Apple Platform Deployment

Extensible Single Sign-On Kerberos MDM payload settings for Apple devices
Use the Extensible Single Sign-On Kerberos payload to configure the Single sign-on extension on iPhone and iPad devices and Mac computers enrolled in a mobile device management (MDM) solution. This payload must be user approved.
This extension is for use by organizations to deliver a seamless experience as users sign in to apps and websites. When this payload is properly configured using MDM, the user authenticates once, then gains access to subsequent native apps and websites automatically. Some of the features that can be used with the Extensible Single Sign-On Kerberos payload are:
- Authentication with user name and password or, for example, smart cards
- Per App VPN
- Password expiration notifications
- Password changes
Because this payload can be used on the user channel, MDM vendors can bundle per-user settings for SSO—for example, the user-level certificate identities for use with certificate-based Kerberos or PKINIT.

| Supported operating system and channel | Supported enrollment types | Interaction | Duplicates |
|---|---|---|---|
| iOS, iPadOS, Shared iPad user, macOS device, macOS user | User, Device, Automated Device | Exclusive | Multiple |

| Setting | Description | Required |
|---|---|---|
| Extension identifier | The unique bundle ID for the app. This must be com.apple.AppSSOKerberos.KerberosExtension. | Yes |
| Team identifier | The unique team ID for the app. This must be apple. | Yes |
| Sign-on type | This value must be Credential. | Yes |
| Realm | The full Kerberos realm where the user’s account is located. | Yes |
| Hosts | Approved domains that can be authenticated with the app extension. | No |
| Preferred KDCs | The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. If servers are specified, they are used for connectivity checks and are tried first for Kerberos traffic. | No |
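
The fixed values in the table above can be checked before a profile is pushed. The following is an added example, not Apple's code: a small linter that parses a configuration profile and reports payloads that break those rules. The plist key names (`ExtensionIdentifier`, `TeamIdentifier`, `Type`, `Realm`, `Hosts`, `ExtensionData`/`preferredKDCs`) and the payload type `com.apple.extensiblesso` come from Apple's profile schema rather than from this page, the sample realm, host and KDC names are constructed, and the linter assumes every Extensible SSO payload in the profile is meant to be the Kerberos extension.

```python
import plistlib

SSO_TYPE = "com.apple.extensiblesso"
# Fixed values the settings table requires; key names are from Apple's profile schema.
FIXED = {
    "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
    "TeamIdentifier": "apple",
    "Type": "Credential",
}

def _str_list(value):
    """True when value is a list made up only of non-empty strings."""
    return isinstance(value, list) and all(isinstance(v, str) and v for v in value)

def lint_kerberos_sso(profile_bytes):
    """Return a list of problems in the profile's Extensible SSO Kerberos payloads."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_TYPE]
    if not payloads:
        return [f"no {SSO_TYPE} payload found"]
    problems = []
    for i, p in enumerate(payloads):
        for key, want in FIXED.items():
            if p.get(key) != want:
                problems.append(f"payload {i}: {key} must be {want!r}, got {p.get(key)!r}")
        realm = p.get("Realm")
        if not isinstance(realm, str) or not realm.strip():
            problems.append(f"payload {i}: Realm is required")
        if "Hosts" in p and not _str_list(p["Hosts"]):
            problems.append(f"payload {i}: Hosts must be a list of non-empty strings")
        kdcs = (p.get("ExtensionData") or {}).get("preferredKDCs")
        if kdcs is not None and not _str_list(kdcs):
            problems.append(f"payload {i}: preferredKDCs must be a list of non-empty strings")
    return problems

def sample_profile(**overrides):
    """Build a constructed test profile; pass key=None to drop a key."""
    payload = dict(FIXED, PayloadType=SSO_TYPE, Realm="EXAMPLE.COM",
                   Hosts=[".example.com"],
                   ExtensionData={"preferredKDCs": ["kdc1.example.com"]})
    payload.update(overrides)
    payload = {k: v for k, v in payload.items() if v is not None}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    # A third-party team ID and a missing realm both violate the table's rules.
    for line in lint_kerberos_sso(sample_profile(TeamIdentifier="ABCDE12345", Realm=None)):
        print(line)
```
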