Extensible Single Sign-On Kerberos MDM payload settings for Apple devices
Use the Extensible Single Sign-On Kerberos payload to define extensions for multifactor user authentication on iPhone, iPad, and Mac devices enrolled in a mobile device management (MDM) solution. This payload must be user approved.
This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured using MDM, the user authenticates once, then gains access to subsequent native apps and websites automatically. The following other features can be used with the Extensible Single Sign-On Kerberos payload when implemented by the developer:
In addition to the Extensible Single Sign-On Kerberos for third-party developers, iOS 13, iPadOS 13.1, and macOS 10.15 feature a built-in Kerberos extension that can be used to log users into native apps as well as websites that support Kerberos authentication.
macOS domains should be managed with the Associated Domains payload.
Note: This payload can be installed only by an MDM solution.
The unique bundle ID for the app. This must be com.apple.AppSSOKerberos.KerberosExtension.
The unique team ID for the app. This must be apple.
This value must be Credential.
The full Kerberos realm where the user’s account is located.
Approved domains that can be authenticated with the app extension.
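A pre-deployment check for the settings above, as an added example that is not Apple's code. The key names (`ExtensionIdentifier`, `TeamIdentifier`, `Type`, `Realm`, `Hosts`) and the payload type `com.apple.extensiblesso` are taken from Apple's device-management schema and do not appear on this page. The sample profile is constructed, and the rule that `Hosts` entries are bare domain names is an assumption.

```python
import plistlib

# Fixed values stated on this page for the built-in Kerberos extension.
REQUIRED = {
    "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
    "TeamIdentifier": "apple",
    "Type": "Credential",
}

def validate_kerberos_sso(payload: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    for key, expected in REQUIRED.items():
        if payload.get(key) != expected:
            problems.append(f"{key} must be {expected!r}, got {payload.get(key)!r}")
    realm = payload.get("Realm")
    if not isinstance(realm, str) or not realm.strip():
        problems.append("Realm must be a non-empty string")
    hosts = payload.get("Hosts")
    if not isinstance(hosts, list) or not hosts:
        problems.append("Hosts must be a non-empty list of approved domains")
    else:
        for h in hosts:
            # Assumption: entries are bare host or domain names, not URLs.
            if not isinstance(h, str) or not h or "/" in h or ":" in h or " " in h:
                problems.append(f"Hosts entry {h!r} is not a bare domain name")
    return problems

def load_and_validate(profile_bytes: bytes) -> dict:
    """Map PayloadIdentifier -> problems for each SSO payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    return {p.get("PayloadIdentifier", "?"): validate_kerberos_sso(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"}

# Constructed sample profile: realm, hosts and identifiers are placeholders.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.extensiblesso",
     "PayloadIdentifier": "example.sso.good",
     "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
     "TeamIdentifier": "apple", "Type": "Credential",
     "Realm": "CORP.EXAMPLE.COM", "Hosts": [".corp.example.com"]},
    {"PayloadType": "com.apple.extensiblesso",
     "PayloadIdentifier": "example.sso.bad",
     "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
     "TeamIdentifier": "Apple", "Type": "Redirect",
     "Realm": "CORP.EXAMPLE.COM", "Hosts": ["https://intranet.example.com/"]},
]})
```

`load_and_validate(SAMPLE)` returns an empty problem list for the first payload and three problems for the second: the miscapitalized team ID, the wrong sign-on type, and the URL in the approved domains.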