Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative status reports
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright
Extensible Single Sign-on Kerberos device management payload settings for Apple devices
Use the Extensible Single Sign-on Kerberos payload to define extensions for multifactor user authentication for users of an iPhone, iPad, Shared iPad, Mac, or Apple Vision Pro that enrolls in a device management service.
This extension is for use by organizations to deliver a seamless experience as users sign in to apps and websites. When this payload is properly configured using a device management service, the user authenticates once, then gains access to subsequent native apps and websites automatically. Some of the features you can use with the Extensible Single Sign-on Kerberos payload are:
Authentication with user name and password or for example, smart cards
Per-app VPN
Password expiration notifications
Password changes
Because you can use this payload on the user channel, device management service developers can bundle per-user settings for SSO—for example, the user-level certificate identities for use with certificate-based Kerberos or PKINIT.
Supported approval method: Requires user approval.
Supported installation method: Requires a device management service to install.
Supported payload identifier: com.apple.extensiblesso(kerberos)
Supported operating systems and channels: iOS, iPadOS, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment methods: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Extensible Single Sign-on Kerberos payload can be delivered to a user or device.
You can use the settings in the table below with the Extensible Single Sign-on Kerberos payload.
Setting | Description | Required | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Extension identifier | The unique bundle ID for the app. This needs to be com.apple.AppSSOKerberos.KerberosExtension. | Yes | |||||||||
Team identifier | The unique team ID for the app. This needs to be apple. | Yes | |||||||||
Sign-on type | This value needs to be Credential. | Yes | |||||||||
Realm | The full Kerberos realm where the user’s account is located. | Yes | |||||||||
Hosts | Approved domains that can be authenticated with the app extension. | No | |||||||||
Extension data | This is the dictionary used by the Apple built-in Kerberos extension. | No | |||||||||
Note: Each device management service developer implements these settings differently. To learn how various Extensible Single Sign-on Kerberos settings are applied to your devices and users, consult your developer’s device management service documentation.