in if you have enabled the SSO app extension plugin in Intune.


Unfortunately, the SSO app extension plugin does not work for Chrome, but I have good news! Microsoft recently released a new feature called Platform SSO that enables Chrome to have a seamless SSO experience. Platform SSO for macOS also offers other features, but the one I want to focus on in this article is SSO for Chrome; we'll discuss the steps involved in enabling this feature using Intune.


Prerequisites

Before deploying Platform SSO to your macOS devices, ensure that the following requirements are met:

  • Devices are running macOS 13.0 or newer.

  • Devices have version 5.2404.0 or newer of the Intune Company Portal app installed.


Deployment Components

Before we dive into the deployment steps, I want to give you the three main components involved in the Platform SSO deployment.


Deployment Process


Part 1: Deploy the Chrome SSO Browser Extension

Microsoft provides an SSO browser extension in the Chrome Web store. The task is to deploy it to the macOS devices in your environment. One way is to create a custom PLIST file for Chrome and deploy it using a Configuration Profile. I'll list the steps below for this specific situation, but to learn more about deploying PLIST files to macOS devices, view the article below:



Step 1

Copy the XML code below and paste it into a program like Xcode, TextEdit, or Visual Studio Code. Save the file with either a .plist or .xml file extension; it does not matter which one you choose.
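As an added example (not the article's own XML), the script below writes a plist for the com.google.Chrome preference domain that uses Chrome's ExtensionInstallForcelist policy to force-install the Microsoft Single Sign On extension, then checks the result. The extension ID and update URL are the ones Microsoft's Enterprise SSO plug-in documentation publishes as I recall them; confirm the ID against the extension's Chrome Web Store URL before deploying.

```shell
#!/bin/bash
# Added example: builds the Chrome managed-preferences plist that force-installs
# the Microsoft Single Sign On extension, then verifies the file it wrote.
# EXT_ID is the extension's Chrome Web Store ID as given in Microsoft's docs
# (assumption: confirm it against the Web Store listing before deploying).
EXT_ID="ppnbnpeolgkicgegkbkbjmhlideopiji"
UPDATE_URL="https://clients2.google.com/service/update2/crx"

# Write the plist for preference domain com.google.Chrome to the path given.
write_chrome_sso_plist() {
    local out="$1"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>${EXT_ID};${UPDATE_URL}</string>
    </array>
</dict>
</plist>
EOF
}

# Sanity check before upload: the file must declare the force-install key and
# reference exactly the extension/update-URL pair above.
verify_chrome_sso_plist() {
    local f="$1"
    [ -s "$f" ] || return 1
    grep -q '<key>ExtensionInstallForcelist</key>' "$f" || return 1
    grep -q "<string>${EXT_ID};${UPDATE_URL}</string>" "$f" || return 1
    # plutil exists only on macOS; lint the XML syntax when it is available.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$f" >/dev/null || return 1
    fi
    return 0
}

# Usage: ./make-chrome-sso-plist.sh /path/to/com.google.Chrome.plist
if [ -n "${1:-}" ]; then
    write_chrome_sso_plist "$1" && verify_chrome_sso_plist "$1" && echo "wrote $1"
fi
```

Upload the resulting file as the Property List File in the Intune preference file profile described in Step 2.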

Step 2

Next, we'll deploy the PLIST file using an Intune configuration profile. See the steps below:

Creating a macOS Preference File using a Configuration Profile template.

  1. Open the Endpoint Manager (Intune) portal.

  2. Select Devices in the left-hand menu blade.

  3. Select macOS > Configuration (expand Manage Devices).

  4. Select + Create > + New Policy.

  5. Platform: macOS

  6. Profile type: Templates > Preference file

  7. Select Create.

  8. Under the Basics tab, input a name and optionally, a description.

Adding the preference domain name and uploading the PLIST file to the preference file configuration profile using Intune.

  • Preference Domain Name: com.google.Chrome

  • Property List File: select the folder icon to search for and upload the PLIST/XML file you copied and saved earlier.


Once done, select Next, choose the device assignment, and create the configuration profile.



Part 2: Deploy the latest version of the Company Portal App

I know this was listed as a prerequisite, but now would be a good time to double-check that all of your targeted macOS devices have the latest version of the Intune Company Portal App. Click here to check the latest version.



Part 3: Create the Platform SSO Policy

Below are a few points worth noting before enabling the Platform SSO policy for your devices.

  • Your devices will become Entra ID joined if they weren't already.

  • Once the policy is enabled and users complete the prompt, single sign-on will be available for all applications and websites that support it. By enabling the policy, you are activating the SSO app extension.

  • You will need to choose an authentication method that will decide how users authenticate to Entra ID and receive the SSO token; the method you choose may change the way your users sign in to the device. You have three options to choose from, each having pros and cons. Click here to learn more about the three options.


Click the link below to view Microsoft's helpful step-by-step guide on deploying the policy in Intune.


Once you've created and assigned the Platform SSO policy to your enrolled devices, the users will see a registration notification (see image below). Users must click on this notification, enter their Entra ID credentials, and provide MFA (if needed). Please note that Platform SSO will NOT work unless users complete the registration process. Also, see the note below from Microsoft on what happens once a user completes registration:

When they successfully authenticate, the device is Microsoft Entra-joined to the organization and the workplace join (WPJ) certificate is bound to the device.

Part 4: Unassign the Legacy SSO App Extension Profile

If you previously created and deployed the SSO app extension plugin configuration profile, you will need to unassign it from your devices. If you are unsure whether you deployed the SSO App Extension profile, click here for a refresher on what it is.



Part 5: End Result (Testing)

After the end-user has completed the registration process and has signed out and signed back in, SSO should be activated for all supporting applications (especially Chrome) and websites.


To test, a user should be able to navigate to https://portal.office.com and not have to sign in. If this is not the case, see the troubleshooting section below.


Troubleshooting

If you have done all of the steps above and Chrome still does not allow SSO (e.g. the user is asked to provide credentials to Office), then try the steps below:


Cause

Most likely, the cause is that the Company Portal application is missing a needed JSON file.


Solution

Option 1: Uninstall/Reinstall the Company Portal Application

  1. Uninstall the application from the user's device.

  2. Click here to get the latest version of the Intune Company Portal App.

  3. Reinstall the app.

  4. Check the following file path to see if the JSON file exists: ~/Library/Application\ Support/Google/Chrome/NativeMessagingHosts/com.microsoft.browsercore.json


Option 2: Deploy a Script that Copies the JSON File

Rather than uninstalling and reinstalling the application, you can copy the JSON file to the appropriate location. You can use the script below and deploy it using Intune. For a refresher on deploying bash scripts using Intune, view the article below:
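The article's own script is not reproduced on this page; as an added example (my code, not the author's), the following Intune shell script checks for the manifest at the path named in Option 1 and copies it into place only when it is missing. SRC_JSON is a placeholder for wherever you keep a known-good copy of com.microsoft.browsercore.json; the console-user lookup via stat and dscl is the usual macOS pattern and runs only on macOS.

```shell
#!/bin/bash
# Added example (not the article's script): ensures the native messaging host
# manifest Chrome needs for the Microsoft SSO extension exists in the user's
# profile, copying it from SRC_JSON when missing. Meant to run as root via an
# Intune shell script. SRC_JSON is a placeholder path: point it at your copy.
SRC_JSON="${SRC_JSON:-/path/to/com.microsoft.browsercore.json}"
REL_DIR="Library/Application Support/Google/Chrome/NativeMessagingHosts"
MANIFEST="com.microsoft.browsercore.json"

# ensure_browsercore_json SRC HOME_DIR [OWNER]
# Returns 0 when the manifest is present (already, or after copying), non-zero on failure.
ensure_browsercore_json() {
    local src="$1" home="$2" owner="${3:-}"
    local dest_dir="$home/$REL_DIR" dest
    dest="$dest_dir/$MANIFEST"
    if [ -s "$dest" ]; then
        echo "manifest already present: $dest"
    else
        [ -s "$src" ] || { echo "source manifest missing: $src" >&2; return 2; }
        mkdir -p "$dest_dir" || return 3
        cp "$src" "$dest" || return 3
        echo "copied manifest to $dest"
    fi
    # A Chrome native messaging host manifest must at least name the host and its binary.
    grep -q '"name"' "$dest" && grep -q '"path"' "$dest" \
        || { echo "manifest malformed: $dest" >&2; return 4; }
    # Chrome reads the file as the user, so hand ownership back when an owner is given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest_dir" || return 5
    fi
    return 0
}

# Entry point for Intune (macOS only): resolve the console user and their home folder.
if [ "$(uname)" = "Darwin" ]; then
    console_user=$(stat -f%Su /dev/console)
    user_home=$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $2}')
    ensure_browsercore_json "$SRC_JSON" "$user_home" "$console_user"
fi
```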

