
Configuring Google Chrome on macOS for Platform Single Sign-On

Intune macOS Configuration Custom Profiles Security Conditional Access Platform SSO
Author
Nick Benton
Principal Cloud Endpoint Consultant | Intune Blogger

So it’s finally here: after all the coming soon announcements and the promise that we can use Entra ID authentication methods on macOS devices, we now have Platform SSO at our disposal in Microsoft Intune, at least in Public Preview.

I’m not going to deep dive into configuring Platform SSO as I’ll assume you’ve either already had a go yourself, or found someone else who has, as honestly it’s now a massive selling point of moving macOS devices into Microsoft Intune away from other MDM solutions.

Now that we can use an Entra ID account for SSO on the macOS device itself, what about our good friend the web browser, and in particular Google Chrome?

Browser Support

If like me you’ve been patiently waiting for Platform SSO to appear, you’ve probably already looked at the pre-requisites for configuration, so let’s just assume you’ve done these already, or you’re at least aware of them, and if you haven’t sorted them, crack on and sort yourself out.

The bit we’re interested in is the supported browsers, and shock, both Microsoft Edge and Safari are supported out the box already (ish). Google Chrome however needs a little more convincing, as it does on Windows, to work with Single Sign On configurations.

Platform SSO requires you install and enable the Windows Accounts extension. You can add the app to Intune, and assign it to the devices that use Google Chrome.

That last line is interesting though Microsoft, as deploying Google Chrome extensions isn’t as easy as click click next OK.

Luckily though, Microsoft have provided links to setting up Google Chrome on macOS and how to configure the forced installation of extensions which we’ll be utilising to make Google Chrome and Platform SSO play nicely.

Configuring this extension will not only improve the users’ sign-in experience, but also allow for the use of Conditional Access Policies when using Google Chrome:

macOS devices using the Enterprise SSO plugin require the Microsoft Single Sign On extension to support SSO and device-based Conditional Access in Google Chrome.

Platform SSO Configuration

Yes, I did say I wasn’t going to dig into the Platform SSO configuration, but without actually configuring it we’re not going to be able to utilise the authentication method in Google Chrome, so if you cba following the Microsoft Learn article, have a look at the settings below, and the exported JSON which you can import into your own Microsoft Intune tenant if you’re productive with your time.

| Category | Setting | Value |
|---|---|---|
| Authentication | Authentication Method (Deprecated) | UserSecureEnclaveKey |
| Authentication | Screen Locked Behavior | Do Not Handle |
| Authentication | Registration Token | {{DEVICEREGISTRATION}} |
| Authentication | Team Identifier | UBF8T346G9 |
| Authentication | Extension Identifier | com.microsoft.CompanyPortalMac.ssoextension |
| Authentication | Type | Redirect |
| Authentication | URLs | https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login-us.microsoftonline.com, https://login.microsoftonline.us |
| Authentication > Platform SSO | Account Display Name | MEM v ENNBEE Account |
| Authentication > Platform SSO | Authentication Method | UserSecureEnclaveKey |
| Authentication > Platform SSO | Enable Authorization | Enabled |
| Authentication > Platform SSO | Enable Create User At Login | Enabled |
| Authentication > Platform SSO | Login Frequency | 64800 |
| Authentication > Platform SSO | New User Authorization Mode | Standard |
| Authentication > Platform SSO | Use Shared Device Keys | Enabled |
| Authentication > Platform SSO | User Authorization Mode | Standard |

This settings catalog profile is configured to use UserSecureEnclaveKey for Passwordless authentication, but feel free to amend any other settings in the Microsoft Learn article as you see fit.

Assign this to a group of test devices (yes, I do actually test things) and you should get the glorious device registration and sign-in experience with Entra ID credentials we’ve all been after.

If you encounter issues with the Entra Join and registration, have a look at the troubleshooting guide for Platform SSO, specifically the Entra Join permissions.

Google Chrome Deployment

With the Platform SSO configuration setup and deployed, we can now focus our attention on how we manage Google Chrome on macOS devices, including delivering the app, as well as configuring it to support the required Microsoft Single Sign On extension.

I shouldn’t be teaching you all to suck eggs, but for completeness’ sake, we should probably go through deploying Google Chrome to your Microsoft Intune enrolled macOS devices, and we’ve got a couple of ways to do this, depending on whether you want to force install it on your end user devices, or allow the app to be installed by the user.

Required App Deployment

If you just want to get the latest version of Google Chrome out to all assigned devices, then the easiest approach is to use a Shell Script, in particular the one in the shell-intune-samples GitHub repository, which will run on a device, go and get the latest Google Chrome download, and install it.

| Setting | Value |
|---|---|
| Upload Script | installGoogleChrome.zsh |
| Run script as signed-in user | No |
| Hide script notifications on devices | Not configured |
| Script frequency | Not configured |
| Max number of times to retry if script fails | 3 times |

Shell Script for deploying Google Chrome to macOS devices in Microsoft Intune.

After your assigned group of test devices check in to Microsoft Intune and the script runs successfully, your devices should download and install Google Chrome.

If you want to see progress or errors with the script, the script log file is located in /Library/Logs/Microsoft/IntuneScripts/GoogleChrome on the targeted macOS device.

Available App Deployment

If you want to make the app available to your end users via the Company Portal, and who doesn’t love self-service, then go ahead and download the pkg installer.

As we’re looking to make the app available, our only option in Microsoft Intune is to upload the file as a Line-of-business app, as pkg apps, although great for pre- and post-deployment scripts, don’t give the option of making apps available in the Company Portal.

| Setting | Value |
|---|---|
| Select file | GoogleChrome.pkg |
| Name | Google Chrome |
| Description | Chrome is the official web browser from Google, built to be fast, secure and customisable. Download now and make it yours |
| Publisher | Google |
| Minimum operating system | Catalina 10.15 |
| Ignore app version | Yes |
| Install as managed | No |
| Included apps | com.google.Chrome 124.0.6367.119 |
| Publisher | Google |

Line-of-business app for deploying Google Chrome to macOS devices in Microsoft Intune.

Deploying this app to a group of users will allow your end users to select the option to install Google Chrome on their macOS device from the Company Portal:

Google Chrome in the Company Portal available apps.

With two of the many potential methods to install Google Chrome now sorted, on to what we’re here for: the single sign-on configuration.

Google Chrome Configuration

Google, being quite a large enterprise, realise that you might want to actually configure Google Chrome on your devices, and give you examples of property list files for configuring the app on macOS devices as part of their Chrome Browser bundle, but we’re looking for specific settings today, around the requirement to force install a specific extension to support Platform SSO.

Custom Configuration Profiles

Using the examples provided by Google, we have a basis to create our custom mobileconfig file, which when complete, can be uploaded to Microsoft Intune and deployed to our macOS devices.

As we’re focusing solely on the forced installation of the Microsoft Single Sign On extension, we can strip out everything else from the example, and can update the configuration file to install the extension we want.

We need to update the settings under the installation_mode key, setting the string value to force_installed. This, in conjunction with the ID of the extension we want to force install, ppnbnpeolgkicgegkbkbjmhlideopiji (which we can get from the extension URL itself), allows us to configure a custom profile for Google Chrome to ensure that the extension that unlocks all the Platform SSO goodness is deployed to devices with Google Chrome installed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>com.google.Chrome</key>
          <dict>
            <key>Forced</key>
            <array>
              <dict>
                <key>mcx_preference_settings</key>
                <dict>
                  <key>ExtensionSettings</key>
                  <dict>
                    <key>ppnbnpeolgkicgegkbkbjmhlideopiji</key>
                    <dict>
                      <key>installation_mode</key>
                      <string>force_installed</string>
                      <key>update_url</key>
                      <string>https://clients2.google.com/service/update2/crx</string>
                    </dict>
                  </dict>
                </dict>
              </dict>
            </array>
          </dict>
        </dict>
        <key>PayloadDisplayName</key>
        <string>Google Chrome Platform SSO Extension Settings</string>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadIdentifier</key>
        <string>com.google.Chrome.extensions.platformsso</string>
        <key>PayloadType</key>
        <string>com.apple.ManagedClient.preferences</string>
        <key>PayloadUUID</key>
        <string>0f644bb2-a1e0-4a90-a093-934f32e126de</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Google Chrome Configuration</string>
    <key>PayloadDisplayName</key>
    <string>Google Chrome Configuration</string>
    <key>PayloadIdentifier</key>
    <string>com.google.Chrome</string>
    <key>PayloadOrganization</key>
    <string>MEM v ENNBEE</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>a01d7a80-6db0-4392-a8a9-989147fb2aa1</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
  </dict>
</plist>

The other settings in the profile ensure that the profile is installed in the system context and cannot be removed by an end user.

The PayloadUUID keys should be unique to your environment, so go ahead and generate new ones for your own profile.
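As an added example (not the author’s file or Google’s), here’s a Python script that builds the same two-level profile structure with freshly generated PayloadUUIDs, and then parses a mobileconfig back to confirm which Chrome extension IDs it will actually force install in a System-scoped, non-removable profile, a useful check before uploading to Intune. The organisation name is a placeholder; the extension ID is the one quoted above.

```python
import plistlib
import uuid

# Assumptions: the extension ID is the one quoted in the post; the org name is a placeholder.
EXTENSION_ID = "ppnbnpeolgkicgegkbkbjmhlideopiji"  # Microsoft Single Sign On extension
UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def build_profile(extension_id=EXTENSION_ID, org="Example Org"):
    """Same two-level structure as the post's mobileconfig, with fresh PayloadUUIDs."""
    settings = {extension_id: {"installation_mode": "force_installed", "update_url": UPDATE_URL}}
    chrome_payload = {
        "PayloadContent": {"com.google.Chrome": {"Forced": [
            {"mcx_preference_settings": {"ExtensionSettings": settings}}]}},
        "PayloadDisplayName": "Google Chrome Platform SSO Extension Settings",
        "PayloadEnabled": True,
        "PayloadIdentifier": "com.google.Chrome.extensions.platformsso",
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
    }
    return {
        "PayloadContent": [chrome_payload],
        "PayloadDescription": "Google Chrome Configuration",
        "PayloadDisplayName": "Google Chrome Configuration",
        "PayloadIdentifier": "com.google.Chrome",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # end user cannot remove the profile
        "PayloadScope": "System",          # so deploy it on the Device channel
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
    }

def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist, as the Intune Custom template expects

def forced_extensions(mobileconfig_bytes):
    """Extension IDs force-installed by a .mobileconfig; empty unless System-scoped and non-removable."""
    root = plistlib.loads(mobileconfig_bytes)
    if root.get("PayloadScope") != "System" or not root.get("PayloadRemovalDisallowed"):
        return set()
    found = set()
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        chrome = payload.get("PayloadContent", {}).get("com.google.Chrome", {})
        for entry in chrome.get("Forced", []):
            ext = entry.get("mcx_preference_settings", {}).get("ExtensionSettings", {})
            found.update(i for i, c in ext.items() if c.get("installation_mode") == "force_installed")
    return found
```

Running forced_extensions over a profile exported from another tenant is a quick way to confirm it enforces the extension rather than merely recommending it.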

Custom Template

Now armed with our saved mobileconfig profile, we can create a new macOS Configuration Profile using the Template profile type and selecting Custom. After giving the profile a name aligned to your naming convention, we can then complete the remaining sections of the profile, uploading the mobileconfig profile we saved previously:

| Setting | Value |
|---|---|
| Custom configuration profile name | Google Chrome Platform SSO Profile |
| Deployment channel | Device channel |
| Configuration profile file | GoogleChromepSSO.mobileconfig |

Custom Profile in Microsoft Intune for macOS.

Give the configuration profile a suitable name, I’ve gone with Google Chrome Platform SSO Profile, as really you’re only going to see this on the device itself under the Profile section of System Preferences.

As the custom profile sets the PayloadScope as System our Deployment channel should be set to Device channel.

We should probably assign this profile to our test devices, so go ahead and do that, and after a while we should get some greens:

Custom Profile Report in Microsoft Intune for macOS.

Checking on the assigned macOS 14 test device itself under System Preferences > Privacy & Security > Profiles we can see the profile has installed correctly:

The profile installed under System Preferences.

One last thing to look at, and that’s the extensions in Google Chrome itself:

Google Chrome installed extensions.

The extension is installed, and the user is unable to disable or remove it, as why would we want them to?

So what does SSO look like on Google Chrome with Secure Enclave key authentication? Well it’s the same process as with Microsoft Edge and Safari:

  • A user opens the browser and accesses a Microsoft Entra authenticated service such as outlook.office.com.
  • If there is a valid token for the user, the user is not prompted to sign in to the service; otherwise re-authentication with TouchID is required before access.
  • Subsequent login prompts to Microsoft Entra authenticated services like teams.microsoft.com are now automatically passed through using SSO.

All that to make browser sign-ins a little easier and to allow for the use of Conditional Access Policies 😅.

If you encounter issues with Google Chrome SSO, please refer to the Microsoft Learn documentation.

Summary

Platform SSO on macOS in Microsoft Intune is a big thing; it’s likely the last hurdle or excuse people were using to stay away from using a Microsoft product to manage an Apple device.

If you’re already in bed with Microsoft and associated services, then something as trivial as where your precious Apple devices are managed shouldn’t be stopping you from jumping two footed straight into enrolling your macOS devices into Microsoft Intune, especially now that you can use Entra ID authentication across them.

On top of this, we can now configure the most used browsers on a macOS device to leverage and make use of Platform SSO, to stop users from being bogged down with sign-in prompts that their colleagues on low-spec Windows laptops don’t have to deal with.

It’s a win win in my books.
