Authenticator App For Mac

11/26/2021 by admin

Jun 29, 2021 Authenticator App for PC and Mac. Authenticator generates secure tokens offline from the safety of your device; this way you can authenticate securely even when in airplane mode. Authenticator provides secure cloud backups with 256-bit encryption, so you will never lose access to your tokens again.

  • Start the BlueStacks App Player from your Windows or Mac start menu or desktop shortcut. Add a Google account by signing in, which can take a few minutes. To finish, you will be taken to the Google Play Store page, which lets you search for Google Authenticator through the search bar and install it for PC or Mac.
  • Authy goes a lot further than Google Authenticator. There are iOS and Android apps, an Apple Watch app, a desktop app for Mac, and a browser plugin for Chrome. To begin with, Authy requires that you confirm your device via a code sent by SMS or phone call.
Why the hell was this deleted? What are you hiding????
I've already commented on the Google Play page of the issue and flagged it to google services to get the matter resolved.
I'm now here to further bring to attention that as of recently the Blizzard Authenticator App no longer works for some reason.
I'm not the only one experiencing this either.
The app will not process the authentication after pressing the One Button Option, nor will it proceed with SMS Protect. Furthermore the app is persistent on saying that there is no network connection and as such you are unable to load any relevant pages. Completely unable to restore the app, uninstall and reinstall or even reset.
So for now, I am without this extra layer of security because players are forced to uninstall it completely and remove the authenticator just to be allowed to log in!
Please resolve this ASAP.
Apsanakune
I am Apsanakune.
I can see you had some problems with the authenticator. Thanks for letting me know and taking your time getting all the information, even posting this on our forums.
I have been looking into this, and if you are receiving the error message 'The webpage is unavailable.' after opening the Blizzard Authenticator app and you have an active internet connection, this error means the Blizzard Authenticator app is not supported on your version of Android. The Blizzard Authenticator app requires Android version 5.0 (Lollipop) or greater.
Please check your Android device for any available Operating System updates. If no updates are available, you will need to install the Blizzard Authenticator app on a different device running at least Android 5.0.
I hope everything goes well!
Have a nice day and good luck!
16 minutes ago
Hi,
So can you try and explain to me why the authenticator app now needs that version of Android?
Why was it changed?
I can not see how in any shape or form it's acceptable to now lock existing users from using the app. Let alone the fix being 'Buy a new device'.
There was no warning of this major change, at least as far as I could tell.
Regards,
Ahriman.
9 minutes ago
Also to further note.
The App page is still showing it's compatible for my device using Android 4.3 which worked perfectly till recently.
Either there is miscommunication and wrong information or something else is going on here.

To use the Authenticator app, you will have to choose the Switch To App option on the Google webpage. Now open Authenticator, and tap the “+” icon at the top right hand side. This will pop up two options at the bottom of the screen.

I would like to add to this that a more informative response to my ticket was given which I found to be more helpful.
They showed me the history for the Android versions found here: https://en.wikipedia.org/wiki/Android_version_history
Unfortunately though, and I'm equally amazed and appalled at this, the developers from Blizzard are the only ones with information on this matter.
So this really needs the attention, preferably from a developer of the authenticator app to come and explain this whole situation.
Especially WHY THIS WAS NOT COMMUNICATED TO USERS.
  1. Now in the search box type ‘Google Authenticator‘ and get the manager in Google Play Search. Click on the app icon and install it. Once installed, find Google Authenticator in all apps in BlueStacks, click to open it. Use your mouse’s right button/click to use this application.
  2. Alternatively, you may be prompted to enter the verification code displayed in the app. The app supports Azure Multi-Factor Authentication and other software tokens such as those used with Microsoft and Google accounts. To get started with the Azure Authenticator app, install the application from the Windows Phone, iOS or Android app store.
Where is the information?
Blizzard literally did a major change without any warning or info provided that could have potentially affected thousands.
WHY DO YOU HAVE ZERO CUSTOMER CARE!?
I may not be a blue community associate, but I can easily explain your scenario and what actually happened. You seem to have an old or outdated device that you'd rather use instead of upgrading. The app no longer works due to an 'update to the terms of use' change that you were not notified about and you require the owner to accept responsibility of the issue and fix your problem for you. It's a simple logic problem that actually requires a compromise of meeting your issue halfway or just stop using it, you'll no doubt call this trolling but you can read the policy here:
[ http://us.blizzard.com/en-us/company/legal/eula.html ]
Stating in Article 9, Section B:
Alterations to the Platform. Blizzard may change, modify, suspend, or discontinue any aspect of the Platform or Accounts at any time, including removing items, or revising the effectiveness of items in an effort to balance a Game. Blizzard may also impose limits on certain features or restrict your access to parts or all of the Platform or Accounts *without notice* or liability.

Yes, you have a need to have your app work, but as a business model your version may have significant security flaws or defects that may allow improper or incorrect use by you or someone impersonating you. There is customer care, but the customer care model is dependent on the consumer base reading the policies before agreement, because it clearly states in the policy that no one is FORCING you to use this product. You are VOLUNTARILY using a product, and don't need support if you don't wish to uphold your end of the agreement, if you don't agree to it, you don't have to use it. It was clearly stated in the first response by an official Blizzard employee that the app 'REQUIRES ANDROID 5.0' on your device, and stating otherwise for your device would have been misinformation. I don't know what device you have as you've not stated above, but if your device is not able to update to the most recent version of the operating system for your device, then to answer your question, 'yes, you may need a new device to load this app.'
As I stated, I'm not a Blizzard employee, but the community does have answers if requested. 'WHY DO YOU HAVE ZERO CUSTOMER CARE!?' is not a question you can ask any business, you'll need to calm down and ask a rational question such as 'is there a forum I can obtain information for any workarounds' or 'I'm not ready to update my device, would you happen to have a '.apk' that I can still use for my device?'
Sorry but no, I don't need to calm down. The experiences I've had with Blizzard are simply just appalling.
I'm going to try my best to respond to a few things you wrote, as I do appreciate the fact you provided a nice chunk of information in places. Please bear in mind I may get confused, misinterpret or struggle to write back due to mental health stuff affecting my concentration etc. Sorry for any inconvenience and hope you understand.
You seem to have an old or outdated device that you'd rather use instead of upgrading.

Yes, seemingly so. Thing is though, it was working just fine and still shows compatibility for my version of Android which is 4.3 (Lollipop). Support staff only speculated the 5.0 version from the only information they had.
you require the owner to accept responsibility of the issue and fix your problem for you.
Quite frankly any notice would have been more than sufficient. However, as per usual, Blizzard seem to not get that. The app page shows at least 5 million for Google Play. Would you not agree that a major change should have been communicated, considering this could have potentially affected thousands if not more?
Information would have been understandable too just so people know what is going on, even the support department does not have any information (will show this later).
significant security flaws or defects that may allow improper or incorrect use by you or someone impersonating you.

This was summarised when the second support representative attempted to provide a more informative answer with the little knowledge they had. This I understand; not everything is going to be foolproof all the time, and I did look at the Android history that they linked me.
07/01/2018 01:54 PM Posted by Siido
It was clearly stated in the first response by an official Blizzard employee that the app 'REQUIRES ANDROID 5.0' on your device, and stating otherwise for your device would have been misinformation.
As mentioned above, this was only a guess and speculation supposedly from the only info they had. You can see this for yourself on this image:
- https://imgur.com/AcSBLf0
'is there a forum I can obtain information for any workarounds' or 'I'm not ready to update my device, would you happen to have a '.apk' that I can still use for my device?'

Something along these lines, I had already asked the more helpful representative above. Unfortunately the best suited outcome was to uninstall the app until I can get a new device, which I did before contacting relevant places.
Honestly the thing that frustrates me the most, and is my main problem, is simply that Blizzard can not communicate. Not even to their own support department that handles tickets for them. Heck, this topic even got deleted once and then had its title changed - but no sign of any input from Blizzard.
I can't understand why it's so hard to just write a few words or a few sentences or a paragraph depending on the matter.
I see the lack of intervention across the forums, attention to varying degrees of severity for issues seem to be all backwards and stuff is just left to get buried under the mass of topics.
There's definitely miscommunication as the left hand doesn't know what the right hand is doing on some stuff.
Hi, I am having the same issue with my app. I have the 4.4 version of Android, and it was working fine for me up to today. Please tell us how to fix this.
Hi, I am having the same issue with my app. I have the 4.4 version of Android, and it was working fine for me up to today. Please tell us how to fix this.

If Android OS under 5 isn't supported, then there's no fix other than updating your phone or getting a new one that does have a higher Android version. Unless you mean that the one button mode doesn't work rather than that you can't install it, apparently using manual mode should still work.
Hi, I am having the same issue with my app. I have the 4.4 version of Android, and it was working fine for me up to today. Please tell us how to fix this.
If Android OS under 5 isn't supported, then there's no fix other than updating your phone or getting a new one that does have a higher Android version. Unless you mean that the one button mode doesn't work rather than that you can't install it, apparently using manual mode should still work.
Could you please tell me when this phasing out occurred? Because my authenticator was working as normal 2 days ago.
I've no idea. I saw a blue mention it on another forum, and then this thread. There's also this support article https://us.battle.net/support/en/article/166527 but the error's been showing for people for quite a bit now.
I've no idea. I saw a blue mention it on another forum, and then this thread.

Never been a blue here as far as I'm aware.
Just kinda proves my point of Blizzard negligence. We don't even know for certain about Android Version 5.
Never been a blue here as far as I'm aware.
Just kinda proves my point of Blizzard negligence. We don't even know for certain about Android Version 5.

They don't answer all threads, and they generally take longer/don't answer ones that aren't about the Battle.net app itself. But a blue answered your own thread on the other forum mentioning the Android version 5 thing. https://eu.battle.net/forums/en/bnet/topic/17620272019#post-2
Never been a blue here as far as I'm aware.
Just kinda proves my point of Blizzard negligence. We don't even know for certain about Android Version 5.
But a blue answered your own thread on the other forum mentioning the Android version 5 thing. https://eu.battle.net/forums/en/bnet/topic/17620272019#post-2
Why did they even reply there...
I also noticed the comments of yours that pointed out those boards are the wrong forum boards and I should come here; are gone / deleted. Don't see what for let alone why.

Microsoft today launched its popular Authenticator iOS app on Apple Watch. It permits owners of Apple’s wearable device to approve log-in requests securely for Microsoft websites and services, no phone required.

A public preview of Authenticator’s companion app for Apple Watch released a few weeks ago. The watchOS component launched this morning as an update to the existing iOS app.

Download Microsoft Authenticator 6.0+ to your iPhone, then install Authenticator’s watchOS app through the companion Watch app on your paired iPhone. This will let you approve sign-in notifications that require PIN or biometric on your Apple Watch, no need to use your phone.

The software supports Microsoft personal, work and school accounts that are set up with push notifications. All supported accounts automatically sync to your Apple Watch. Be sure that your phone and watch are paired, then open the Authenticator app on the watch.

You may be required to tap the Set up button to initialize the app. Approving sign-in notifications from your wrist couldn’t be easier. To see it in action, try signing in to your Microsoft Account protected with two-step verification.

When a notification hits your wrist, you can quickly authorize it from the watch itself by tapping the Approve button. The streamlined process cancels the need to type in a six-digit code. Microsoft considers this watch experience as true two-step verification.

“The first factor is your possession of the watch,” the company explains. “The second factor is the PIN that only you know. When you put the Watch on your wrist in the morning, you will need to unlock it. As long as you don’t remove the Watch from your wrist and it stays within range of your phone, it will stay unlocked—so you don’t need to provide your PIN again.”

For more info, read Authenticator’s FAQ.

Download Microsoft Authenticator for free from App Store.

Other two-factor authentication apps are available on both iPhone and Apple Watch, like the excellent Authy app I’ve been using for years and 1Password, which includes a watchOS component and the ability to generate two-factor authentication codes.


Important

This feature is in public preview. This preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see Supplemental terms of use for Microsoft Azure previews.

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts on macOS, iOS, and iPadOS across all applications that support Apple's enterprise single sign-on feature. The plug-in provides SSO for even old applications that your business might depend on but that don't yet support the latest identity libraries or protocols. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection available.

The Enterprise SSO plug-in is currently a built-in feature of the following apps:

  • Microsoft Authenticator: iOS, iPadOS
  • Microsoft Intune Company Portal: macOS

Features

The Microsoft Enterprise SSO plug-in for Apple devices offers the following benefits:

  • It provides SSO for Azure AD accounts across all applications that support the Apple Enterprise SSO feature.
  • It can be enabled by any mobile device management (MDM) solution.
  • It extends SSO to applications that don't yet use Microsoft identity platform libraries.
  • It extends SSO to applications that use OAuth 2, OpenID Connect, and SAML.

Requirements

To use the Microsoft Enterprise SSO plug-in for Apple devices:

  • The device must support and have an installed app that has the Microsoft Enterprise SSO plug-in for Apple devices:
    • iOS 13.0 and later: Microsoft Authenticator app
    • iPadOS 13.0 and later: Microsoft Authenticator app
    • macOS 10.15 and later: Intune Company Portal app
  • The device must be enrolled in MDM, for example, through Microsoft Intune.
  • Configuration must be pushed to the device to enable the Enterprise SSO plug-in. Apple requires this security constraint.

iOS requirements:

  • iOS 13.0 or higher must be installed on the device.
  • A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, this application is the Microsoft Authenticator app.

macOS requirements:

  • macOS 10.15 or higher must be installed on the device.
  • A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, these applications include the Intune Company Portal app.

Enable the SSO plug-in

Use the following information to enable the SSO plug-in by using MDM.

Microsoft Intune configuration

If you use Microsoft Intune as your MDM service, you can use built-in configuration profile settings to enable the Microsoft Enterprise SSO plug-in:

  1. Configure the SSO app extension settings of a configuration profile.
  2. If the profile isn't already assigned, assign the profile to a user or device group.

The profile settings that enable the SSO plug-in are automatically applied to the group's devices the next time each device checks in with Intune.

Manual configuration for other MDM services

If you don't use Intune for MDM, you can configure an Extensible Single Sign On profile payload for Apple devices. Use the following parameters to configure the Microsoft Enterprise SSO plug-in and its configuration options.

iOS settings:

  • Extension ID: com.microsoft.azureauthenticator.ssoextension
  • Team ID: This field isn't needed for iOS.

macOS settings:

  • Extension ID: com.microsoft.CompanyPortalMac.ssoextension
  • Team ID: UBF8T346G9

Common settings:

  • Type: Redirect
    • https://login.microsoftonline.com
    • https://login.microsoft.com
    • https://sts.windows.net
    • https://login.partner.microsoftonline.cn
    • https://login.chinacloudapi.cn
    • https://login.microsoftonline.de
    • https://login.microsoftonline.us
    • https://login.usgovcloudapi.net
    • https://login-us.microsoftonline.com

More configuration options

You can add more configuration options to extend SSO functionality to other apps.

Enable SSO for apps that don't use a Microsoft identity platform library

The SSO plug-in allows any application to participate in SSO even if it wasn't developed by using a Microsoft SDK like Microsoft Authentication Library (MSAL).

The SSO plug-in is installed automatically by devices that have:

  • Downloaded the Authenticator app on iOS or iPadOS, or downloaded the Intune Company Portal app on macOS.
  • Registered their device with your organization.

Your organization likely uses the Authenticator app for scenarios like multifactor authentication (MFA), passwordless authentication, and conditional access. By using an MDM provider, you can turn on the SSO plug-in for your applications. Microsoft has made it easy to configure the plug-in inside the Microsoft Endpoint Manager in Intune. An allowlist is used to configure these applications to use the SSO plug-in.

Important

The Microsoft Enterprise SSO plug-in supports only apps that use native Apple network technologies or webviews. It doesn't support applications that ship their own network layer implementation.

Use the following parameters to configure the Microsoft Enterprise SSO plug-in for apps that don't use a Microsoft identity platform library.

Enable SSO for all managed apps

  • Key: Enable_SSO_On_All_ManagedApps
  • Type: Integer
  • Value: 1 or 0.

When this flag is on (its value is set to 1), all MDM-managed apps not in the AppBlockList may participate in SSO.

Enable SSO for specific apps

  • Key: AppAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle IDs for the applications that are allowed to participate in SSO.
  • Example: com.contoso.workapp, com.contoso.travelapp

Note

Safari and Safari View Service are allowed to participate in SSO by default. They can be configured not to participate in SSO by adding their bundle IDs to AppBlockList. iOS bundle IDs: com.apple.mobilesafari, com.apple.SafariViewService; macOS bundle ID: com.apple.Safari.

Enable SSO for all apps with a specific bundle ID prefix

  • Key: AppPrefixAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle ID prefixes for the applications that are allowed to participate in SSO. This parameter allows all apps that start with a particular prefix to participate in SSO.
  • Example: com.contoso., com.fabrikam.

Disable SSO for specific apps

  • Key: AppBlockList
  • Type: String
  • Value: Comma-delimited list of application bundle IDs for the applications that are not allowed to participate in SSO.
  • Example: com.contoso.studyapp, com.contoso.travelapp

To disable SSO for Safari or Safari View Service, you must explicitly do so by adding their bundle IDs to the AppBlockList:

  • iOS: com.apple.mobilesafari, com.apple.SafariViewService
  • macOS: com.apple.Safari

Enable SSO through cookies for a specific application

Some apps that have advanced network settings might experience unexpected issues when they're enabled for SSO. For example, you might see an error indicating that a network request was canceled or interrupted.

If your users have problems signing in to an application even after you've enabled it through the other settings, try adding it to the AppCookieSSOAllowList to resolve the issues.

  • Key: AppCookieSSOAllowList
  • Type: String
  • Value: Comma-delimited list of application bundle ID prefixes for the applications that are allowed to participate in the SSO. All apps that start with the listed prefixes will be allowed to participate in SSO.
  • Example: com.contoso.myapp1, com.fabrikam.myapp2

Other requirements: To enable SSO for applications by using AppCookieSSOAllowList, you must also add their bundle ID prefixes to AppPrefixAllowList.

Try this configuration only for applications that have unexpected sign-in failures.
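The manual MDM configuration above is a set of key/value pairs carried in an Apple Extensible SSO profile payload. The following Python is an added example, not code from Microsoft or Apple: it assembles that payload for iOS or macOS from the extension IDs, team ID, redirect URLs and ExtensionData keys documented on this page, checks the documented constraints (integer flags are 1 or 0; every AppCookieSSOAllowList entry is covered by an AppPrefixAllowList prefix) before serializing, and writes the result as a plist. The payload key names (PayloadType com.apple.extensiblesso, ExtensionIdentifier, TeamIdentifier, Type, URLs, ExtensionData) are Apple's Extensible SSO profile keys as an MDM delivers them, and the PayloadIdentifier is a placeholder; both are assumptions of the example.

```python
"""Build an Extensible SSO profile payload for the Microsoft Enterprise SSO plug-in.

Added example, not code from Microsoft or Apple. Extension IDs, team ID,
redirect URLs and ExtensionData keys come from the page; the payload key
names are assumed to be Apple's Extensible SSO profile keys, and the
PayloadIdentifier is a placeholder.
"""
import plistlib
import uuid

# Azure AD sign-in hosts listed under "Common settings" on this page.
AZURE_AD_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login.usgovcloudapi.net",
    "https://login-us.microsoftonline.com",
]

# Per-platform extension settings from the page (iOS needs no Team ID).
EXTENSION_BY_PLATFORM = {
    "ios": {"ExtensionIdentifier": "com.microsoft.azureauthenticator.ssoextension"},
    "macos": {
        "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
        "TeamIdentifier": "UBF8T346G9",
    },
}

# ExtensionData keys the page documents as Integer flags taking 1 or 0.
INTEGER_FLAGS = (
    "Enable_SSO_On_All_ManagedApps",
    "admin_debug_mode_enabled",
    "browser_sso_interaction_enabled",
    "browser_sso_disable_mfa",
    "disable_explicit_app_prompt",
)
# ExtensionData keys the page documents as comma-delimited strings.
LIST_KEYS = ("AppAllowList", "AppBlockList", "AppPrefixAllowList", "AppCookieSSOAllowList")


def split_list(value):
    """Split a comma-delimited list value, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_extension_data(data):
    """Return a list of configuration problems; an empty list means the data is consistent."""
    problems = []
    for key in INTEGER_FLAGS:
        if key in data and data[key] not in (0, 1):
            problems.append(f"{key} must be the integer 1 or 0, got {data[key]!r}")
    for key in LIST_KEYS:
        if key in data and not isinstance(data[key], str):
            problems.append(f"{key} must be a comma-delimited string")
    if problems:
        return problems
    # Page rule: apps in AppCookieSSOAllowList must also be covered by AppPrefixAllowList.
    prefixes = split_list(data.get("AppPrefixAllowList", ""))
    for entry in split_list(data.get("AppCookieSSOAllowList", "")):
        if not any(entry.startswith(prefix) for prefix in prefixes):
            problems.append(f"{entry} is in AppCookieSSOAllowList but no AppPrefixAllowList prefix covers it")
    return problems


def build_payload(platform, extension_data):
    """Assemble the Extensible SSO payload for "ios" or "macos"; raises on inconsistent ExtensionData."""
    problems = check_extension_data(extension_data)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.enterprise-sso.{platform}",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Microsoft Enterprise SSO plug-in",
        "Type": "Redirect",
        "URLs": list(AZURE_AD_URLS),
        "ExtensionData": dict(extension_data),
    }
    payload.update(EXTENSION_BY_PLATFORM[platform])
    return payload


def to_plist(payload):
    """Serialize the payload as XML plist bytes, the form an MDM profile carries."""
    return plistlib.dumps(payload)


def from_plist(data):
    """Parse plist bytes back into a payload dict."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed sample: SSO for all managed apps, Safari excluded on macOS,
    # and the cookie-based fallback for one app family covered by a prefix.
    sample = {
        "Enable_SSO_On_All_ManagedApps": 1,
        "AppBlockList": "com.apple.Safari",
        "AppPrefixAllowList": "com.contoso.",
        "AppCookieSSOAllowList": "com.contoso.myapp1",
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": 1,
    }
    print(to_plist(build_payload("macos", sample)).decode())
```

Running the module prints the macOS profile payload for the constructed sample; swapping "macos" for "ios" drops the TeamIdentifier, matching the note above that the field is not needed on iOS. The consistency check runs before serialization so that a cookie allow-list entry without its prefix, which the page says will not work, is rejected at build time rather than discovered as a sign-in failure on the device.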

Summary of keys

  • Enable_SSO_On_All_ManagedApps (Integer): 1 to enable SSO for all managed apps, 0 to disable SSO for all managed apps.
  • AppAllowList (String, comma-delimited list): Bundle IDs of applications allowed to participate in SSO.
  • AppBlockList (String, comma-delimited list): Bundle IDs of applications not allowed to participate in SSO.
  • AppPrefixAllowList (String, comma-delimited list): Bundle ID prefixes of applications allowed to participate in SSO.
  • AppCookieSSOAllowList (String, comma-delimited list): Bundle ID prefixes of applications allowed to participate in SSO but that use special network settings and have trouble with SSO using the other settings. Apps you add to AppCookieSSOAllowList must also be added to AppPrefixAllowList.

Settings for common scenarios

  • Scenario: I want to enable SSO for most managed applications, but not for all of them.
    • Enable_SSO_On_All_ManagedApps: 1
    • AppBlockList: the bundle IDs (comma-delimited list) of the apps you want to prevent from participating in SSO.
  • Scenario: I want to disable SSO for Safari, which is enabled by default, but enable SSO for all managed apps.
    • Enable_SSO_On_All_ManagedApps: 1
    • AppBlockList: the bundle IDs (comma-delimited list) of the Safari apps you want to prevent from participating in SSO. For iOS: com.apple.mobilesafari, com.apple.SafariViewService. For macOS: com.apple.Safari.
  • Scenario: I want to enable SSO on all managed apps and a few unmanaged apps, but disable SSO for a few other apps.
    • Enable_SSO_On_All_ManagedApps: 1
    • AppAllowList: the bundle IDs (comma-delimited list) of the apps you want to enable for participation in SSO.
    • AppBlockList: the bundle IDs (comma-delimited list) of the apps you want to prevent from participating in SSO.

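The allow, prefix, block and cookie lists interact, and the scenarios above only show three combinations. The following Python is an added example, not Microsoft's code: it models the keys documented on this page (Enable_SSO_On_All_ManagedApps, AppAllowList, AppPrefixAllowList, AppBlockList, AppCookieSSOAllowList) plus the Safari default, and reports for a constructed device inventory which apps get SSO under each scenario. Two points are assumptions of the example: an entry in AppBlockList overrides every allow setting (the page uses it to switch off even Safari), and "managed" means the app is MDM-managed on the device. The bundle IDs are constructed.

```python
"""Evaluate which apps get SSO under a set of ExtensionData keys.

Added example, not Microsoft's code. Keys and the Safari default come from
the page; AppBlockList winning over every allow setting and "managed"
meaning MDM-managed are assumptions. Bundle IDs are constructed.
"""

# Safari and Safari View Service get SSO by default (page note); iOS and macOS IDs.
SAFARI_BUNDLE_IDS = ("com.apple.mobilesafari", "com.apple.SafariViewService", "com.apple.Safari")


def split_list(value):
    """Split a comma-delimited list value, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def sso_mode(config, bundle_id, managed=False):
    """Return "none", "sso" or "cookie-sso" for one app under the given ExtensionData."""
    # Assumption: AppBlockList overrides every allow setting.
    if bundle_id in split_list(config.get("AppBlockList", "")):
        return "none"
    prefixes = split_list(config.get("AppPrefixAllowList", ""))
    allowed = (
        bundle_id in SAFARI_BUNDLE_IDS                                         # allowed by default
        or (managed and config.get("Enable_SSO_On_All_ManagedApps", 0) == 1)   # all managed apps
        or bundle_id in split_list(config.get("AppAllowList", ""))             # explicit allow
        or any(bundle_id.startswith(p) for p in prefixes)                      # prefix allow
    )
    if not allowed:
        return "none"
    # Page rule: cookie-based SSO needs the app covered by AppPrefixAllowList too.
    cookie_prefixes = split_list(config.get("AppCookieSSOAllowList", ""))
    if (any(bundle_id.startswith(c) for c in cookie_prefixes)
            and any(bundle_id.startswith(p) for p in prefixes)):
        return "cookie-sso"
    return "sso"


def report(config, apps):
    """Map each (bundle_id, managed) pair of an inventory to its SSO mode."""
    return {bundle_id: sso_mode(config, bundle_id, managed) for bundle_id, managed in apps}


# Constructed device inventory: (bundle ID, MDM-managed?).
DEVICE_APPS = [
    ("com.contoso.workapp", True),
    ("com.contoso.studyapp", True),
    ("com.contoso.travelapp", True),
    ("com.fabrikam.myapp2", False),
    ("com.apple.mobilesafari", False),
]

# The three scenarios from the page, expressed as ExtensionData.
SCENARIOS = {
    "most managed apps": {
        "Enable_SSO_On_All_ManagedApps": 1,
        "AppBlockList": "com.contoso.studyapp",
    },
    "all managed apps, no Safari": {
        "Enable_SSO_On_All_ManagedApps": 1,
        "AppBlockList": "com.apple.mobilesafari, com.apple.SafariViewService",
    },
    "managed plus some unmanaged": {
        "Enable_SSO_On_All_ManagedApps": 1,
        "AppAllowList": "com.fabrikam.myapp2",
        "AppBlockList": "com.contoso.studyapp, com.contoso.travelapp",
    },
}

if __name__ == "__main__":
    for name, config in SCENARIOS.items():
        print(name, report(config, DEVICE_APPS))
```

The last case worth checking by hand is the cookie list: with AppPrefixAllowList set to com.contoso. and AppCookieSSOAllowList set to com.contoso.myapp1, that app reports cookie-sso while its siblings report plain sso; with the prefix list omitted the same app reports none, which is the failure the "Other requirements" sentence above warns about.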
Find app bundle identifiers on iOS devices

Apple provides no easy way to get bundle IDs from the App Store. The easiest way to get the bundle IDs of the apps you want to use for SSO is to ask your vendor or app developer. If that option isn't available, you can use your MDM configuration to find the bundle IDs:

  1. Temporarily enable the following flag in your MDM configuration:

    • Key: admin_debug_mode_enabled
    • Type: Integer
    • Value: 1 or 0
  2. When this flag is on, sign in to iOS apps on the device for which you want to know the bundle ID.

  3. In the Authenticator app, select Help > Send logs > View logs.

  4. In the log file, look for the following line: [ADMIN MODE] SSO extension has captured following app bundle identifiers. This line should capture all application bundle IDs that are visible to the SSO extension.

Use the bundle IDs to configure SSO for the apps.
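The step above hands you a log file and a marker line to search for. The following Python is an added example, not Microsoft's code: it scans Authenticator log text for that marker line, collects the bundle IDs reported after it, and turns them into an AppAllowList value with Safari left out (Safari already gets SSO by default). The marker text is the one the page quotes; the format of what follows it on the line (a separator, then a comma-separated list) is an assumption, and the sample log lines are constructed for the example.

```python
"""Extract app bundle IDs from Authenticator admin-mode logs.

Added example, not Microsoft's code. The marker text is from the page; the
layout of the list that follows it is assumed, and SAMPLE_LOG is constructed.
"""
import re

MARKER = "[ADMIN MODE] SSO extension has captured following app bundle identifiers"

# Reverse-DNS bundle identifier: at least two dot-separated labels.
BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Safari and Safari View Service participate in SSO by default, so they need no allow entry.
SAFARI_BUNDLE_IDS = ("com.apple.mobilesafari", "com.apple.SafariViewService", "com.apple.Safari")

# Constructed sample log (timestamps and list layout are assumptions of this example).
SAMPLE_LOG = """\
2021-11-26 10:15:02.123 [INFO] Authenticator started
2021-11-26 10:15:40.877 [ADMIN MODE] SSO extension has captured following app bundle identifiers: com.contoso.workapp, com.apple.mobilesafari
2021-11-26 10:16:12.004 [ADMIN MODE] SSO extension has captured following app bundle identifiers: com.fabrikam.myapp2, com.contoso.workapp
2021-11-26 10:17:00.000 [INFO] token refreshed
"""


def captured_bundle_ids(log_text):
    """Return the sorted, de-duplicated bundle IDs reported on MARKER lines."""
    found = set()
    for line in log_text.splitlines():
        marker_at = line.find(MARKER)
        if marker_at < 0:
            continue
        # Only the text after the marker is examined, so timestamps such as
        # "10:15:40.877" earlier on the line are never mistaken for bundle IDs.
        tail = line[marker_at + len(MARKER):].lstrip(" :.")
        for token in tail.split(","):
            token = token.strip().strip("[]")
            if BUNDLE_ID.match(token):
                found.add(token)
    return sorted(found)


def allow_list_value(bundle_ids, exclude=SAFARI_BUNDLE_IDS):
    """Build an AppAllowList value from bundle IDs, leaving out the Safari defaults."""
    return ", ".join(b for b in bundle_ids if b not in exclude)


if __name__ == "__main__":
    ids = captured_bundle_ids(SAMPLE_LOG)
    print("captured:", ids)
    print("AppAllowList:", allow_list_value(ids))
```

Remember to set admin_debug_mode_enabled back to 0 once the IDs are collected; the page describes the flag as temporary.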

Allow users to sign in from unknown applications and the Safari browser

By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when a user has signed in from an app that uses a Microsoft identity platform library like MSAL or Azure Active Directory Authentication Library (ADAL). The Microsoft Enterprise SSO plug-in can also acquire a shared credential when it's called by another app that uses a Microsoft identity platform library during a new token acquisition.

When you enable the browser_sso_interaction_enabled flag, apps that don't use a Microsoft identity platform library can do the initial bootstrapping and get a shared credential. The Safari browser can also do the initial bootstrapping and get a shared credential.

If the Microsoft Enterprise SSO plug-in doesn't have a shared credential yet, it will try to get one whenever a sign-in is requested from an Azure AD URL inside the Safari browser, ASWebAuthenticationSession, SafariViewController, or another permitted native application.

Use these parameters to enable the flag:

  • Key: browser_sso_interaction_enabled
  • Type: Integer
  • Value: 1 or 0

macOS requires this setting so it can provide a consistent experience across all apps. iOS and iPadOS don't require this setting because most apps use the Authenticator application for sign-in. But we recommend that you enable this setting because if some of your applications don't use the Authenticator app on iOS or iPadOS, this flag will improve the experience. The setting is disabled by default.

Disable asking for MFA during initial bootstrapping

By default, the Microsoft Enterprise SSO plug-in always prompts the user for MFA during the initial bootstrapping and while getting a shared credential. The user is prompted for MFA even if it's not required for the application that the user has opened. This behavior allows the shared credential to be easily used across all other applications without the need to prompt the user if MFA is required later. Because the user gets fewer prompts overall, this setup is generally a good decision.

Enabling browser_sso_disable_mfa turns off MFA during initial bootstrapping and while getting the shared credential. In this case, the user is prompted only when MFA is required by an application or resource.

To enable the flag, use these parameters:

  • Key: browser_sso_disable_mfa
  • Type: Integer
  • Value: 1 or 0

We recommend keeping this flag disabled, because the default behavior reduces the number of times the user is prompted to sign in. If your organization rarely uses MFA, you might want to enable the flag. But we recommend that you use MFA more frequently instead. For this reason, the flag is disabled by default.

Disable OAuth 2 application prompts

The Microsoft Enterprise SSO plug-in provides SSO by appending shared credentials to network requests that come from allowed applications. However, some OAuth 2 applications might incorrectly enforce end-user prompts at the protocol layer. If you see this problem, you'll also see that shared credentials are ignored for those apps. Your user is prompted to sign in even though the Microsoft Enterprise SSO plug-in works for other applications.

Enabling the disable_explicit_app_prompt flag restricts the ability of both native applications and web applications to force an end-user prompt on the protocol layer and bypass SSO. To enable the flag, use these parameters:

  • Key: disable_explicit_app_prompt
  • Type: Integer
  • Value: 1 or 0

We recommend enabling this flag to get a consistent experience across all apps. It's disabled by default.

Use Intune for simplified configuration

You can use Intune as your MDM service to ease configuration of the Microsoft Enterprise SSO plug-in. For example, you can use Intune to enable the plug-in and add old apps to an allowlist so they get SSO.

For more information, see the Intune configuration documentation.

Use the SSO plug-in in your application

MSAL for Apple devices versions 1.1.0 and later supports the Microsoft Enterprise SSO plug-in for Apple devices. It's the recommended way to add support for the Microsoft Enterprise SSO plug-in. It ensures you get the full capabilities of the Microsoft identity platform.

If you're building an application for frontline-worker scenarios, see Shared device mode for iOS devices for setup information.

Understand how the SSO plug-in works

The Microsoft Enterprise SSO plug-in relies on the Apple Enterprise SSO framework. Identity providers that join the framework can intercept network traffic for their domains and enhance or change how those requests are handled. For example, the SSO plug-in can show more UIs to collect end-user credentials securely, require MFA, or silently provide tokens to the application.

Native applications can also implement custom operations and communicate directly with the SSO plug-in. For more information, see this 2019 Worldwide Developer Conference video from Apple.

Applications that use MSAL

MSAL for Apple devices versions 1.1.0 and later supports the Microsoft Enterprise SSO plug-in for Apple devices natively for work and school accounts.

You don't need any special configuration if you followed all recommended steps and used the default redirect URI format. On devices that have the SSO plug-in, MSAL automatically invokes it for all interactive and silent token requests. It also invokes it for account enumeration and account removal operations. Because MSAL implements a native SSO plug-in protocol that relies on custom operations, this setup provides the smoothest native experience to the end user.

If the SSO plug-in isn't enabled by MDM but the Microsoft Authenticator app is present on the device, MSAL instead uses the Authenticator app for any interactive token requests. The SSO plug-in shares SSO with the Authenticator app.

Applications that don't use MSAL

Applications that don't use a Microsoft identity platform library, like MSAL, can still get SSO if an administrator adds these applications to the allowlist.

You don't need to change the code in those apps as long as the following conditions are satisfied:

  • The application uses Apple frameworks to run network requests. These frameworks include WKWebView and NSURLSession, for example.
  • The application uses standard protocols to communicate with Azure AD. These protocols include, for example, OAuth 2, SAML, and WS-Federation.
  • The application doesn't collect plaintext usernames and passwords in the native UI.

In this case, SSO is provided when the application creates a network request and opens a web browser to sign the user in. When a user is redirected to an Azure AD sign-in URL, the SSO plug-in validates the URL and checks for an SSO credential for that URL. If it finds the credential, the SSO plug-in passes it to Azure AD, which authorizes the application to complete the network request without asking the user to enter credentials. Additionally, if the device is known to Azure AD, the SSO plug-in passes the device certificate to satisfy the device-based conditional access check.

To support SSO for non-MSAL apps, the SSO plug-in implements a protocol similar to the Windows browser plug-in described in What is a primary refresh token?.

Compared to MSAL-based apps, the SSO plug-in acts more transparently for non-MSAL apps. It integrates with the existing browser sign-in experience that apps provide.

The end user sees the familiar experience and doesn't have to sign in again in each application. For example, instead of displaying the native account picker, the SSO plug-in adds SSO sessions to the web-based account picker experience.

Next steps

Learn about Shared device mode for iOS devices.

Comments are closed.