
Enabling SSO for Chrome using Intune (macOS)

  • Writer: Gareth Oxendine
  • Jul 23, 2024
  • 5 min read

Updated: May 15

Introduction

Chrome is currently the most popular browser, so end users expect a seamless single sign-on (SSO) experience in it. For users to get SSO while using Chrome, you can use Intune to deploy and configure the following two things:

  • The Microsoft Enterprise SSO App Extension

  • The Chrome Microsoft SSO Browser Extension


Today, we'll review how to use Intune to enable SSO for Chrome with Entra ID as the IDP. Let's begin!


A Description of the Components Involved

As mentioned in the introduction, two components are needed for SSO to work with Google Chrome. What exactly are these two components? See a brief description of both below:


The Microsoft Enterprise SSO App Extension

First, let's review what an app extension is. Apple allows applications to extend their functionality and data outside of themselves by providing the app extension framework. Simply put, the framework enables applications to offer their content and services to other apps. The Authentication Services app extension framework enables an application to provide its redirect SSO or credential SSO services so the user doesn't have to enter the same credentials multiple times.


Microsoft created an app extension for their Enterprise SSO plugin for the purpose of SSO. When the Company Portal application is installed on a device, the enterprise SSO plugin is also installed. Here is how it works:

  • Microsoft uses Apple's authentication services app extension framework to redirect applications' or websites' login requests to the Microsoft Enterprise SSO plugin (installed when you install the Company Portal app).

  • The Microsoft Enterprise SSO plugin will then facilitate the login process with the IDP and send back the response and tokens.


To summarize, the Microsoft Enterprise SSO plug-in is installed when the Intune Company Portal application is installed. By having the plugin installed on a macOS device, you can now deploy and configure the SSO app extension (the plugin's app extension that facilitates the login process for other apps and websites, providing an SSO experience for the user).


The Chrome Microsoft SSO Browser Extension

Microsoft created a browser extension for Chrome to help facilitate SSO. You can find and install this extension in the Google Chrome Web Store.



Deployment Process


Part 1: Prerequisites

Before SSO will work in Chrome, ensure that the following requirements are met:

  • Devices are running macOS 10.15 or newer.

  • Devices have the Intune Company Portal app installed.

  • Devices are enrolled in Intune.



Part 2: Deploy the Chrome SSO Browser Extension

Microsoft provides an SSO browser extension in the Chrome Web Store; we'll need to deploy it to the macOS devices in your environment. One option is to create a custom PLIST file for Chrome and deploy it using an Intune configuration profile. Below are the steps, but if you'd like to learn more about deploying PLIST files to macOS devices, check out the article below:


Step A

Copy the XML code below and paste it into a program like Xcode, TextEdit, or Visual Studio Code. Save the file with either a .plist or .xml file extension; it does not matter which one you choose.

Step B

Deploy the PLIST file using an Intune configuration profile. See the steps below:

Creating a macOS Preference File using a Configuration Profile template.

  • Launch the Intune portal.

  • Select Devices in the left-hand menu blade.

  • Select macOS > Configuration (expand Manage Devices)

  • Select + Create > + New Policy

    • Platform: macOS

    • Profile type: Templates > Preference file

  • Select Create.


Adding the preference domain name and uploading the PLIST file to the preference file configuration profile using Intune.

  • Preference Domain Name: com.google.Chrome

  • Property List File: select the folder icon to search for and upload the plist/xml file you copied and saved earlier.

Once done, select Next, choose the device assignment, and create the configuration profile.

IMPORTANT:

Even though your devices successfully receive the configuration profile, they may need to restart before seeing the changes.
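The preference file itself is the part of Part 2 that has to be written by hand. The script below is an added example (not the plist from this post): it generates a com.google.Chrome preference file that force-installs a Chrome Web Store extension through Chrome's ExtensionInstallForcelist policy key (entry format "extension_id;update_url", with the standard Chrome Web Store update URL), then sanity-checks the file before you upload it to Intune. The extension ID is a placeholder; replace it with the ID shown in the Chrome Web Store URL of the Microsoft Single Sign On extension.

```shell
#!/bin/bash
# Added example, not the blog post's own plist.
# Writes a com.google.Chrome preference file that force-installs a Chrome Web
# Store extension via Chrome's ExtensionInstallForcelist policy, then checks it.
# REPLACE_WITH_EXTENSION_ID is a PLACEHOLDER: use the ID from the Chrome Web
# Store URL of the "Microsoft Single Sign On" extension.
set -eu

# Update URL that every Chrome Web Store force-install entry points at.
CWS_UPDATE_URL="https://clients2.google.com/service/update2/crx"

# write_chrome_sso_plist OUTPUT_PATH EXTENSION_ID
# Writes the file you upload under preference domain com.google.Chrome.
write_chrome_sso_plist() {
  out="$1"
  ext_id="$2"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>${ext_id};${CWS_UPDATE_URL}</string>
    </array>
</dict>
</plist>
EOF
}

# check_chrome_sso_plist PATH EXTENSION_ID
# Returns 0 when PATH contains a force-install entry for EXTENSION_ID using the
# Chrome Web Store update URL, 1 otherwise. On macOS it also runs plutil's
# syntax check so a malformed file is caught before it reaches Intune.
check_chrome_sso_plist() {
  file="$1"
  ext_id="$2"
  [ -f "$file" ] || return 1
  if command -v plutil >/dev/null 2>&1; then
    plutil -lint "$file" >/dev/null || return 1
  fi
  grep -q "<key>ExtensionInstallForcelist</key>" "$file" || return 1
  grep -q "<string>${ext_id};${CWS_UPDATE_URL}</string>" "$file" || return 1
  return 0
}

# Stand-alone usage: ./make_plist.sh --write  (hypothetical script name)
if [ "${1:-}" = "--write" ]; then
  write_chrome_sso_plist "./com.google.Chrome.plist" "REPLACE_WITH_EXTENSION_ID"
  check_chrome_sso_plist "./com.google.Chrome.plist" "REPLACE_WITH_EXTENSION_ID" && echo "plist OK"
fi
```

Because the policy lives in the managed preference domain, end users cannot remove the extension from chrome://extensions, which is the behaviour you want for an SSO component; the check function is there so a typo in the ID or a broken XML file is noticed before the profile is assigned to devices.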


Part 3: Deploy the Company Portal App

I know this was listed as a prerequisite, but now would be a good time to double-check that all of your targeted macOS devices have the Intune Company Portal App installed. Click here to download the latest version.



Part 4: Create the Enterprise SSO App Extension Configuration Profile

There are two options when creating the configuration profile to configure and activate Microsoft's enterprise SSO app extension. See the options below:

  1. Option 1: Deploy a Standalone Configuration Profile

    1. Use this option if you don't want or need to also deploy platform SSO to your devices.

    2. Click here to view Microsoft's step-by-step guide on creating and deploying this profile.

  2. Option 2: Deploy with the Platform SSO Configuration Profile

    1. Platform SSO allows you to sync a macOS device's local login password with a user's Entra ID credential. The Intune configuration profile for Platform SSO also includes the settings that configure and activate the enterprise SSO app extension.

    2. To learn more about Platform SSO and how to configure and deploy it, view the following article: Deploying Platform SSO using Intune.



Part 5: End Result (Testing)

Once Parts 1-4 are completed and a device has successfully received the configurations, SSO should be activated for all supporting applications (especially Chrome) and websites. To test, a user should be able to navigate to https://portal.office.com and not have to sign in. If this is not the case, see the troubleshooting section below.



Troubleshooting

If you have done all of the steps above and Chrome still does not allow SSO (e.g. the user is asked to provide credentials to Office), then most likely the Company Portal application is missing a needed JSON file. View the potential solutions below:


  1. Option 1: Uninstall/Reinstall the Company Portal Application

    1. Uninstall the application from the user's device.

    2. Click here to download the latest version of the Intune Company Portal App.

    3. Reinstall the app.

    4. Check the following file path to see if the JSON file exists: ~/Library/Application\ Support/Google/Chrome/NativeMessagingHosts/com.microsoft.browsercore.json

  2. Option 2: Deploy a Script that Copies the JSON File

    1. Rather than uninstalling and reinstalling the application, you can copy the JSON file to the appropriate location.

    2. You can run the script below interactively on the device or use Intune to deploy it. For a refresher on deploying bash scripts using Intune, view the article below: Deploying and Troubleshooting Bash or SH Scripts using Intune (macOS)
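The script referenced in Option 2 is not reproduced here, so the following is an added example rather than the author's script. It checks the per-user path given above for com.microsoft.browsercore.json and copies a known-good copy of that native messaging host manifest into place when it is missing. The source path is a placeholder you must point at a manifest taken from a working Company Portal install; the script refuses a source whose "name" field does not match the file name, since Chrome ignores a native messaging host manifest whose name and file name disagree.

```shell
#!/bin/bash
# Added example, not the blog post's own script.
# Ensures Chrome's native messaging host manifest for the Microsoft SSO
# extension exists in a user's profile, copying it from a known-good source
# when it is missing. NATIVE_HOST_SRC is a PLACEHOLDER: set it to a
# com.microsoft.browsercore.json exported from a working Company Portal install.
set -eu

MANIFEST_NAME="com.microsoft.browsercore.json"
NATIVE_HOST_SRC="${NATIVE_HOST_SRC:-/path/to/known-good/com.microsoft.browsercore.json}"

# manifest_path HOME_DIR -> prints the per-user destination path from the post.
manifest_path() {
  printf '%s/Library/Application Support/Google/Chrome/NativeMessagingHosts/%s\n' "$1" "$MANIFEST_NAME"
}

# ensure_sso_manifest HOME_DIR SRC
# Prints "present", "copied", "missing-source" or "bad-source".
# Returns 0 for the first two and 1 otherwise.
ensure_sso_manifest() {
  home="$1"
  src="$2"
  dest="$(manifest_path "$home")"
  if [ -f "$dest" ]; then
    echo "present"
    return 0
  fi
  if [ ! -f "$src" ]; then
    echo "missing-source"
    return 1
  fi
  # Chrome only loads a host whose "name" matches the manifest file name.
  if ! grep -q '"com.microsoft.browsercore"' "$src"; then
    echo "bad-source"
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  chmod 644 "$dest"
  # Hand the file to the profile owner so Chrome, running as that user, can read it.
  owner="$(ls -ld "$home" | awk '{print $3}')"
  chown "$owner" "$dest" 2>/dev/null || true
  echo "copied"
  return 0
}

# Stand-alone usage: run with --all-users as root (Intune runs scripts as root)
# to repair every local user profile on the Mac.
if [ "${1:-}" = "--all-users" ]; then
  for h in /Users/*; do
    [ -d "$h/Library" ] || continue
    printf '%s: ' "$h"
    ensure_sso_manifest "$h" "$NATIVE_HOST_SRC" || true
  done
fi
```

Running it a second time reports "present" for every profile, so it is safe to assign as a recurring Intune script; a "bad-source" or "missing-source" result tells you the problem is the manifest you supplied, not the device.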


© 2024 by DMTT. Powered and secured by Wix