Apple's update to macOS 15.4 has introduced an enrollment issue with Okta Device Access Platform Single Sign On (SSO). To resolve this issue, a fix to Okta Verify is required and will be released in version 9.39. Additionally, a new entry is needed in the configuration profile on the Mobile Device Management (MDM). Until both are available, customers are advised to defer their Operating System (OS) updates.
- Okta Identity Engine (OIE)
- Okta Device Access (ODA)
- Platform Single Sign On (PSSO)
- macOS 15.4
- Okta Verify
To resolve an issue in macOS where Platform Single Sign On (PSSO) registration popups were not appearing as expected, Apple introduced a system-level change that affects all PSSO integrations.
Both the Okta Verify app and the associated PSSO MDM configuration payloads will need to be updated to align with Apple’s updated framework and ensure proper functionality.
- The app fix will be deployed with Okta Verify for macOS in version 9.39+, which is generally available now.
- For more information on how to obtain the latest version, refer to the manual chapter Deploy Okta Verify to macOS devices.
- The MDM payload is backward compatible and may be updated anytime by configuring an additional app identifier and associated domain within the configuration profile:
- App ID: B7F62B65BN.com.okta.mobile
  Associated Domain: authsrv:<OKTAORG>
- App ID: B7F62B65BN.com.okta.mobile.auth-service-extension
  Associated Domain: authsrv:<OKTAORG>
NOTE: The Associated Domain is the Okta org URL prefixed with authsrv:. For example, if the Okta org is oktalab.okta.com, the associated domain must be configured as authsrv:oktalab.okta.com.
Example Kandji plist. Replace accuhive.okta.com with the Okta org URL.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Configuration</key>
            <array>
                <dict>
                    <key>ApplicationIdentifier</key>
                    <string>B7F62B65BN.com.okta.mobile</string>
                    <key>AssociatedDomains</key>
                    <array>
                        <!-- replace accuhive.okta.com with your tenant address -->
                        <string>authsrv:accuhive.okta.com</string>
                    </array>
                </dict>
                <dict>
                    <key>ApplicationIdentifier</key>
                    <string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
                    <key>AssociatedDomains</key>
                    <array>
                        <!-- replace accuhive.okta.com with your tenant address -->
                        <string>authsrv:accuhive.okta.com</string>
                    </array>
                </dict>
            </array>
            <key>PayloadDisplayName</key>
            <string>Associated Domains for Okta Verify</string>
            <key>PayloadIdentifier</key>
            <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
            <key>PayloadOrganization</key>
            <string>CUSTOMER NAME</string>
            <key>PayloadType</key>
            <string>com.apple.associated-domains</string>
            <key>PayloadUUID</key>
            <string>F65C9B21-13AD-4F46-86E5-C3352E7D97B6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PlatformSSO</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>UseSharedDeviceKeys</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.okta.mobile.auth-service-extension</string>
            <key>Hosts</key>
            <array/>
            <key>TeamIdentifier</key>
            <string>B7F62B65BN</string>
            <key>Type</key>
            <string>Redirect</string>
            <key>URLs</key>
            <array>
                <!-- replace accuhive.okta.com with your tenant address -->
                <string>https://accuhive.okta.com/device-access/api/v1/nonce</string>
                <string>https://accuhive.okta.com/oauth2/v1/token</string>
            </array>
            <key>PayloadDisplayName</key>
            <string>Okta Verify Sign-On Extensions Payload</string>
            <key>PayloadIdentifier</key>
            <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
            <key>PayloadOrganization</key>
            <string>CUSTOMER NAME</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>77058B08-6943-4DEC-899A-721F55B4EEE8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Okta PSSO extension configuration</string>
    <key>PayloadDisplayName</key>
    <string>Okta PSSO extension</string>
    <key>PayloadIdentifier</key>
    <string>com.customer-name.profiles.ssoextension</string>
    <key>PayloadOrganization</key>
    <string>CUSTOMER NAME</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D78FE406-0C61-4007-8C51-FFA5FDE5F54B</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
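Before pushing an updated profile to a fleet, it is worth checking mechanically that both Okta Verify app identifiers carry the authsrv: associated domain for the right org and that the extensible SSO payload still points at that same org. The script below is an added example written for this article, not Okta's or Kandji's code. It parses a constructed, cut-down profile (a placeholder org of example.okta.com, and deliberately missing the auth-service-extension entry), reports what is wrong, and adds the missing entry so the result can be re-exported. The function names and the sample profile are this example's own assumptions; the identifiers it checks for are the ones in the Kandji plist above.

```python
import plistlib
from urllib.parse import urlparse

TEAM_ID = "B7F62B65BN"
EXTENSION_ID = "com.okta.mobile.auth-service-extension"
# Both app identifiers from the Kandji example need the authsrv: domain.
REQUIRED_APP_IDS = (
    f"{TEAM_ID}.com.okta.mobile",
    f"{TEAM_ID}.com.okta.mobile.auth-service-extension",
)

# Constructed sample profile: a trimmed-down version of the Kandji plist with a
# placeholder org. The second ApplicationIdentifier is intentionally absent.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
<dict>
  <key>PayloadType</key><string>com.apple.associated-domains</string>
  <key>Configuration</key><array>
    <dict>
      <key>ApplicationIdentifier</key><string>B7F62B65BN.com.okta.mobile</string>
      <key>AssociatedDomains</key><array><string>authsrv:example.okta.com</string></array>
    </dict>
  </array>
</dict>
<dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key><string>com.okta.mobile.auth-service-extension</string>
  <key>TeamIdentifier</key><string>B7F62B65BN</string>
  <key>URLs</key><array>
    <string>https://example.okta.com/device-access/api/v1/nonce</string>
    <string>https://example.okta.com/oauth2/v1/token</string>
  </array>
</dict>
</array>
</dict></plist>
"""


def _payloads(profile: dict, payload_type: str) -> list:
    """All payload dicts of a given PayloadType inside the profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def audit_profile(profile: dict, okta_org: str) -> list:
    """Return a list of problems; an empty list means the profile matches the article."""
    findings = []
    expected_domain = f"authsrv:{okta_org}"

    # 1. Associated-domains payload: both app IDs must map to authsrv:<org>.
    configured = {}
    ad_payloads = _payloads(profile, "com.apple.associated-domains")
    if not ad_payloads:
        findings.append("no com.apple.associated-domains payload")
    for payload in ad_payloads:
        for entry in payload.get("Configuration", []):
            configured[entry.get("ApplicationIdentifier")] = entry.get("AssociatedDomains", [])
    for app_id in REQUIRED_APP_IDS:
        if app_id not in configured:
            findings.append(f"missing ApplicationIdentifier {app_id}")
        elif expected_domain not in configured[app_id]:
            findings.append(f"{app_id}: expected {expected_domain}, got {configured[app_id]}")

    # 2. Extensible SSO payload: Okta extension, Okta team ID, URLs on the same org.
    sso_payloads = _payloads(profile, "com.apple.extensiblesso")
    if not sso_payloads:
        findings.append("no com.apple.extensiblesso payload")
    for payload in sso_payloads:
        if payload.get("ExtensionIdentifier") != EXTENSION_ID:
            findings.append(f"unexpected ExtensionIdentifier {payload.get('ExtensionIdentifier')}")
        if payload.get("TeamIdentifier") != TEAM_ID:
            findings.append(f"unexpected TeamIdentifier {payload.get('TeamIdentifier')}")
        for url in payload.get("URLs", []):
            if urlparse(url).hostname != okta_org:
                findings.append(f"URL {url} does not point at {okta_org}")
    return findings


def add_missing_associated_domains(profile: dict, okta_org: str) -> dict:
    """Append any missing app identifier entry (with authsrv:<org>) to the first
    associated-domains payload, in place, and return the profile."""
    ad_payloads = _payloads(profile, "com.apple.associated-domains")
    if not ad_payloads:
        raise ValueError("profile has no com.apple.associated-domains payload to extend")
    config = ad_payloads[0].setdefault("Configuration", [])
    present = {entry.get("ApplicationIdentifier") for entry in config}
    for app_id in REQUIRED_APP_IDS:
        if app_id not in present:
            config.append({"ApplicationIdentifier": app_id,
                           "AssociatedDomains": [f"authsrv:{okta_org}"]})
    return profile


def audit_bytes(profile_bytes: bytes, okta_org: str) -> list:
    """Convenience wrapper: parse a .mobileconfig/plist and audit it."""
    return audit_profile(plistlib.loads(profile_bytes), okta_org)


def audit_sample(okta_org: str = "example.okta.com"):
    """Audit the constructed sample, repair it, re-audit, and return
    (findings_before, findings_after, repaired_plist_bytes)."""
    profile = plistlib.loads(SAMPLE_PROFILE)
    before = audit_profile(profile, okta_org)
    repaired = add_missing_associated_domains(profile, okta_org)
    return before, audit_profile(repaired, okta_org), plistlib.dumps(repaired)


if __name__ == "__main__":
    before, after, _ = audit_sample()
    print("before:", before)
    print("after: ", after)
```

Run against a real exported profile with `audit_bytes(open("profile.mobileconfig", "rb").read(), "yourorg.okta.com")`; the sample run reports the missing auth-service-extension entry first and an empty list once it has been added. The URL check is deliberately strict about the hostname, since a profile whose extensible SSO URLs point at a different org than its associated domains will not register cleanly.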
The PSSO enrollment banner will only be prompted for the MDM-managed user.
Locate the managed user on the device by:
- Checking in System Information > Software > Profiles, the MDM Profile should list the MDM-managed user.
The following terminal command lists all local users with their GeneratedUID; compare the UID shown in System Information against this list to confirm that it belongs to the end user:
```
dscl . -list /Users GeneratedUID
```