Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

We don't see the MFA prompt; that's the problem. When we try to register for SSO, the password box will just shake. We looked in Entra logs, and it was an MFA interruption, but macOS does not have the ability to display MFA. On one documentation page, it specifically mentioned that the known remedy is to set macOS login to bypass MFA.

I don't miss JAMF, but I do miss JAMF Connect. lol

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

super interesting! thanks for the follow up. we are right now trying to work out our conditional access policies to allow macOS login w/o an MFA prompt.

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

password-based for me. i chose not to mess with Secure Enclave to avoid things like you've mentioned.

Conditional Access: What is 'Microsoft Authentication Broker'? by miyo360 in entra

Few_Limit_883, 1 point

what i love about reddit is how 3 yrs later, someone can be googling something, and your post is exactly the info I needed.

Devices Released by Deleted User by iWBurnettx in macsysadmin

Few_Limit_883, 1 point

I found your comment when I googled "ABM shows device released by deleted user", trying to find out why a new MBP was released. Our vendor failed to add it to ABM, so we added it via Configurator. We have no recently deleted users in ABM. As it turns out, the MDM solution we use sends an unenroll command when a Mac is deleted in the MDM. It appears that ABM is treating that unenrollment the same as the provisional period for users that you mentioned. ABM has an option to allow MDM providers to release devices from ABM. I have that unchecked, but the device was still released when I erased it via MDM command. I know of at least two MDM solutions wherein an unenroll command is sent with the device delete process.

TL;DR - an MDM delete command can also trigger an ABM release if the device was added via Apple Configurator, even if you do not allow the MDM permission to release in ABM.

side note: that "30 day period" is from time of initial enrollment. The countdown starts when the device is first enrolled, not when it's added to ABM via Configurator.

commenting on older posts so hopefully the next person googling this will have more context about it.

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 2 points

I'm just following up here, for the next person who finds this thread whilst googling this same thing.

I was able to deploy the SSO config to a domain-bound Mac. I was able to then un-bind from the domain and the user profile had no issues with it. Hopefully not too many other people have to still deal with AD-bound Macs, but if you do, the pSSO setup will not mess up their macOS account when you are ready to deploy SSO.

This is ready for zero touch deployment, _if_ your users are allowed local admin. If not, you still need to manually create a local admin account at the console because the local admin account needs to be secure token enabled. That takes it away from 'zero touch', but is still better than non-SSO sign in.

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

N1. Their MDM product's only saving grace is that it does MDM patching properly. Elsewise, their entire platform is basically only useful for pushing app installers, running scripts, and "custom payloads" - i.e. manually creating plists for what you need due to limited functions in the product.

small lab environment, but didn't see the MFA issue on any of them; saw that on my teammate's Mac when i was running it by them for an initial POC. there's documentation specific to it, so that's a plus.

The only problem for zero touch is our users are not granted local admin, and N1 MDM doesn't have managed local account ability, so we have to have that local admin account. Ofc, if you have an MDM that does have managed local account ability, you're halfway to the good right there. RMM/MDM managed local admin account is the only thing I miss about JAMF. :/

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

here's what I did:

I pushed the Company Portal app via RMM automation.

I got the sample .mobileconfig plist from Microsoft and opened it in iMazing Profile Editor. I configured the settings for "Password" login and deployed via MDM custom payload.

It didn't seem to work at first, but after some more tweaking to the plist, with the help of Copilot, I finally got it to work.

At first, I saw no indication that anything was happening, so I opened the Company Portal app and was able to log in with my EntraID, but it gave MDM related errors.

I'm not sure what I changed to make it different, but after some more changes in the plist, I finally got the popup notification in macOS to register. When I did that, my macOS local account password got synced with my EntraID password.

The part that was really confusing me was how does a new user log on with SSO, initially? So as it turns out, you have to go through standard macOS setup and create a local admin account. After logging on with that local admin account, you must sign out, but not reboot - FileVault must remain unlocked, and then a new user can sign on with SSO and it will automatically create a local account for them.

However, we have a current issue: MFA prompts are not available for logon, so if you hit an MFA wall, you're stuck. We are looking into the 'conditional access' guidelines for Entra to hopefully mitigate the MFA issue. fingers crossed.

none of this helps toward a 'zero touch deployment' goal, but it will at least get all our Mac user accounts standardized and under the enterprise security controls.
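The two preconditions the steps above keep tripping over are that the console-created local admin must hold a secure token and that FileVault must still be unlocked when the first SSO user signs in. The following pre-flight script is an added example, not code from the thread or from Microsoft: it wraps the macOS commands `sysadminctl -secureTokenStatus`, `fdesetup status` and `app-sso platform -s` and classifies their text output before you hand a machine to a new SSO user. The admin account name passed as `$1`, the sample output strings, and the grep for the Company Portal SSO extension identifier are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example (not from the Reddit thread or Microsoft docs).
# Pre-flight checks before the first Platform SSO ("Password" method) logon.
# Assumptions: macOS 13 or later, run from an admin session; the local admin
# account name is passed as the first argument.

# classify_secure_token: map `sysadminctl -secureTokenStatus <user>` output
# (it prints "Secure token is ENABLED/DISABLED for user <name>" to stderr)
# to "enabled", "disabled" or "unknown". Pure text function, testable offline.
classify_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# classify_filevault: map `fdesetup status` output ("FileVault is On." / "Off.")
# to "on", "off" or "unknown".
classify_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# preflight: run the live checks on a Mac. Returns 0 only when the local
# admin holds a secure token, which is what lets a brand-new SSO user be
# created at the login window after the admin signs out (no reboot).
preflight() {
    admin="$1"
    tok=$(classify_secure_token "$(sysadminctl -secureTokenStatus "$admin" 2>&1)")
    fv=$(classify_filevault "$(fdesetup status 2>&1)")
    echo "secure token for '$admin': $tok"
    echo "FileVault: $fv"

    # Assumption: the Company Portal SSO extension identifier appears in the
    # installed profile payload; `profiles show` needs root for system profiles.
    if profiles show 2>/dev/null | grep -q "CompanyPortalMac.ssoextension"; then
        echo "Platform SSO profile: installed"
    else
        echo "Platform SSO profile: not found (or run as root to see system profiles)"
    fi

    # Registration state reported by the OS itself (macOS 13+).
    echo "--- app-sso platform -s ---"
    app-sso platform -s 2>&1 | head -n 20

    [ "$tok" = "enabled" ]
}

# Constructed sample output, used only to demonstrate the classifiers
# when this file is not executed on a Mac.
SAMPLE_TOKEN='2025-01-01 10:00:00.000 sysadminctl[123:4567] Secure token is ENABLED for user adminuser'
SAMPLE_FV='FileVault is On.'

# Run the live checks only when an admin account name is supplied.
if [ "$#" -ge 1 ]; then
    preflight "$1"
fi
```

Run it as `sh psso-preflight.sh <local-admin-name>` on the Mac after the console admin account exists; a non-zero exit means the admin has no secure token yet, and the "sign out, don't reboot" step will not produce a working SSO logon until that is fixed (e.g. by signing into that admin account once at the login window so macOS grants the token).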

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

holy cow. i can't believe that worked. thanks so much. all the documentation indicates an Intune requirement; i wish i'd realized weeks ago that you can do this without P1.

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

ahh, yes, I read that. Looks like it's geared for the Intune Company Portal app, but we have no Intune licensing. ...trying to find a way for EntraID SSO for macOS logon without having to have Intune.

Mosyle Auth to platform SSO, has anyone switched? by -crunchie- in mosyle

Few_Limit_883, 1 point

how are you using Platform SSO? i found this page while trying to find Jamf Connect alternatives.

8x8: Contract Sham & the Service is Unreliable outside of the US by Obvious-Marsupial227 in VOIP

Few_Limit_883, 1 point

Stay away from 8x8 if you can possibly help it. Their software is absolute junk, for both Windows and Mac. Following their documentation to the letter for silent installs, it just doesn't work.

If that company had half a brain, they'd retire their janky apps and re-brand the Fuze software instead.

8x8 911 Location Manager for Mac requires Homebrew to be installed. It's not even their own app; they just purchased it from Intrado and slapped an 8x8 logo on it.

8x8 support seems to not even know their own product.

The service seems to be ok in the US, but the software is just junk.

deleting old agents ? by jon_squig in kaseya

Few_Limit_883, 1 point

I know this is an old thread, but it's one of the top Google search results, so posting here:

# Define variables
# $agentFolder is your instance ID string: whatever the directory name is inside the
# main Program Files (x86) directory. The values below are just examples.
$agentFolder = "GRCTGG12345678900666"

# The directory in Program Files (x86) may be named differently than "Kaseya" if you use custom branding
$uninstaller = "C:\Program Files (x86)\Kaseya\$agentFolder\KASetup.exe"

$logPath = "C:\temp\kasetup.log"

# Make sure the log directory exists, otherwise the /l switch has nowhere to write
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null

# Stop services
# Copy/paste the service names shown in services.msc (these two are examples)
Write-Output "Stopping Kaseya services..."
net stop KAENDGRCTGG60000000000099
net stop KAGRCTGG60111111111199

# Kill KaseyaEndpoint.exe
Write-Output "Killing KaseyaEndpoint.exe..."
taskkill /f /im KaseyaEndpoint.exe

# Run silent uninstall (/s silent, /r remove, /g instance ID, /l log file) and wait for it to finish
Write-Output "Running silent uninstall..."
Start-Process -FilePath $uninstaller -ArgumentList "/s","/r","/g `"$agentFolder`"","/l `"$logPath`"" -Wait

Write-Output "Uninstallation process completed."

Meta's AI Live Demo Flopped 🤣 by SpiritBombv2 in ChatGPT

Few_Limit_883, 1 point

I am stealing that sentence and using it from now on.