Extensible Single Sign-On Kerberos

Extensible Single Sign-On is an Apple feature that allows you to configure single sign-on for users accessing enterprise resources from iOS and macOS devices that are registered with Ivanti EPMM. App users on the device need to authenticate once. Users are not prompted for authentication for subsequent access.

Use this configuration to do single sign-on if your enterprise uses Kerberos authentication.

This configuration does not require an Ivanti Tunnel or a Sentry deployment.


  • An app, also referred to as an app extension, that performs the SSO is required.

  • The feature is supported with iOS 13.0 and macOS 10.15 or supported newer versions.

You configure Extensible Single Sign-On with Kerberos on the Admin Portal. Go to Policies & Configs > Configurations > Apple > iOS / macOS / tvOS > Extensible Single Sign-On Kerberos. To distribute the configuration, save and apply it to a label that contains the target devices.

The following table describes the fields and settings in the configuration.

Table 112.  Extensible Single Sign-On Kerberos field description




(Required) Enter a name that identifies this configuration.


Enter a description that clarifies the purpose of this configuration.


The Channel options are applicable to macOS only.

Select one of the following:

  • User: Select to apply to only specific users on the device.

  • Device: Select to apply to all users on the device.

The User option is not supported on macOS 10.15 devices.

Extensible Single Sign-On Kerberos

Principal Name

(Required) Enter the Kerberos Principal Name.


(Required) Enter the Kerberos Realm.


(Required) Select the certificate to use to renew the Kerberos credential.


Enter the Kerberos domain name that can be authenticated through the app extension.

Host or domain name matching is not case sensitive. The host and domain names must be unique. Hosts that begin with a “.” are wildcard suffixes. Wildcard suffixes match all sub-domains. Otherwise, the host or domain name must be an exact match.

Allow Automatic Login

Allows passwords to be saved in the keychain. By default, the option is selected.

If the option is deselected, passwords are not saved in the keychain.

Delay User Setup

Applicable to macOS 11 or supported newer versions.

Select the option so that users are not prompted to set up the app extension for Kerberos.

If the option is selected, users are prompted to set up the app extension for Kerberos only if the administrator enables the app extension with the app-SSO tool or the user sees a Kerberos challenge.

Require User Presence

Select the option to require users to provide Touch ID, Face ID, or their passcode to access the keychain entry.

Monitor Credential Cache

Applicable to macOS 11 or supported newer versions.

By default, the option is selected.

Deselect the option to request credentials on the next matching Kerberos challenge or network state change.

If the credentials expire, a new one is created.

Cache Name

Enter the Generic Security Service (GSS) name of the Kerberos cache to use.

Domain Realm Mapping


Select +Add to add a domain and DNS suffixes.

For Domain, enter the name of the realm.

For value, enter one or more DNS suffixes that map to the realm.

Default Realm

Enter the default realm if there is more than one Kerberos extension configuration.

Use Site Auto Discovery

The option is selected by default.

If selected, the Kerberos extension automatically uses LDAP and DNS to determine its Active Directory (AD) site name.

Site Code

Enter the name of the Active Directory site that the Kerberos extension should use.

Replication Time

Applicable to macOS 11 or supported newer versions.

Enter the time, in seconds, required to replicate changes in the Active Directory domain.

The Kerberos extension uses the configured replication time to check the password age.

Credential Bundle IDACL

Credential Bundle

Select Add+ to enter an app bundle ID allowed to access the Ticket Granting Ticket (TGT).

Include managed Apps in Bundle IdACL

Applicable to iOS 14 or supported newer versions.

Select the check box to allow only managed apps to access and use the credential.

This option is used in addition to the Credential Bundle.

Custom Username Label

Applicable to macOS 11 or supported newer versions.

Enter the custom user name label used in the Kerberos extension instead of "Username."

Help Text

Applicable to iOS 14 or supported newer versions.

Enter text to display at the bottom of the Kerberos login window.

The text can be a disclaimer or help information.

Credential Use Mode

Select one of the following options to specify how the Kerberos extension credential is used by other processes:

Always (default): The extension credential is always used if the service principal name (SPN) matches the Kerberos Extension Hosts array. The credential is not used if the calling app is not in the configured Credential Bundle.

When Not Specified: The credential is only used when another credential has not been specified by the caller and the SPN matches the Kerberos Extension Hosts array. The credential is not used if the calling app is not in the configured Credential Bundle.

Kerberos Default: The default Kerberos process for selecting credentials is used, which normally uses the default Kerberos credential. This is the same as turning off this capability.

Require TLS for LDAP

Select to require TLS for LDAP.

Password Settings

The Password Settings options are applicable to macOS 10.15 or supported newer versions.

Allow Password Change

The option is selected by default.

Deselect to disable password changes.

Password Change URL

Enter the URL to launch when users initiate a password change. The URL is launched in the user’s default web browser.

Allow Password Complexity

If selected, passwords must meet Active Directory's definition of "complex."

Minimum Password Length

Enter the minimum length, in characters, of passwords on the domain.

Password Expiry Notification

Enter the number of days prior to password expiration when a notification of password expiration is sent to the user.

The default value is 15 days.

Password Expiry Override

Enter the number of days that passwords can be used on this domain.

For most domains, this can be calculated automatically.

Password Required Text

Enter the domain's password requirements.

Use only if pwReqComplexity or pwReqLength are not specified.

Password History Count

Enter the number of prior passwords that cannot be re-used on this domain.

Password Minimum Age

Enter the minimum age, in days, of the password before it can be changed on this domain.

Allow Syncing Local Password

Select to enable password syncing.

The setting is not applied if the user is logged in with a mobile account.
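
The host matching rule and the Credential Use Mode options described in the table above, modelled in Python as an added example (this is not Ivanti or Apple code). The function names, mode labels, bundle IDs and sample hosts are assumptions made for illustration; the model assumes a wildcard suffix such as ".example.com" does not match the bare domain, and it does not cover the managed-apps option.

```python
# Added illustration of the host matching and Credential Use Mode rules.
# All names are hypothetical; this is not Apple's or Ivanti's implementation.
MODES = ("always", "when_not_specified", "kerberos_default")


def normalize_hosts(hosts):
    """Lower-case the host entries and enforce case-insensitive uniqueness."""
    seen = []
    for raw in hosts:
        entry = raw.strip().lower()
        if entry in ("", "."):
            raise ValueError(f"empty host entry: {raw!r}")
        if entry in seen:
            raise ValueError(f"duplicate host entry: {raw!r}")
        seen.append(entry)
    return seen


def host_matches(hosts, name):
    """Return the configured entry that covers `name`, or None.

    A leading "." marks a wildcard suffix that matches every sub-domain; any
    other entry must match exactly. Assumption: ".example.com" does not match
    the bare name "example.com".
    """
    name = name.strip().lower().rstrip(".")
    for entry in normalize_hosts(hosts):
        if entry.startswith("."):
            if name.endswith(entry) and name != entry:
                return entry
        elif name == entry:
            return entry
    return None


def extension_credential_applies(mode, hosts, bundle_acl, spn, caller,
                                 caller_cred=False):
    """True when the selected mode makes the extension credential the one used.

    False means the capability does not apply and normal Kerberos credential
    selection (or the caller's own credential) is used instead.
    spn looks like "HTTP/host@REALM"; bundle_acl is the Credential Bundle list.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "kerberos_default" or caller not in bundle_acl:
        return False
    host = spn.split("/", 1)[-1].split("@", 1)[0]
    if host_matches(hosts, host) is None:
        return False
    return mode == "always" or not caller_cred
```

The dot at the start of a wildcard suffix acts as a label boundary, so a name such as "evilcorp.example.com" is not covered by ".corp.example.com".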