Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- General payload settings
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Configuration payload settings
- AppLayerVPN payload settings
- Associated Domains payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Certificates payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-On payload settings
- Extensible Single Sign-On Kerberos payload settings
- Extensions payload settings
- File Provider payload settings
- Finder payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen layout payload settings
- Identification payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen message payload settings
- Login Items payload settings
- Login Window payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Password and passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Proxy payload settings
- SCEP payload settings
- Security & Privacy payload settings
- Setup Assistant payload settings
- Single App Mode payload settings
- Single Sign-On payload settings
- Smart Card payload settings
- Software Update payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
- Glossary
- Document revision history
- Copyright

Extensible Single Sign-On MDM payload settings for Apple devices
Use the Extensible Single Sign-On payload to define extensions for multifactor user authentication on an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. This payload must be user approved.
This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured using MDM, the user authenticates once then gains access to subsequent native apps and websites automatically. The following other features can be used with the Extensible Single Sign-On payload when implemented by the developer:
iCloud Keychain
Multifactor authentication
Per App VPN
User notification
In addition to providing the Single sign-on extensions for third-party developers, iOS 13, iPadOS 13.1, and macOS 10.15 feature a built-in Kerberos extension that can be used to sign users in to native apps and websites that support Kerberos authentication.
macOS domains should be managed with the Associated Domains payload.
Supported operating system and channel | Supported enrollment types | Interaction | Duplicates |
|---|---|---|---|
iOS iPadOS Shared iPad user macOS device macOS user | User Device Automated Device | Exclusive | Single |
Setting | Description | Required |
|---|---|---|
Extension identifier | The unique bundle ID for the app. | Yes |
Team identifier | The unique team ID for the app. | Yes |
Sign-on type |
| Yes |
Realm | The full Kerberos realm where the user’s account is located. This key is ignored for | No |
Hosts | Approved domains that can be authenticated with the app extension. | No |
URLs | Required for Redirect payloads. Ignored for Credential payloads. The URLs must begin with https:// or http://, the scheme and hostname are matched case insensitively, query parameters and URL fragments aren’t allowed, and the URLs of all installed Extensible SSO payloads must be unique. | No |