Single Sign-On Configuration

Ivanti Neurons for MDM enables Extensible Single Sign-On (SSO) with the Extensible SSO and Extensible SSO Kerberos configurations. The implementation requires an app extension, such as Microsoft Authenticator, from the identity provider. With an Extensible SSO implementation, users need to authenticate only once when accessing enterprise resources; they are not prompted to authenticate for subsequent logins. For setup information for the intended identity provider, see Configure Identity Provider.

This section contains the following topics:

  • Single sign-on account settings
  • Extensible single sign-on account settings
  • Extensible single sign-on Kerberos account settings

Single sign-on account settings

Applicable to:

  • iOS 7.0 through the most recently released version as supported by Ivanti Neurons for MDM.
  • visionOS 1.1 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure Kerberos-based enterprise SSO for any managed app and Apple Safari browser on iOS devices.

This configuration requires Tunnel and Sentry. For more information, see "Setting up single sign-on with Kerberos" in the Tunnel for iOS Guide.

Setting

Description

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

User name

Enter the Kerberos principal name.

Kerberos realm name

Enter the Kerberos realm name.

Certificate

For iOS 8 with Gold license: Select the certificate to use to renew the Kerberos credential.

URL prefix matches

List of URL prefixes that must match in order to use this account for Kerberos authentication over HTTP.

Allowlist Applications for SSO

Add apps from the App Catalog to allowlist them for SSO.

For example, enter "Safari" to add Apple Safari.

If no apps are allowlisted for SSO using a configuration of this type, all apps that support iOS SSO can use SSO, including built-in iOS apps.

Extensible single sign-on account settings

Applicable to:

  • iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.

  • macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.

  • visionOS 1.1 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure the SSO extension profile with the generic extension type to enable SSO for native apps and websites with various authentication methods.

Extensible SSO does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.

Setting

Description

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Choose SSO type

Select one of the following SSO types:

  • Credentials

    • Enter one or more Host names or domain names that can be authenticated through the app extension. Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. Hosts that begin with a “.” are wildcard suffixes and will match all subdomains, otherwise the host must be an exact match.

    • Enter the Realm name. This value should be properly capitalized.

  • Redirect

    • Enter one or more URL prefixes of identity providers where the app extension performs SSO. The URLs must begin with http:// or https://; the scheme and host name are matched case-insensitively; query parameters and URL fragments are not allowed; and the URLs of all installed Extensible SSO payloads must be unique.

Extension Identifier

Enter the bundle identifier of the app extension that performs SSO for the specified URLs.

Team Identifier

Enter the team identifier of the app extension.

This key is required on macOS and ignored elsewhere.

Custom Data

Enter custom data as one or more key-value pairs.

Authentication Method

(Applicable only for macOS 13+)

  • Password

  • User Secure Enclave Key

Registration Token

Enter the token.

This field is enabled once you select one of the Authentication Methods.

Screen Locked Behavior

(Applicable to iOS 15.0+ and macOS 12.0+)

Select one of the following options:

  • Cancel: The system cancels authentication requests when the screen is locked.

  • Do Not Handle: The authentication request continues without SSO when the screen is locked.

Denied Bundle Identifiers

(Applicable to iOS 15.0+ and macOS 12.0+)

Add multiple bundle identifiers of apps that do not use the SSO provided by this extension. For example, com.company.appname.www.
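The host and URL-prefix rules listed under Choose SSO type, applied as a pre-push check over a set of payloads. This is an added Python example, not Ivanti or Apple code; the payload names, hosts and URLs are constructed samples.

```python
"""Check Extensible SSO payload values against the rules under
'Choose SSO type' (added example, not Ivanti or Apple code)."""
from urllib.parse import urlsplit


def host_matches(pattern, host):
    """Credentials type: a pattern starting with '.' is a wildcard suffix
    matching all subdomains; any other pattern must match exactly.
    Both are compared case-insensitively, as the documentation states."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def normalize_prefix(url):
    """Redirect type: the prefix must begin with http:// or https:// and
    carry no query parameters or fragment. Scheme and host are compared
    case-insensitively, so they are lower-cased; the path is kept as-is."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("prefix must begin with http:// or https://: %r" % url)
    if parts.query or parts.fragment:
        raise ValueError("query parameters and fragments are not allowed: %r" % url)
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def find_conflicts(payloads):
    """Return (value, first_payload, second_payload) for every host or URL
    prefix that appears in more than one installed payload; the
    documentation requires these values to be unique across payloads."""
    seen, conflicts = {}, []
    for name, cfg in payloads.items():
        values = [h.lower() for h in cfg.get("Hosts", [])]
        values += [normalize_prefix(u) for u in cfg.get("URLs", [])]
        for value in values:
            if value in seen and seen[value] != name:
                conflicts.append((value, seen[value], name))
            seen.setdefault(value, name)
    return conflicts


# Constructed sample payloads: names, hosts and URLs are hypothetical.
SAMPLE_PAYLOADS = {
    "SSO Credentials": {"Hosts": [".corp.example.com", "Intranet.Example.com"],
                        "Realm": "CORP.EXAMPLE.COM"},
    "SSO Redirect": {"URLs": ["https://Login.idp.example.com/"]},
    "Legacy Redirect": {"URLs": ["https://login.idp.example.com/"]},
}
```

Running `find_conflicts(SAMPLE_PAYLOADS)` reports the redirect prefix that the two Redirect payloads share once scheme and host are lower-cased, which is exactly the overlap the uniqueness rule forbids.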

Applicable to: macOS 14.0 through the most recently released version as supported by Ivanti Neurons for MDM.

Setting

Description

Account Display Name

Enter a name for the account that displays in notifications and authentication requests.

Additional Groups

Enter the names of the groups that will not have administrator access.

Administrator Groups

Enter the name of the group that has administrator access.

Authentication Method

Select one of the authentication methods from the drop-down list:

  • Password

  • User Secure Enclave Key

  • Smart Card

Authorization Groups

Enter the authorization right for a group name.

Enable Authorization

Select the checkbox to enable authorization prompts for administrator groups, authorization groups, or additional groups.

Enable Create User At Login

Select the checkbox to enable the creation of new users during login by using a password or smart card as an authentication method.

Login Frequency

The duration, in seconds, until the system requires a full login instead of a refresh.

The default value is 64,800 (18 hours). The minimum value is 3,600 (1 hour).

New User Authorization Mode

Select one of the authorization modes for a new user from the drop-down list:

  • Standard: The account is for a standard user.

  • Admin: The system adds the account to the local administrator’s group.

  • Groups: The system automatically groups the new user under the administrator group, authorization group, or additional group.

Token To User Mapping

Enter the account name and the full name of the new users to map them for authorization.

User Authorization Mode

Select one of the authorization modes for a user from the drop-down list:

  • Standard: The account is for a standard user.

  • Admin: The system adds the account to the local administrator’s group.

  • Groups: The system automatically groups the new user under the administrator group, authorization group, or additional group.

Use Shared Device Keys

Select the checkbox to enable the same login and encryption keys for all users.

Applicable to: macOS 14.0 through the most recently released version as supported by Ivanti Neurons for MDM.

To view the Extensible single sign-on account settings, select Password from the Authentication Method drop-down list.

Setting

Description

FileVault Policy

Enable the policy to view the following settings:

  • Attempt Authentication

  • Require Authentication

    Select the Require Authentication checkbox to enable additional configuration settings.

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

Login Policy

Enable the policy to view the following settings:

  • Attempt Authentication

  • Require Authentication

    Select the Require Authentication checkbox to enable additional configuration settings.

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

Unlock Policy

Enable the policy to view the following settings:

  • Attempt Authentication

  • Require Authentication

    Select the Require Authentication checkbox to enable additional configuration settings.

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

  • Allow TouchID Or Watch For Unlock

Authentication Grace Period

Enter the amount of time after selecting one of the policies to use unregistered local accounts.

If you select the Allow Authentication Grace Period checkbox in one of the policies, it becomes a mandatory field.

Offline Grace Period

Enter the amount of time after selecting one of the policies to use an offline local account password after a successful Platform SSO login.

If you select the Allow Offline Grace Period checkbox in one of the policies, it becomes a mandatory field.

Non Platform SSO Accounts

Select + Add to enter the list of usernames that are not subject to FileVault, Login, or Unlock policies.

Extensible single sign-on Kerberos account settings

Applicable to:

  • iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.

  • macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.

  • visionOS 1.1 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure an app extension that performs SSO with the Kerberos extension.

Extensible SSO Kerberos does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.

Setting

Description

Basic Settings

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

User name

Enter the Kerberos principal name.

Realm

Enter the Kerberos realm name.

Certificate

Select the certificate to use to renew the Kerberos credential.

URL Prefixes

List of URL prefixes that must match in order to use this account for Kerberos authentication over HTTP.

Advanced Settings

Allow Automatic Login

If false, passwords are not allowed to be saved to the keychain.

By default, this option is enabled.

Delay User Setup

If true, doesn’t prompt the user to set up the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM.

Require User Presence

If true, requires the user to provide Touch ID, Face ID, or their passcode to access the keychain entry.

Monitor Credential Cache

If false, the credential is requested on the next matching Kerberos challenge or network state change. If the credential is expired or missing, a new one will be created. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM.

By default, this option is enabled.

Cache Name

Enter the Generic Security Service (GSS) name of the Kerberos cache to use. This option is now deprecated.

Domain Realm Mapping

Enter the name of the realm as the key. The value is an array of DNS suffixes that map to the realm.

Click + Add to add one or more key-value pairs.

Default Realm

This property specifies the default realm if there is more than one Kerberos extension configuration.

Use Site Auto Discovery

If false, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name.

By default, this option is enabled.

Site Code

Enter the name of the Active Directory site the Kerberos extension should use.

Replication Time

Enter the time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension will use this when checking password age after a change. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. This option is now deprecated.

Credential Bundle ID ACL

Click + Add to add a list of bundle IDs allowed to access the Ticket Granting Ticket (TGT) for authentication.

Include Managed Apps in Bundle ID ACL

If true, the Kerberos extension will allow only managed apps to access and use the credential. This is in addition to the Credential Bundle ID ACL, if it is specified. This option is applicable to iOS 14 through the latest version as supported by Ivanti Neurons for MDM.

Include Kerberos Apps in Bundle ID ACL

If true, the Kerberos extension allows the standard Kerberos utilities, including Ticket Viewer and klist, to access and use the credential. Available in macOS 12 and later.

Custom Username Label

Enter the custom user name label used in the Kerberos extension instead of "Username." For example, "Company ID." This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM.

Help Text

Enter the text to be displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text. This option is applicable to iOS 14 and macOS 11 through the latest version as supported by Ivanti Neurons for MDM.

Credential Use Mode

This setting affects how the Kerberos Extension credential is used by other processes. Use one of the following:

  • Always (default) - The extension credential will always be used if the service principal name (SPN) matches the Kerberos Extension Hosts array. The credential will not be used if the calling app is not in credentialBundleIDACL.

  • When Not Specified - The credential will only be used when another credential has not been specified by the caller and the SPN matches the Kerberos Extensions Hosts array. The credential will not be used if the calling app is not in credentialBundleIDACL.

  • Kerberos Default - The default Kerberos process for selecting credentials is used, which normally uses the default Kerberos credential. This is the same as turning off this capability.
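The three Credential Use Mode rules above, written out as a decision function so the interaction between mode, Hosts array and ACL can be checked for a given caller. This is an added Python example, not Apple or Ivanti code; it assumes the host part of the SPN is what is matched against the Hosts array and that an empty ACL imposes no caller restriction, and the SPN, hosts and bundle IDs are constructed samples.

```python
"""Decide whether the Kerberos extension credential is handed to a caller,
following the three Credential Use Mode rules (added example, not Apple or
Ivanti code). Assumptions: the SPN's host part is matched against the Hosts
array, and an empty ACL means no caller restriction."""

ALWAYS = "Always"
WHEN_NOT_SPECIFIED = "When Not Specified"
KERBEROS_DEFAULT = "Kerberos Default"


def spn_host(spn):
    """'HTTP/intranet.example.com@CORP.EXAMPLE.COM' -> 'intranet.example.com'."""
    return spn.split("/", 1)[-1].split("@", 1)[0].lower()


def host_in_hosts(host, hosts):
    """Same rule as the Extensible SSO Hosts array: a leading '.' matches
    all subdomains, anything else must match exactly, case-insensitively."""
    host = host.lower()
    return any(host.endswith(h.lower()) if h.startswith(".") else host == h.lower()
               for h in hosts)


def use_extension_credential(mode, spn, hosts, caller_bundle_id, acl,
                             caller_specified_credential=False):
    """Return True when the extension's credential should be used for this call."""
    if mode == KERBEROS_DEFAULT:
        return False            # normal Kerberos credential selection applies
    if not host_in_hosts(spn_host(spn), hosts):
        return False            # SPN is outside this configuration's Hosts
    if acl and caller_bundle_id not in acl:
        return False            # caller is not in credentialBundleIDACL
    if mode == WHEN_NOT_SPECIFIED and caller_specified_credential:
        return False            # caller already named a credential of its own
    return mode in (ALWAYS, WHEN_NOT_SPECIFIED)


# Constructed sample: hosts, bundle IDs and SPN are hypothetical.
SAMPLE_HOSTS = [".corp.example.com"]
SAMPLE_ACL = ["com.example.mailclient", "com.example.browser"]
SAMPLE_SPN = "HTTP/intranet.corp.example.com@CORP.EXAMPLE.COM"
```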

(Optional) Select Require TLS for LDAP.

Preferred Key Distribution Centers

Click + Add to add one or more preferred Key Distribution Centers (KDCs).

Allow Platform SSO Auth Fallback

If true and Use Platform SSO TGT is true, allows the user to manually sign in. Available in macOS 13 and later.

Perform Kerberos Only

If true, the Kerberos extension handles Kerberos requests only. Available in macOS 13 and later.

Use Platform SSO TGT

If true, this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later.

Configure Switch to Password mode

If true, allows the user to switch the user interface to Password mode. Available in macOS 15 and later.

Configure Switch to Smart Card mode

If true, allows the user to switch the user interface to Smart Card mode. Available in macOS 15 and later.

Configure Start in Smart Card mode

If true, the user interface starts in Smart Card mode. Available in macOS 15 and later.

Identity Issuer Auto Select Filter

Filters the list of available Smart Cards. Available in macOS 15 and later.

Password Settings

Allow Password Change

If false, disables password changes. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

By default, this option is enabled.

Password Change URL

Enter the URL to be launched in the user’s default web browser when they initiate a password change. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Allow Password Complexity

If true, passwords must meet Active Directory's definition of "complex." This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Minimum Password Length

Enter the minimum length (in characters) of passwords on the domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Password Expiry Notification

Enter the number of days prior to password expiration when a notification of password expiration will be sent to the user. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

The default value is 15 days.

Password Expiry Override

Enter the number of days that passwords can be used on this domain. For most domains, this can be calculated automatically. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. This option is now deprecated.

Password Required Text

Enter the text version of the domain's password requirements. Only for use if pwReqComplexity or pwReqLength aren’t specified. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Password History Count

Enter the number of prior passwords that cannot be re-used on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Password Minimum Age

Enter the minimum age (in days) of passwords before they can be changed on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Allow Syncing Local Password

If false, disables password sync.

This will not work if the user is logged in with a mobile account. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

Password Requirement RTF data

RTF file formatted version of the domain’s password requirements. Available in macOS 15 and later.

Only for use if pwReqComplexity or pwReqLength are not specified.

For more information, see How to create a configuration.