
Extensible Single Sign-on Kerberos device management payload settings for Apple devices
Use the Extensible Single Sign-on Kerberos payload to define extensions for multifactor user authentication for users of an iPhone, iPad, Shared iPad, Mac, or Apple Vision Pro that enrolls in a device management service.
This extension is for use by organizations to deliver a seamless experience as users sign in to apps and websites. When this payload is properly configured using a device management service, the user authenticates once, then gains access to subsequent native apps and websites automatically. Some of the features you can use with the Extensible Single Sign-on Kerberos payload are:
Authentication with user name and password or, for example, smart cards
Per-app VPN
Password expiration notifications
Password changes
Because you can use this payload on the user channel, device management service developers can bundle per-user settings for SSO—for example, the user-level certificate identities for use with certificate-based Kerberos or PKINIT.
Supported approval method: Requires user approval.
Supported installation method: Requires a device management service to install.
Supported payload identifier: com.apple.extensiblesso(kerberos)
Supported operating systems and channels: iOS, iPadOS, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment methods: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Extensible Single Sign-on Kerberos payload can be delivered to a user or device.
You can use the settings in the table below with the Extensible Single Sign-on Kerberos payload.
| Setting | Description | Required |
|---|---|---|
| Extension identifier | The unique bundle ID for the app. This needs to be com.apple.AppSSOKerberos.KerberosExtension. | Yes |
| Team identifier | The unique team ID for the app. This needs to be apple. | Yes |
| Sign-on type | This value needs to be Credential. | Yes |
| Realm | The full Kerberos realm where the user’s account is located. | Yes |
| Hosts | Approved domains that can be authenticated with the app extension. | No |
| Extension data | This is the dictionary used by the Apple built-in Kerberos extension. | No |
Note: Each device management service developer implements these settings differently. To learn how various Extensible Single Sign-on Kerberos settings are applied to your devices and users, consult your developer’s device management service documentation.
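As an added example that is not part of Apple's documentation, the following Python builds an Extensible Single Sign-on Kerberos payload with the fixed values from the table above and validates a configuration profile against those same rules before it is uploaded to a device management service. The plist key names (PayloadType, ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts, ExtensionData) follow Apple's configuration profile reference for this payload; the realm, host names and profile identifiers are constructed sample values.

```python
"""Build and validate a com.apple.extensiblesso Kerberos payload.

Added example, not Apple's code. Key names follow Apple's configuration
profile reference for the Extensible SSO payload; the realm, hosts and
identifiers used below are constructed sample values.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.extensiblesso"
# Fixed values from the settings table: these must not vary per deployment.
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
KERBEROS_TEAM_ID = "apple"
KERBEROS_SIGNON_TYPE = "Credential"


def kerberos_sso_payload(realm, hosts=None, extension_data=None):
    """Return one payload dictionary following the settings table."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kerberos Single Sign-on",
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,    # Extension identifier
        "TeamIdentifier": KERBEROS_TEAM_ID,              # Team identifier
        "Type": KERBEROS_SIGNON_TYPE,                    # Sign-on type
        "Realm": realm,                                  # Realm (required)
    }
    if hosts is not None:
        payload["Hosts"] = list(hosts)                   # Hosts (optional)
    if extension_data is not None:
        payload["ExtensionData"] = dict(extension_data)  # Extension data (optional)
    return payload


def validate_kerberos_sso_payload(payload):
    """Return a list of problems; an empty list means the payload matches the table."""
    problems = []
    if payload.get("PayloadType") != PAYLOAD_TYPE:
        problems.append(f"PayloadType must be {PAYLOAD_TYPE}")
    # Required keys whose values are fixed for the built-in Kerberos extension.
    for key, expected in (
        ("ExtensionIdentifier", KERBEROS_EXTENSION_ID),
        ("TeamIdentifier", KERBEROS_TEAM_ID),
        ("Type", KERBEROS_SIGNON_TYPE),
    ):
        if key not in payload:
            problems.append(f"{key} is required")
        elif payload[key] != expected:
            problems.append(f"{key} must be {expected!r}, got {payload[key]!r}")
    # Realm is required and deployment-specific, so only its presence is checked.
    realm = payload.get("Realm")
    if not isinstance(realm, str) or not realm.strip():
        problems.append("Realm is required and must be a non-empty string")
    # Optional keys: check the type only when they are present.
    hosts = payload.get("Hosts")
    if hosts is not None and not (
        isinstance(hosts, list) and all(isinstance(h, str) and h for h in hosts)
    ):
        problems.append("Hosts, when present, must be a list of non-empty strings")
    ext = payload.get("ExtensionData")
    if ext is not None and not isinstance(ext, dict):
        problems.append("ExtensionData, when present, must be a dictionary")
    return problems


def build_profile(payloads, display_name="Kerberos SSO profile"):
    """Wrap payloads in a top-level configuration profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kerberos-sso",  # constructed sample identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def validate_profile(profile_bytes):
    """Parse a profile and return 'UUID: problem' strings for every Extensible SSO payload in it."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PAYLOAD_TYPE:
            for problem in validate_kerberos_sso_payload(payload):
                findings.append(f"{payload.get('PayloadUUID', '?')}: {problem}")
    return findings


if __name__ == "__main__":
    # Constructed sample realm and hosts.
    good = kerberos_sso_payload("EXAMPLE.COM", hosts=["example.com", "corp.example.com"])
    print("good payload problems:", validate_kerberos_sso_payload(good))
    bad = dict(good, Type="Redirect")
    print("bad payload problems:", validate_kerberos_sso_payload(bad))
    print(build_profile([good]).decode())
```

Running the validator on a profile exported from a device management service catches the mismatches this page calls out (a wrong extension identifier, team identifier or sign-on type, or a missing realm) before the profile reaches users, which matters because a misconfigured SSO payload fails silently from the user's point of view and simply never provides the expected single sign-on.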