Extensible Single Sign-on Kerberos MDM payload settings for Apple devices
Use the Extensible Single Sign-on Kerberos payload to configure a single sign-on extension on iPhone, iPad, and Mac devices enrolled in a mobile device management (MDM) solution.
This extension is for use by organizations to deliver a seamless experience as users sign in to apps and websites. When this payload is properly configured using MDM, the user authenticates once, then gains access to subsequent native apps and websites automatically. Some of the features that can be used with the Extensible Single Sign-on Kerberos payload are:
- Authentication with a user name and password, or with smart cards, for example
- Per-app VPN
- Password expiration notifications
- Password changes
Because this payload can be used on the user channel, MDM vendors can bundle per-user settings for SSO—for example, the user-level certificate identities for use with certificate-based Kerberos or PKINIT.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.extensiblesso(kerberos)
Supported operating systems and channels: iOS, iPadOS, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment methods: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Extensible Single Sign-on Kerberos payload can be delivered to a user or device.
You can use the settings in the table below with the Extensible Single Sign-on Kerberos payload.
Setting | Description | Required
---|---|---
Extension identifier | The unique bundle ID for the app. This must be com.apple.AppSSOKerberos.KerberosExtension. | Yes
Team identifier | The unique team ID for the app. This must be apple. | Yes
Sign-on type | This value must be Credential. | Yes
Realm | The full Kerberos realm where the user’s account is located. | Yes
Hosts | Approved domains that can be authenticated with the app extension. | No
Extension data | This is the dictionary used by the Apple built-in Kerberos extension. | No
Note: Each MDM vendor implements these settings differently. To learn how various Extensible Single Sign-on Kerberos settings are applied to your devices and users, consult your MDM vendor’s documentation.
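As an added example (not Apple's code or any MDM vendor's), the following Python assembles one such payload with the standard library's plistlib and checks it against the rules in the table before it is handed to an MDM. The plist key names (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts, ExtensionData) are the keys of the com.apple.extensiblesso payload; the PayloadIdentifier values, UUIDs, realm, host and the pwNotificationDays ExtensionData entry are constructed sample values, and the ExtensionData key is assumed rather than taken from this page.

```python
import plistlib

# Values the settings table fixes for Apple's built-in Kerberos extension.
FIXED_VALUES = {"ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
                "TeamIdentifier": "apple", "Type": "Credential"}
REQUIRED_KEYS = ("ExtensionIdentifier", "TeamIdentifier", "Type", "Realm")

def build_kerberos_sso_payload(realm, hosts=None, extension_data=None):
    """Return one Kerberos SSO payload dict; identifier and UUID are constructed placeholders."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # assumed reverse-DNS name
        "PayloadUUID": "PAYLOAD-UUID-PLACEHOLDER",
        **FIXED_VALUES,
        "Realm": realm,
    }
    if hosts:  # optional: approved domains the extension may authenticate to
        payload["Hosts"] = list(hosts)
    if extension_data:  # optional: dictionary consumed by the Kerberos extension itself
        payload["ExtensionData"] = dict(extension_data)
    return payload

def validate_kerberos_sso_payload(payload):
    """Return a list of problems; an empty list means the table's rules are satisfied."""
    problems = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in payload]
    for key, value in FIXED_VALUES.items():
        if key in payload and payload[key] != value:
            problems.append(f"{key} must be {value!r}, got {payload[key]!r}")
    if "Realm" in payload and not payload["Realm"]:
        problems.append("Realm must not be empty")
    hosts = payload.get("Hosts", [])
    if not (isinstance(hosts, list) and all(isinstance(h, str) for h in hosts)):
        problems.append("Hosts must be an array of strings")
    if not isinstance(payload.get("ExtensionData", {}), dict):
        problems.append("ExtensionData must be a dictionary")
    return problems

def to_mobileconfig(payloads):
    """Wrap payloads in a top-level profile and serialize it as XML plist bytes."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.sso.profile",  # assumed
               "PayloadUUID": "PROFILE-UUID-PLACEHOLDER", "PayloadContent": list(payloads)}
    return plistlib.dumps(profile)

def parse_mobileconfig(data):
    """Parse profile bytes back into a dict, e.g. to re-check a profile before deployment."""
    return plistlib.loads(data)
```

Because duplicates of this payload are allowed, the same validator can be run over every com.apple.extensiblesso entry in a profile's PayloadContent; a vendor-generated profile that fails the fixed-value checks will not load the built-in Kerberos extension.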