Farewell, Complexity: Platform SSO Simplified Setup on macOS 26 Powered by Okta and Jamf

Introduction

The introduction of Platform Single Sign-On (SSO) by Apple was a major step, but with macOS 26 (Tahoe), the game has fundamentally changed.
Apple introduced Simplified Setup for Platform SSO, fundamentally redefining the user experience.
By leveraging this new framework, organizations using Okta for identity and Jamf Pro for device management can finally achieve identity integration at the earliest possible moment—the Setup Assistant.

The technical elegance of Simplified Setup allows Jamf Pro to halt the Setup Assistant until the Okta Verify application and its necessary profiles are installed.
Once ready, the user is presented with a native Okta sign-in window.
A successful authentication not only verifies the user but also provisions the first local macOS account, ensuring identity is the secure foundation of the device from the first boot.

This deep-dive guide will walk you through the precise, required configurations in both Okta Device Access and Jamf Pro.
By the end, you will have mastered the necessary SCEP certificates, custom profile payloads, and PreStage settings to deploy a secure, frictionless Mac experience that truly delivers on the promise of zero-touch IT.

Requirements

This blog post will provide a deep dive into the Platform SSO Simplified Setup—the latest evolution that shifts identity from a post-enrollment configuration to a core component of the out-of-box experience.
By leveraging this new native functionality with Okta Device Access and a robust MDM like Jamf Pro, we can finally realize a true “zero-touch” deployment for Macs.

The Technical Leap: Identity at Setup Assistant

Technically, the Simplified Setup feature in macOS 26 is a monumental advancement.
It closes the identity gap that previously existed between Automated Device Enrollment (ADE) and the user’s first login.

  • OS-Native Identity: Instead of relying on post-login agents or scripts, macOS 26 integrates the Platform SSO registration directly into the Setup Assistant.
  • Sequential Assurance: The device is paused in Setup Assistant until the Okta Verify application (the SSO extension) and its configuration profiles are successfully installed and validated by the MDM.
  • First-User Creation: Crucially, the user’s successful authentication with their Okta credentials during the Setup Assistant sequence automatically creates and registers the first local macOS user account, linking it to their Okta identity from the moment they see the desktop.
This is a technical triumph of integration, streamlining MDM Enrollment, Identity Provisioning, and SSO Registration into one unified, native workflow.

Requirements

This section lists the prerequisites for the Simplified Setup of Platform Single Sign-On (SSO) in macOS 26 using Okta, focusing on what this modern, zero-touch enrollment workflow specifically requires.

Okta Requirements

To successfully implement the Simplified Setup for Platform SSO in macOS 26, the following Okta features and configurations are necessary:

  • Okta Identity Engine (OIE): Your Okta organization must be on the Okta Identity Engine platform.
  • Okta Device Access: The Okta Device Access product must be enabled and configured for your organization.
  • Application Integration: The Platform Single Sign-On for macOS application integration must be configured within the Okta Admin Console.
  • Certificate Authority (CA): Okta must be configured as a Certificate Authority for Device Access to provision the necessary Simple Certificate Enrollment Protocol (SCEP) certificates to the macOS devices.
  • Okta Verify Application:
    • Okta Verify 9.5.2 for macOS, the latest MDM-deployable version, must be downloaded from the Okta Admin Console (do not use the Apple App Store version).
  • Network Access: macOS devices must be able to communicate with the necessary Okta endpoints during the Setup Assistant phase.

Jamf Pro Requirements

The Mobile Device Management (MDM) solution, Jamf Pro, plays a crucial role in deploying the necessary components during the Automated Device Enrollment (ADE) process.

  • Jamf Pro Version: A minimum version of Jamf Pro 11.20 or later is required to support the Platform SSO Simplified Setup feature within PreStage Enrollments.
  • Automated Device Enrollment (ADE):
    • Mac devices must be enrolled in Jamf Pro via a PreStage Enrollment using Apple Business Manager (ABM) or Apple School Manager (ASM).
    • The PreStage Enrollment must have the “Enable Simplified Setup for Platform Single Sign-on” option checked.
    • The Platform Single Sign-on App Bundle ID for the Okta Verify app (com.okta.mobile) must be correctly entered in the PreStage Enrollment settings.
    • An Enrollment Package for the Okta Verify application must be added to the PreStage to ensure the app is installed before the Platform SSO screen appears in Setup Assistant.
  • Configuration Profiles:
    • A SCEP Configuration Profile must be created in Jamf Pro, pointing to the Okta Device Access SCEP endpoints (URL, Challenge URL, Username/Password) to facilitate certificate deployment.
    • A Single Sign-On Extensions Configuration Profile must be deployed, configuring the Okta Verify SSO extension and its required settings (e.g., Extension Identifier, Team Identifier, URLs, and the PlatformSSO.ProtocolVersion key set to 2.0 for full functionality).
    • An Associated Domains Payload is required and must be included in the configuration profiles, specifying the Okta domain.

macOS Device Requirements

These are the core operating system and device requirements for the simplified zero-touch experience.

  • Operating System: Devices must be running macOS 26 (macOS Tahoe) or later, as the Simplified Setup feature is new to this version.
  • Enrollment State: The Mac must be in an unconfigured state (Out-of-Box Experience/Setup Assistant) as it is enrolling via ADE to utilize the simplified setup workflow.
  • Local Account Creation: The Simplified Setup workflow is specifically designed to create the first local macOS user account during the Setup Assistant, using the identity authenticated by Okta.
  • Internet Connection: A stable, high-speed internet connection is required during the Setup Assistant phase for successful communication with Jamf Pro, Okta, and Apple’s enrollment services.

Demo – Simplified Setup for Platform SSO

In this demo, you will see the seamless, end-to-end user experience enabled by the Simplified Setup for Platform SSO (PSSO).
This process eliminates the traditional identity gap, linking the user’s cloud identity to the device from the moment of unboxing.

Configuring Single Sign-On (SSO)

In this section, you’ll find detailed, step-by-step instructions for configuring Single Sign-On (SSO) settings in Okta. This setup is essential for enabling seamless and secure SSO integration for specific administrator and user functionalities within Jamf Pro.

Okta Setup

To begin the Single Sign-On configuration, log into your Okta admin console and navigate to Applications > Applications.

Click Browse App Catalog.

In the application catalog, search for Jamf Pro. From the results, select the Jamf Pro SAML application tile to begin the integration process.

Click Add Integration to instantiate the Jamf Pro application template within your Okta environment.

In the configuration prompt, enter your full Jamf Pro URL (e.g., https://[yourinstance].jamfcloud.com) and click Done to finalize the application instantiation.

Navigate to the Authentication pane for the application and click Edit to adjust the configuration parameters.

Navigate to the SAML 2.0 settings for the application within your Okta tenant and perform the following mapping configuration.

This regular expression (.*) ensures that the claim captures all of the user’s assigned Okta groups, facilitating comprehensive group-based authorization and user account type definitions upon Mac login.

Select the appropriate Application username format that aligns with your identity provisioning strategy (e.g., Okta username, email, UPN prefix) and click Save to commit all changes to the Okta application configuration.

Navigate to the Assignments pane within the Okta application settings and assign the relevant users or groups to the Jamf Pro application integration.

Now navigate back to the Authentication tab. On the right side of the page, locate the SAML Setup section and click View SAML setup instructions.

The SAML metadata URL contains all the necessary endpoints and certificate information required for Jamf Pro to establish a trust relationship with Okta.

From Step 3 of the Okta SAML setup instructions, copy the provided Metadata URL.

This URL is critical; it will be used in the upcoming Jamf Pro configuration steps to seamlessly complete the integration and define the identity provider parameters within your MDM.

Jamf Pro Single Sign-On (SSO) Configuration

Log in to your Jamf Pro account using an administrative account and navigate through the administrative menu via:

Settings→System→Single Sign-on

Within the Single Sign-on configuration menu in Jamf Pro, you must enable the feature and specify the authentication protocol to be used.

  • Select the checkbox to Enable SSO Authentication.
  • Set the authentication protocol by selecting SAML authentication.

Proceed down to the SAML Identity Provider (IdP) Integration Settings section within the Jamf Pro Single Sign-on menu to complete the connection to Okta.

  • From the Identity Provider dropdown menu, select Okta.
  • In the Metadata URL field, paste the complete URL that you copied during the Okta configuration steps.

Next, locate the SAML IdP User Mapping section.
Accurate mapping here is essential for Jamf Pro to correctly identify the user based on the incoming SAML assertion from Okta.
Configure the user and group attributes as follows:

  • Identity Provider User Mapping: Select NameID.
    This selects the NameID of the SAML assertion as the primary user identifier.
  • Jamf User Mapping: This value must align precisely with the Application username format defined in the Okta application setup to ensure a successful match.
  • Identity Provider Group Attribute Name: Ensure it is set to http://schemas.xmlsoap.org/claims/Group.

Finally, navigate down to the SAML IdP Options section. The settings configured here govern how and where Single Sign-On is leveraged within the Jamf Pro ecosystem, aligning security with user convenience.

Based on typical requirements for this deployment model, configure the following options:

  • Single Sign-On Options for Jamf Pro
  • Enable Single Sign-On for Self Service for macOS
  • Enable Single Sign-On for User Authentication during Enrollment
  • Enrollment Access: Any identity provider user

These selections are configured to ensure maximum coverage of the SSO experience, from the initial device enrollment through to day-to-day use of Self Service.

Click Save to apply the settings.

Okta PSSO Setup and Integration

In this section, we will cover the initial steps for configuring the Okta PSSO application and establish the necessary SCEP (Simple Certificate Enrollment Protocol) configuration.

Setting Up the Okta PSSO Application

Navigate to Applications > Applications.

In the application catalog, search for Platform. From the results, select the Platform Single Sign-On for macOS application tile to begin the integration process.

Click Add Integration to instantiate the Platform Single Sign-On for macOS application template within your Okta environment.

Choose a suitable Application Label and click Done.

Navigate to the Assignments pane and assign the relevant users or groups to the Platform Single Sign-On for macOS application integration.

On the Authentication tab, note the Client ID. This ID is required when creating the managed app configuration in your Jamf environment.

Device Access SCEP Certificate Configuration

In this section, we will cover how to configure Simple Certificate Enrollment Protocol (SCEP) certificates to enable secure and reliable device access and authentication.
To begin configuration, navigate to Security > Device Integrations.

Navigate to the Device Access tab and initiate the process by clicking Add SCEP configuration.

Select Generic as the Dynamic SCEP URL type and click the Generate button.

The following credentials, generated by Okta, are essential for configuring the trust relationship within your Mobile Device Management (MDM) solution.
These details will be required to build the SCEP configuration profile in Jamf Pro.

Securely record the following four critical values displayed on the screen and Save the configuration.

  • SCEP URL
  • Challenge URL
  • Username
  • Password

Jamf Pro SCEP Profile Configuration

The next phase of the deployment involves creating a new Configuration Profile in Jamf Pro to deploy the necessary Platform SSO settings and SCEP credentials to the target macOS devices.

Create a dynamic SCEP profile in Jamf Pro

In the Jamf Pro console, navigate to:
Computers→Configuration Profiles

Then, click New to initiate the creation of a new profile.

On the General settings page for the new Configuration Profile, define the profile’s identity and determine its scope of deployment. Enter the following required information:

  1. Name: Provide a clear, descriptive name for the profile (e.g., “Okta Device Access – Dynamic SCEP”).
  2. Level Selection: It is highly recommended to select the Computer Level to ensure the certificate used for device identification is available to all local accounts.

In the left-hand navigation menu of the configuration profile editor, select the SCEP payload, and then click Configure to begin entering the certificate enrollment details.

The SCEP payload is the mechanism by which macOS requests and receives the necessary client certificates from Okta’s Device Access platform.

  • SCEP URL: Paste the SCEP URL copied from the Okta Admin Console.
  • Name: A descriptive name for the SCEP profile.
  • Redistribution: Choose how many days before its SCEP-issued certificate expires the profile is redistributed.
    Okta doesn’t support automatic certificate renewal, so the profile must be redistributed to replace the expired certificate.
  • Subject: An appropriate subject name based on the chosen profile level, for example:
    CN=$COMPUTERNAME ODA $UDID

Continue scrolling down within the SCEP payload configuration to define the authentication parameters required by Okta’s SCEP endpoint.
Configure the following settings:

  1. Select Dynamic – Microsoft CA.
  2. Enter the Challenge URL that was secured from the Okta Admin Console.
  3. Enter the SCEP Username obtained from Okta.
  4. Enter the SCEP Password obtained from Okta.
  5. Re-enter the SCEP Password for confirmation.

The last set of configurations within the SCEP payload dictates the characteristics and security constraints of the certificate being issued.
Complete the SCEP profile settings as follows:

  • Set the Key Size field to 2048.
  • Select Use as digital signature.
  • Deselect Allow export from keychain.
  • Select Allow all apps access.
  • Click Save to commit the SCEP configuration profile.

With the SCEP payload fully configured, the last mandatory step is to define the target audience for the profile.

Navigate to the Scope menu and define the deployment targets:

  • Target Computers: Select the specific computer groups or static computers that will receive this Platform SSO configuration.
  • Target Users: Select the corresponding users or user groups who will be utilizing Okta for authentication on these devices.

Click Save to finalize the configuration profile and initiate its deployment based on the defined scope.

PlatformSSO MDM Profile Configuration in Jamf Pro

This section details the configuration of the definitive Platform Single Sign-On (SSO) MDM profile in Jamf Pro. This profile is the cornerstone of the entire solution, deploying the required identity extension to macOS and activating the crucial features that facilitate the zero-touch experience.

Specifically, this configuration enables foundational capabilities of the Simplified Setup workflow:

  • Enabled Registration During Setup: Allows the device to register with the IdP during the Automated Device Enrollment (ADE) process.
  • Creating the First User During Setup: Uses the authenticated cloud identity to provision the initial local macOS account.
  • Just-in-Time (JIT) Account Creation: Ensures subsequent users can also authenticate with their Okta credentials to create their local accounts on-demand.

Accurate setup of this profile is essential for deploying a truly seamless and modern Mac identity experience.

In the Jamf Pro administrative console, navigate to:
Computers→Configuration Profiles

Then, click the + New button to begin creating the required MDM profile.

Click the General payload tab and enter a clear, descriptive name for the profile, such as Okta PSSO.

Scroll down, click the Single Sign-On Extensions payload, and click + Add to add a new extension.

Enter the following parameters for the new SSO extension:

  • Payload type: SSO
  • Extension identifier: com.okta.mobile.auth-service-extension
  • Team identifier: B7F62B65BN
  • Sign-on type: Redirect

Within the same Single Sign-On Extensions payload, you must specify the necessary Okta endpoints for token management and enable the core Platform SSO functionality.

Under the URLs section, enter the following two distinct Okta endpoints.
These are vital for device registration and token exchange.

  • https://<<your-org>>.oktapreview.com/device-access/api/v1/nonce
  • https://<<your-org>>.oktapreview.com/oauth2/v1/token

Ensure you replace https://<<your-org>>.oktapreview.com with your organization’s actual Okta domain.

Configure the core settings to activate the macOS Platform SSO framework:

  • Use Platform SSO: Enabled
  • Authentication Method: Password

Continue scrolling down the Single Sign-On Extensions payload to configure the settings that activate the zero-touch enrollment and dynamic user creation functionalities.

  • Registration Token: Enter any random value. The field isn’t used, because the SCEP certificate takes the place of the registration token, but it must be populated.
  • Enable registration during setup
    Activates the core Simplified Setup feature, allowing the device to register with Okta during the Setup Assistant.
  • Create first user during setup
    Permits the authenticated Okta user’s identity to provision the first local macOS account directly in the Setup Assistant.
  • New user creation authentication method: Select Password
    Specifies the authentication method used for new accounts.
  • Enable Use Shared Device Keys
  • (Optional) Enable Create New User at Logon
    When enabled, this allows users who have not previously logged into the Mac to create a new local account simply by authenticating with their Okta credentials at the standard macOS login window.
  • Enable Identity Provider Authorization
    Enforces that all login and access requests are governed by the policies defined in Okta.

Accurate user mapping is essential for Just-in-Time (JIT) account creation, as it dictates how identity provider (IdP) attributes are translated into the properties of the local macOS user account.

Configure the User Mapping settings as follows:

  • Set macOSAccountUsername as the AccountName
  • Use macOSAccountFullName as the FullName

Next, define the required default privileges for new accounts created via the JIT process:

  • Account Authorization Type: Select the desired authorization type for new user accounts (e.g., Standard or Administrator).

In the sidebar of the window, scroll up, click Associated Domains, and click Configure.

Click + Add.

The Associated Domains configuration is a critical, security-focused component for Platform SSO. It ensures that the Okta Verify application’s Single Sign-On Extension can securely communicate with and assert identity against your specific Okta organization domain, establishing the necessary trust relationship at the operating system level.

Configure the Associated Domains payload with an entry for each of the following app identifiers:

  • B7F62B65BN.com.okta.mobile.auth-service-extension
  • B7F62B65BN.com.okta.mobile

For each entry, the Okta domain must be prefixed with authsrv: to correctly enable the credential transfer between the macOS system and the Okta SSO extension:

  • authsrv:<<your-org>>.oktapreview.com

Enter your organization’s complete Okta domain in place of <<your-org>>.oktapreview.com.

Navigate within the Configuration Profile menu to the Applications & Custom Settings payload. Select the Upload option, and then click the + Add button to begin defining the custom payload.

Enter com.okta.mobile for the first preference domain.
You may directly integrate the following snippet into the configuration area of your Custom Settings payload to define the necessary parameters.

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
</dict>
</plist>

Before deployment, two critical placeholder values within the configuration payload must be updated to align with your specific Okta tenant settings.

Okta Client ID: Substitute CLIENTID with the unique Client ID obtained from the Authentication tab of the Platform Single Sign-On for macOS or Desktop Password Sync application within your Okta Tenant.

Okta Organization URL: Replace the placeholder https://your-org.oktapreview.com with your production Okta organization URL.

The OktaVerify.UserPrincipalName key offers an optional, but highly recommended, mechanism to enhance the user experience by pre-populating the username field in the Okta Sign-In Widget.

  • Parameter: OktaVerify.UserPrincipalName
  • Value: An environment variable such as $USERNAME (if supported by your MDM) or a static identifier.

Specifying this value eliminates the need for the user to manually input their Okta username during the registration process, smoothing the onboarding flow.
If this key is omitted, users will be required to type their full username when prompted to sign in for the first time.

Once this configuration block is complete, proceed to add the second necessary preference domain to the profile to continue the full configuration process.

Next, you must add the second required preference domain, com.okta.mobile.auth-service-extension, to the configuration profile.
You may directly integrate the following snippet into the configuration area of your Custom Settings payload to define the necessary parameters.

<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
</dict>
</plist>

As with the first preference domain, replace the two placeholders before deployment: substitute CLIENTID with the Client ID from the Authentication tab of the Platform Single Sign-On for macOS or Desktop Password Sync application in your Okta tenant, and replace https://your-org.oktapreview.com with your production Okta organization URL.
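As an added example (not code from the original post, Okta, or Jamf), the following Python script builds both preference domains above from an org URL and Client ID, audits a pasted plist for the leftover placeholders the two warnings describe, and derives the nonce/token URLs and the authsrv: Associated Domains entry from the same org URL. acme.oktapreview.com and 0oaEXAMPLE are constructed values, not a real tenant or client.

```python
import plistlib
from urllib.parse import urlparse

# Placeholders exactly as they appear in the sample plists; they must never reach a device.
ORG_URL_PLACEHOLDER = "https://your-org.oktapreview.com"
CLIENT_ID_PLACEHOLDER = "CLIENTID"
# The two preference domains the Applications & Custom Settings payload carries.
APP_DOMAIN = "com.okta.mobile"
EXT_DOMAIN = "com.okta.mobile.auth-service-extension"

def validate_org_url(org_url: str) -> str:
    """Return the bare Okta host for a well-formed org URL, or raise ValueError."""
    url = org_url.strip()
    if url == ORG_URL_PLACEHOLDER:
        raise ValueError("OktaVerify.OrgUrl still holds the placeholder org URL")
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"org URL must be https://<host>: {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"org URL must not carry a path or query: {url!r}")
    return parts.hostname.lower()

def validate_client_id(client_id: str) -> str:
    """Reject an empty Client ID or the CLIENTID placeholder."""
    cid = client_id.strip()
    if not cid or cid == CLIENT_ID_PLACEHOLDER:
        raise ValueError("OktaVerify.PasswordSyncClientID still holds the CLIENTID placeholder")
    return cid

def build_okta_verify_prefs(org_url: str, client_id: str, upn: str = "$USERNAME") -> dict:
    """Build both preference domains; only the extension domain carries ProtocolVersion 2.0."""
    common = {
        "OktaVerify.OrgUrl": f"https://{validate_org_url(org_url)}",
        "OktaVerify.UserPrincipalName": upn,
        "OktaVerify.PasswordSyncClientID": validate_client_id(client_id),
    }
    return {APP_DOMAIN: dict(common), EXT_DOMAIN: {**common, "PlatformSSO.ProtocolVersion": "2.0"}}

def sso_extension_urls(org_url: str) -> list:
    """The two URLs entered in the Single Sign-On Extensions payload (nonce, then token)."""
    host = validate_org_url(org_url)
    return [f"https://{host}/device-access/api/v1/nonce", f"https://{host}/oauth2/v1/token"]

def associated_domain(org_url: str) -> str:
    """The Associated Domains entry: the bare Okta host prefixed with authsrv:."""
    return f"authsrv:{validate_org_url(org_url)}"

def to_plist(prefs: dict) -> bytes:
    """Serialise one preference domain to the XML plist pasted into the Custom Settings payload."""
    return plistlib.dumps(prefs)

def audit_domain_prefs(domain: str, plist_bytes: bytes) -> list:
    """Return findings for one preference-domain plist; an empty list means it is clean."""
    data = plistlib.loads(plist_bytes)
    findings = [f"{domain}: {key} still holds the sample placeholder"
                for key, value in data.items() if value in (ORG_URL_PLACEHOLDER, CLIENT_ID_PLACEHOLDER)]
    org = data.get("OktaVerify.OrgUrl")
    if org and org != ORG_URL_PLACEHOLDER:
        try:
            validate_org_url(org)
        except ValueError as exc:
            findings.append(f"{domain}: {exc}")
    if domain == EXT_DOMAIN and data.get("PlatformSSO.ProtocolVersion") != "2.0":
        findings.append(f"{domain}: PlatformSSO.ProtocolVersion must be 2.0")
    return findings

# Constructed sample: the extension-domain snippet with its placeholders left in place.
SAMPLE_UNEDITED = b"""<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://your-org.oktapreview.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
<key>OktaVerify.PasswordSyncClientID</key>
<string>CLIENTID</string>
<key>PlatformSSO.ProtocolVersion</key>
<string>2.0</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    # acme.oktapreview.com and 0oaEXAMPLE are constructed values, not a real tenant or client.
    for finding in audit_domain_prefs(EXT_DOMAIN, SAMPLE_UNEDITED):
        print("FAIL:", finding)
    prefs = build_okta_verify_prefs("https://acme.oktapreview.com", "0oaEXAMPLE")
    for domain, body in prefs.items():
        print(domain, "->", audit_domain_prefs(domain, to_plist(body)) or "clean")
    print(sso_extension_urls("https://acme.oktapreview.com"), associated_domain("https://acme.oktapreview.com"))
```

Running it against an exported profile before scoping it catches the two most common mistakes: placeholders left in place and the ProtocolVersion key missing from the extension domain.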

Navigate to the Scope tab in the top navigation bar. Under the Selected Deployment Targets section, click the + Add button to define the recipients of this configuration profile.

Deploying Okta Verify to Your Endpoints

Log in to your Okta Admin Console. Navigate to Settings in the main menu, and then select Downloads from the submenu to access the application installers.

Locate the section for Okta Verify for macOS and click the Download button to save the installation package to your local machine.
This downloaded file is the required asset for uploading to your distribution point in Jamf Pro during the next phase of deployment.

Log in to your Jamf Pro console and navigate to Settings→Computer Management→Packages.

Click + New and upload the Okta Verify for macOS package.

Browse your local machine and select the Okta Verify for macOS installation package.

Complete the package details (Name, Display Name).

The Okta Verify application is now staged in your MDM, ready to be added to the PreStage Enrollment for Simplified Setup.

Creating an Enrollment Customization Configuration

In this section, we will set up the Enrollment Customization options within Jamf Pro to enhance and tailor the user experience during Automated Device Enrollment.

By configuring Enrollment Customization settings, we create a reusable configuration that can be applied to a PreStage Enrollment.
This allows us to define specific workflows, settings, and user prompts, further refining the macOS onboarding process for your organization’s unique needs.

In Jamf Pro, click Settings and, in the Global section, click Enrollment Customization.

Click New.

For the Enrollment Customization, enter:

  1. Display Name
  2. Description
  3. The desired Site

Click Add Pane, and then do the following:

  1. Enter a Display Name for the pane
  2. Choose “Single Sign-On Authentication” from the Pane Type
  3. Choose “Any identity provider user” from the Enrollment Access
  4. Click Add

Jamf Pro PreStage Enrollment Setup

PreStage Enrollment streamlines the onboarding process by allowing administrators to create predefined configurations and synchronize them with Apple.
This approach minimizes the time and manual effort required to prepare new Macs for deployment, ensuring they are enrolled seamlessly with Jamf Pro right out of the box.
By setting up a PreStage Enrollment, you can define the enrollment parameters and tailor the user experience during the macOS Setup Assistant.

In Jamf Pro, navigate to Computers→PreStage Enrollments and click + New to create a new PreStage.

On the General payload, enter a descriptive Name and select your preconfigured Automated Device Enrollment Instance.

Locate and check the box next to Enable Simplified Setup for Platform Single Sign-on; a new required field, Platform Single Sign-on App Bundle ID, will appear.

Enter the bundle ID of the Okta Verify app that hosts the SSO extension: com.okta.mobile

Jamf Pro allows you to streamline the enrollment process by specifying which Setup Assistant screens users should bypass.
When a step is selected for omission, that particular screen is automatically skipped, ensuring a faster and more tailored onboarding experience for the user.

Navigate to the Configuration Profiles payload to associate the necessary MDM settings created earlier and click + Configure.

Add the Platform SSO, the Okta SCEP Certificate Profile and include any other relevant configuration profiles you intend to leverage during the Setup Assistant phase.
Deploying these profiles upfront guarantees that the device’s identity framework, security certificates, and core networking capabilities are in place before the user reaches the final login screen.

Navigate to the Enrollment Packages payload, click + Add, and select the Okta Verify for macOS package that you previously uploaded to Jamf Pro.

Deploying the Okta Verify application as an enrollment package is critical.
The system cannot proceed to the Platform SSO screen in Setup Assistant until this identity-providing application is successfully installed.

Navigate to the Scope tab and click Save.
Ensure the correct scope is defined by assigning the PreStage to the specific Mac devices (or Device Groups) synchronized from Apple Business Manager (ABM) or Apple School Manager (ASM).

Conclusion

The release of macOS 26 (Tahoe), coupled with the introduction of Simplified Setup for Platform SSO, marks a pivotal moment in Apple enterprise management. As our deep dive has shown, this feature fundamentally resolves the historical disconnect between device enrollment and user identity.

Simplified Setup ends that disconnect: by fully integrating the Platform SSO registration directly into the Setup Assistant, the Mac no longer requires an unmanaged local account to begin.

The resulting workflow is the seamless, identity-first experience IT administrators have long pursued:

  1. The Mac enrolls via Automated Device Enrollment (ADE).
  2. The MDM (e.g., Jamf Pro) deploys the required Platform SSO application and profiles.
  3. The user authenticates with their Okta credentials with a FIDO2 security key before reaching the desktop.
  4. The first local macOS account is provisioned, inherently linked to the user’s Okta identity.

This streamlined process delivers the technical assurance of identity-backed security from the first moment of use, eliminating password sync issues and dramatically improving the user’s out-of-box experience.
