Using the Single Sign-on extension with Apple devices
The Kerberos Single Sign-on (SSO) extension makes it easy to use Kerberos-based single sign-on with your organization’s iOS or iPadOS devices and Mac computers by simplifying the process of acquiring a Kerberos ticket-granting ticket (TGT) from your Active Directory domain, allowing users to seamlessly authenticate to resources like websites, apps, and file servers. The Kerberos SSO extension also helps your users manage their Active Directory accounts.
The Kerberos SSO extension should be used with an on-premise Active Directory domain. To use the Kerberos SSO extension, the device doesn’t need to be joined to an Active Directory domain.
iOS 13, iPadOS 13.1, or macOS 10.15 or later
An Active Directory domain must run in Windows Server 2008 or greater functional mode. The Kerberos SSO extension isn’t intended for use with Microsoft Azure Active Directory. It requires a traditional on-premise Active Directory domain.
Access to the network where the Active Directory domain is hosted. This network access can be Wi-Fi, Ethernet, or VPN.
Devices must be managed with a mobile device management (MDM) solution which has support for the Extensible Single Sign-on (SSO) configuration profile payload. Contact your MDM vendor to ask about their support for the Extensible Single Sign-on configuration profile payload.