
Single Sign-On payload settings for Apple devices
You can configure single sign-on settings for iPhone and iPad devices enrolled in a mobile device management (MDM) solution. Use the Single Sign-On payload to define the Kerberos account information used when accessing servers or specified apps.
Single sign-on is a concept based on Kerberos, in which an account is granted authentication to services running on various servers. It relies on a trust relationship between the servers and the account. Active Directory uses single sign-on to authenticate to additional servers that it trusts.
Note: This payload is unavailable in Apple Configurator 2.

| OS and channel | Supported enrolment types | Interaction | Duplicates |
|---|---|---|---|
| iOS, iPadOS | User, Device, Automated Device | Exclusive | Single |

| Setting | Description | Required |
|---|---|---|
| Account Name | Name of the user account — for example, Alex Hunter. | Yes |
| Principal Name | Kerberos principal name for the user account — for example, alexhunter@SERVER.EXAMPLE.COM | Yes |
| Realm | The full Kerberos realm where the user’s account is located. | Yes |
| Renewal Certificate payload | The certificate payload used to silently renew a Kerberos ticket. | No |
| URL patterns | URLs to be used with this account. Any URLs that don’t match the pattern won’t be contacted. | No |
| Specific apps | Apps that can take advantage of single sign-on can be listed here by their app identifier. | No |
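
The settings in the table can be assembled and checked before a profile is handed to the MDM solution. The following is an added example, not code from this page or from Apple: it builds the payload dictionary, enforces the three required settings, and flags a principal whose realm disagrees with the Realm setting and URL patterns that use cleartext HTTP. The key names (`com.apple.sso`, `Kerberos`, `URLPrefixMatches`, `AppIdentifierMatches`, `PayloadCertificateUUID`) and the `http://`/`https://` prefix rule are taken from Apple's profile payload format and do not appear on this page; the function names, URL, app identifier and payload identifier are constructed.

```python
import plistlib
import uuid

# Key names below come from Apple's com.apple.sso payload format, not this page.
def build_sso_payload(account_name, principal, realm,
                      url_patterns=(), app_ids=(), renewal_cert_uuid=None):
    """Return (payload, warnings) for one Single Sign-On payload."""
    # Account Name, Principal Name and Realm are marked Required in the table.
    for label, value in (("Account Name", account_name),
                         ("Principal Name", principal), ("Realm", realm)):
        if not value:
            raise ValueError(f"{label} is required")
    warnings = []
    # A principal written as user@REALM should agree with the Realm setting.
    if "@" in principal and principal.rsplit("@", 1)[1] != realm:
        warnings.append("principal realm differs from Realm")
    for pattern in url_patterns:
        # Assumption (Apple's payload reference): http:// or https:// prefix.
        if not pattern.startswith(("http://", "https://")):
            raise ValueError(f"bad URL pattern: {pattern}")
        if pattern.startswith("http://"):
            warnings.append(f"cleartext HTTP pattern: {pattern}")
    kerberos = {"PrincipalName": principal, "Realm": realm}
    if url_patterns:
        kerberos["URLPrefixMatches"] = list(url_patterns)
    if app_ids:
        kerberos["AppIdentifierMatches"] = list(app_ids)
    if renewal_cert_uuid:
        kerberos["PayloadCertificateUUID"] = renewal_cert_uuid
    payload_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadUUID": payload_uuid,
        "PayloadIdentifier": f"com.example.sso.{payload_uuid}",  # constructed
        "Name": account_name,
        "Kerberos": kerberos,
    }
    return payload, warnings

def to_plist(payload):
    return plistlib.dumps(payload)  # XML property list bytes

if __name__ == "__main__":
    # Constructed sample values; the URL and app identifier are placeholders.
    sample, notes = build_sso_payload(
        "Alex Hunter", "alexhunter@SERVER.EXAMPLE.COM", "SERVER.EXAMPLE.COM",
        ["https://intranet.example.com/"], ["com.example.app"])
    print(to_plist(sample).decode(), notes)
```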