
WWDC26 identity integration updates
Note: The features discussed on this page are pre-release versions and may be incomplete, changed, or removed before final release.
The content below is listed in order of operating system versions, then the number of operating systems affected:
Extensible SSO configuration
On devices with iOS 27, iPadOS 27, macOS 27, and visionOS 27, a new com.apple.configuration.extensible-sso configuration brings Extensible SSO (iOS, iPadOS, macOS, visionOS) and Platform SSO settings (macOS only) to declarative device management.
Web-based authentication with Platform Single sign-on
On a Mac with macOS 27, IT teams can deploy modern, phishing-resistant, and flexible authentication methods with web-based authentication. When OpenID is configured for UserCreation.NewUserAuthenticationMethods (configuration) or NewUserAuthenticationMethods (profile), macOS displays a web view that renders the sign-in form of the identity provider (IdP) at FileVault unlock, at the Lock Screen, and at the login window. The web view supports multi-step and multi-factor authentication flows as well as QR code sign-in.
QR code sign-in provides a quick authentication method using the built-in camera or an attached camera, for example, to support students logging in to a Mac for a class or users logging in to Mac computers used as kiosks. To help protect the user’s privacy, macOS uses a secure system process and shares only the scanned code with the IdP. The IdP treats this code as text; it can represent a token, a URL, or any other factor the IdP requires.
During the web-based authentication process, only URLs permitted by the IT team using one of the following keys can be loaded:
Configuration: WebAuthentication.URLAllowList
Profile: WebLoginURLAllowList
Each URL needs to be fully defined using its fully qualified domain name (FQDN) and include the scheme and host, for example, https://login.idp.com.
Note: Wildcards aren’t supported.
If web-based authentication is unavailable, for example, when the Mac is offline, users can use their local account password to authenticate for a number of days defined by the IT team using one of the following keys:
Configuration: Policies.OfflineGracePeriod
Profile: OfflineGracePeriod
A password entered during the web-based authentication flow can be synced with the local user account. This requires:
Support by the IdP.
IT teams allow the feature using one of the following keys:
Configuration: WebAuthentication.AllowPasswordSync
Profile: AllowWebLoginPasswordSync
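The three keys above (URL allow list, offline grace period, password sync) are the ones an admin has to get right before a web-based authentication declaration ships. The following is an added example, not Apple's code and not taken from this page: a small pre-deployment lint that applies the rules stated here (every allow-list entry fully qualified with scheme and host, no wildcards, a grace period expressed as a number of days) and a helper that shows what "no wildcards" means for a URL the web view is asked to load. The declaration shape is constructed: it assumes the dotted key names map to nested dictionaries under the declaration's Payload, and the identifier and hostnames are placeholders.

```python
"""Pre-deployment lint for a Platform SSO web-authentication declaration.

Added example, not Apple's code. The payload layout below is an assumption:
the page's dotted keys (WebAuthentication.URLAllowList, Policies.OfflineGracePeriod,
WebAuthentication.AllowPasswordSync) are modelled as nested dictionaries inside
"Payload"; the shipping schema may nest them differently.
"""
from urllib.parse import urlsplit

# Constructed sample declaration; identifier and hostnames are placeholders.
SAMPLE_DECLARATION = {
    "Type": "com.apple.configuration.extensible-sso",
    "Identifier": "example-psso-webauth",
    "Payload": {
        "WebAuthentication": {
            "URLAllowList": [
                "https://login.idp.example",
                "https://mfa.idp.example",
            ],
            "AllowPasswordSync": True,  # only meaningful if the IdP supports sync
        },
        "Policies": {"OfflineGracePeriod": 7},  # days of local-password fallback
    },
}


def allowlist_problems(urls):
    """Return (url, reason) pairs for entries that break the page's rules:
    no wildcards, and each entry must carry a scheme and a fully qualified host."""
    problems = []
    for url in urls:
        parts = urlsplit(url)
        if "*" in url:
            problems.append((url, "wildcards are not supported"))
        elif not parts.scheme or not parts.netloc:
            problems.append((url, "must include scheme and host, e.g. https://login.idp.com"))
        elif parts.scheme != "https":
            # This example's own hardening rule, not a rule stated on the page:
            # an IdP sign-in page should only ever be reached over TLS.
            problems.append((url, "IdP sign-in pages should use https"))
    return problems


def url_is_allowed(url, allowlist):
    """Decide whether the web view may load `url`.

    Assumption about how the list is applied: scheme and host of the requested
    URL must equal an entry exactly. Because wildcards are not supported, a
    subdomain of an allowed host does not match, and neither does the same host
    over a different scheme."""
    req = urlsplit(url)
    for entry in allowlist:
        ent = urlsplit(entry)
        if (req.scheme, req.netloc.lower()) == (ent.scheme, ent.netloc.lower()):
            return True
    return False


def lint_declaration(decl):
    """Collect human-readable findings for a declaration; an empty list means OK."""
    findings = []
    payload = decl.get("Payload", {})
    web = payload.get("WebAuthentication", {})
    urls = web.get("URLAllowList", [])
    if not urls:
        findings.append("URLAllowList is empty: no IdP page can load during web-based authentication")
    for url, reason in allowlist_problems(urls):
        findings.append(f"URLAllowList entry {url!r}: {reason}")
    grace = payload.get("Policies", {}).get("OfflineGracePeriod")
    if grace is None:
        findings.append("OfflineGracePeriod not set: the offline local-password window is undefined here")
    elif isinstance(grace, bool) or not isinstance(grace, int) or grace < 0:
        findings.append(f"OfflineGracePeriod must be a non-negative number of days, got {grace!r}")
    return findings


if __name__ == "__main__":
    for line in lint_declaration(SAMPLE_DECLARATION) or ["no findings"]:
        print(line)
    allow = SAMPLE_DECLARATION["Payload"]["WebAuthentication"]["URLAllowList"]
    print(url_is_allowed("https://login.idp.example/oauth2/authorize", allow))  # True
    print(url_is_allowed("https://sso.login.idp.example/", allow))              # False
```

The origin-equality check in `url_is_allowed` is the practical consequence of "wildcards aren't supported": every host the IdP redirects through during a multi-step flow (a separate MFA host, for instance) needs its own entry, which is why the sample lists two.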
Login window network access on macOS
On a supervised Mac with macOS 27, IT teams can allow users to connect a different network and authenticate with captive portals at FileVault unlock, at the Lock Screen, and the login window. This change helps shared Mac computers configured for Platform SSO use features like web-based authentication or Authenticated Guest Mode, which require the Mac to connect to the identity provider (IdP) to perform the authentication.
There are two new keys in the com.apple.applicationaccess (Restrictions) profile to allow this feature:
ForceWifiConfigurationOnLockScreen: This allows users to select a different Wi-Fi network. The default is FALSE.
ForceCaptivePortalConnectionFromLockScreen: This allows Wi-Fi captive portal authentication. The default is FALSE.
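Both keys default to FALSE, so a shared Mac that relies on web-based authentication or Authenticated Guest Mode silently loses IdP reachability at the login window unless the Restrictions payload sets them. The following is an added example, not Apple's code: an audit of a .mobileconfig that resolves the effective value of each key (absent means FALSE), rejects non-boolean values, and flags the key being set in more than one Restrictions payload. The profile bytes are constructed with plistlib, and the PayloadIdentifier and PayloadUUID values are placeholders.

```python
"""Audit a Restrictions (com.apple.applicationaccess) profile for the two
lock-screen network keys. Added example, not Apple's code; the profiles below are
constructed and their identifiers/UUIDs are placeholders."""
import plistlib

KEYS = (
    "ForceWifiConfigurationOnLockScreen",
    "ForceCaptivePortalConnectionFromLockScreen",
)


def _profile(restrictions_payloads):
    """Build a minimal constructed .mobileconfig around the given Restrictions payloads."""
    content = []
    for n, settings in enumerate(restrictions_payloads, start=1):
        payload = {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": f"example.lockscreen-network.restrictions{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-0000000000{n:02d}",
            "PayloadVersion": 1,
        }
        payload.update(settings)
        content.append(payload)
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.lockscreen-network",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000ff",
        "PayloadVersion": 1,
        "PayloadContent": content,
    })


# Constructed: enables Wi-Fi selection only; captive portal key left at its default.
SAMPLE_MOBILECONFIG = _profile([{"ForceWifiConfigurationOnLockScreen": True}])

# Constructed: a common mistake (string instead of boolean) plus a duplicated key.
SAMPLE_MOBILECONFIG_BAD = _profile([
    {"ForceCaptivePortalConnectionFromLockScreen": "true"},
    {"ForceWifiConfigurationOnLockScreen": True},
    {"ForceWifiConfigurationOnLockScreen": False},
])


def audit_lock_screen_network(mobileconfig_bytes):
    """Return (effective, problems).

    effective: {key: bool} with the documented default FALSE for unset keys.
    problems: strings describing non-boolean values or a key set in more than
    one Restrictions payload (the last boolean seen wins in `effective`, but the
    conflict is reported so the admin resolves it rather than relying on order)."""
    profile = plistlib.loads(mobileconfig_bytes)
    effective = {k: False for k in KEYS}
    seen = {k: 0 for k in KEYS}
    problems = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in KEYS:
            if key not in payload:
                continue
            value = payload[key]
            if not isinstance(value, bool):
                problems.append(f"{key} must be a boolean, got {value!r}")
                continue
            seen[key] += 1
            effective[key] = value
    for key, count in seen.items():
        if count > 1:
            problems.append(f"{key} is set in {count} Restrictions payloads; resolve to one value")
    return effective, problems


def idp_reachable_from_lock_screen(effective):
    """True when both keys are on, i.e. a user at the login window can both pick
    a network and clear its captive portal before the IdP sign-in is attempted."""
    return all(effective[k] for k in KEYS)


if __name__ == "__main__":
    eff, probs = audit_lock_screen_network(SAMPLE_MOBILECONFIG)
    print(eff, probs, idp_reachable_from_lock_screen(eff))
    print(audit_lock_screen_network(SAMPLE_MOBILECONFIG_BAD))
```

Run against the good sample, the audit reports Wi-Fi selection on and captive-portal authentication off with no problems, which is exactly the state where a hotel or campus guest network still blocks the IdP; `idp_reachable_from_lock_screen` makes that gap visible before the Mac is handed to a user.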
Touch ID required for Platform SSO
Many organizations consider biometric authentication one of the strongest authentication factors because it relies on unique physical traits rather than shared knowledge and forms the core of a multi-factor authentication strategy.
On a supervised Mac with macOS 27, organizations can require Touch ID—or alternatively Apple Watch unlock—as an additional factor at every critical macOS authentication entry point to help deliver phishing-resistant biometric multi-factor authentication (MFA) without additional infrastructure. IT teams can set the new RequireTouchID or RequireTouchIDOrWatch option individually within the Platform SSO FileVault, Lock Screen, and login window login policy. Touch ID can be required when Platform SSO authentication is configured to use a Secure Enclave–backed key or password.
If Touch ID isn’t available, organizations can allow web-based authentication as a fallback. If neither Touch ID nor web-based authentication is available, the user can’t log in.
FileVault for Authenticated Guest Mode
On a shared Mac with macOS 27, FileVault now supports Authenticated Guest Mode. This allows temporary, IdP-authenticated users to unlock FileVault and access the Mac, supporting shared Mac deployments where compliance requires full-disk encryption.
Because authentication is done by the IdP, the Mac needs to have an active network connection and be able to reach the IdP.
Authenticated Guest Mode for Shared iPad
Later this year, Authenticated Guest Mode will be available on Shared iPad. When configured for Temporary Session Only mode, Authenticated Guest Mode on Shared iPad supports temporary sessions after authenticating with a Managed Apple Account. This creates a faster login experience, automatically allows SSO in supported apps, and doesn’t require configuration of user storage quotas on the device.
Users sign in with their Managed Apple Account using native authentication or federated authentication with an IdP. If a passcode policy is applied, the user is prompted to set a session-specific passcode that meets any configured passcode complexity requirements. This passcode can then be used to unlock an active session. When users sign out, all local data, the session passcode, and the Managed Apple Account are automatically removed from the iPad.
Note: Using Authenticated Guest Mode doesn’t require the user to define a passcode for Shared iPad. It uses authentication with the IdP and a session passcode instead.
Microsoft Graph API support
Microsoft announced the upcoming end of service for Exchange Web Services (EWS) in Exchange Online. Apple is actively working with Microsoft to update Mail, Calendar, Contacts, Notes, and Reminders to use the Graph API in a future update to macOS 27, including a declarative configuration for device management services.
Microsoft has documented options for organizations to continue using EWS beyond October 2026. For more information, see Exchange Online EWS, Your Time is Almost Up on the Exchange Team Blog.
Shared Signals Framework updates
IdPs need to stay synchronized with the Apple federation infrastructure as security standards evolve. Apple’s Shared Signals Framework (SSF) support has been updated to align with the ratified OpenID Shared Signals Framework Specification 1.0.