Using the Single Sign-on extension with Apple devices
The Kerberos Single Sign-on (SSO) extension makes it easy to use Kerberos-based single sign-on with your organization’s iOS or iPadOS devices and Mac computers by simplifying the process of acquiring a Kerberos ticket-granting ticket (TGT) from your Active Directory domain, allowing users to seamlessly authenticate to resources like websites, apps, and file servers. The Kerberos SSO extension also helps your users manage their Active Directory accounts.
The Kerberos SSO extension should be used with an on-premise Active Directory domain. To use the Kerberos SSO extension, the device doesn’t need to be joined to an Active Directory domain. Additionally, users don’t need to log in to their Mac computers with Active Directory accounts; instead, Apple recommends using local accounts.
On macOS, the Kerberos SSO extension allows users to change their Active Directory passwords and notifies them when a password is close to expiring. Additionally, users can change their local account passwords to match their Active Directory passwords. When a user changes their network state (for example, they switch from Wi-Fi to Ethernet) the Kerberos SSO extension proactively acquires a Kerberos TGT to ensure that the user is ready to do Kerberos authentication when needed.
Users can view and manage their Kerberos ticket information by using the Ticket Viewer app located in /System/Library/CoreServices/. You can see additional information by clicking the Ticket menu and choosing Diagnostic Information. Users can also request, view, and destroy Kerberos tickets by using the command line tools
iOS 13, iPadOS 13.1, or macOS 10.15 or later
An Active Directory domain must run in Windows Server 2008 or greater functional mode. The Kerberos SSO extension isn’t intended for use with Microsoft Azure Active Directory. It requires a traditional on-premise Active Directory domain.
Access to the network where the Active Directory domain is hosted. This network access can be Wi-Fi, Ethernet, or VPN.
Devices must be managed with a mobile device management (MDM) solution that supports the Extensible Single Sign-on (SSO) configuration profile payload. Contact your MDM vendor to ask about their support for the Extensible Single Sign-on configuration profile payload.