Single Sign-on MDM payload settings for Apple devices
You can configure single sign-on settings for iPhone and iPad devices enrolled in a mobile device management (MDM) solution. Use the Single Sign-on payload to define Kerberos account information when accessing servers or specified apps.
Single sign-on is a concept based on Kerberos, where authentication to services running on various servers is granted by a Kerberos Key Distribution Center (KDC). This is based on a trust relationship between the servers and the account. Active Directory uses single sign-on to authenticate to additional servers that they trust. For more information, see Intro to Single Sign-on with Apple devices.
The Single Sign-on payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.sso
Supported operating systems and channels: iOS, iPadOS.
Supported enrollment methods: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Single Sign-on payload can be delivered to a device.
You can use the settings in the table below with the Single Sign-on payload.
Setting | Description | Required
---|---|---
Account Name | Name of the user account—for example, Alex Hunter. | Yes
Principal Name | Kerberos principal name for the user account—for example, alexhunter@SERVER.betterbag.COM | Yes
Realm | The full Kerberos realm where the user’s account is located. | Yes
Renewal Certificate payload | The Certificates payload used to silently renew a Kerberos ticket. | No
URL patterns | URLs to be used with this account. Any URLs that don’t match the pattern won’t be contacted. | No
Specific apps | Apps that can take advantage of Single Sign-On can be listed here by their app identifier. | No
Note: Each MDM vendor implements these settings differently. To learn how Single Sign-On settings are applied to your devices, consult your MDM vendor’s documentation.
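The following is an added example, not Apple's or any MDM vendor's code: a pre-deployment check that reads a configuration profile and reviews its Single Sign-on payload against the settings in the table above. The plist key names (`Name`, `Kerberos`, `PrincipalName`, `Realm`, `URLPrefixMatches`, `AppIdentifierMatches`) are assumed from Apple's configuration profile schema for `com.apple.sso` and do not appear on this page; the sample profile and its values are constructed.

```python
import plistlib

SSO_TYPE = "com.apple.sso"  # payload identifier stated on the page

# Constructed sample profile (not from the page). Key names are an assumption
# taken from Apple's configuration profile schema for com.apple.sso.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": SSO_TYPE,
        "Name": "Alex Hunter",
        "Kerberos": {
            "PrincipalName": "alexhunter@EXAMPLE.COM",
            "Realm": "EXAMPLE.COM",
            "URLPrefixMatches": ["https://intranet.example.com/",
                                 "http://wiki.example.com/"],
            "AppIdentifierMatches": ["com.example.mail", "com.example.*"],
        },
    }],
})

def lint_sso_profile(profile_bytes):
    """Return a list of review findings for the Single Sign-on payload(s)."""
    profile = plistlib.loads(profile_bytes)
    sso = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == SSO_TYPE]
    findings = []
    if len(sso) > 1:  # "Duplicates allowed: False"
        findings.append("duplicate: only one Single Sign-on payload can be delivered")
    for payload in sso:
        krb = payload.get("Kerberos", {})
        # Account Name, Principal Name and Realm are the required settings.
        for label, value in (("Name", payload.get("Name")),
                             ("PrincipalName", krb.get("PrincipalName")),
                             ("Realm", krb.get("Realm"))):
            if not value:
                findings.append(f"missing required setting: {label}")
        for url in krb.get("URLPrefixMatches", []):
            if url.startswith("http://"):  # account usable over cleartext HTTP
                findings.append(f"cleartext URL pattern: {url}")
            elif not url.startswith("https://"):
                findings.append(f"URL pattern without http(s) scheme: {url}")
        for app in krb.get("AppIdentifierMatches", []):
            if app.endswith("*"):  # prefix match widens which apps may use SSO
                findings.append(f"wildcard app identifier: {app}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_sso_profile(SAMPLE_PROFILE)))
```

The findings are review prompts rather than hard failures: a wildcard app identifier or an `http://` pattern may be intentional, but each one broadens where the Kerberos account can be used.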