MICROSOFT 365 SSO ON IOS AND IPADOS


A common business challenge is to simplify employees' lives by adopting one or more Single Sign On solutions.

What is Single Sign On (SSO)?

Single Sign On is a solution that lets users authenticate with a single account across all of the company's services and software tools. The employee needs to know only one username and one password to log in to email, the ERP or the wifi network. Because that one credential then unlocks everything, it must be protected with multi-factor authentication; in the setup described here the Microsoft Authenticator app provides it.

Many companies use Office 365, Microsoft 365 or Azure and want to extend SSO to their whole mobile device fleet.

Thanks to an MDM such as Ermetix UEM, administrators can manage Microsoft SSO from enrollment through to the user environment.

Zero-touch Enrollment and Managed Apple ID

Thanks to Apple Business Manager or Apple School Manager, devices can be configured in moments. Once the Apple portal is connected to Ermetix UEM, a device only needs to be switched on: it automatically receives all of its configuration over the air.

The admin has to enable Azure federation in Apple Business Manager. Federation requires the domain to be verified in Apple Business Manager and registered in Azure AD. As a result, users can use their Azure AD usernames (User Principal Names) and passwords as Managed Apple IDs.

Apple Business Manager with Azure federated authentication

MDM Configuration

Ermetix UEM can be integrated with Azure from Ermetix Admin, so users can authenticate with their Microsoft account to authorize the Remote Management step of Setup Assistant.

The admin has to create a rule in Ermetix Admin that assigns and automatically installs the Microsoft apps using VPP (Apps and Books) licensing.

Note: It is very important that the Microsoft Authenticator app is installed, because it provides the SSO extension that handles the SSO flow.

Example of rule that auto installs Microsoft apps

Another thing to do in Ermetix Admin is to create a configuration profile containing the Extensible SSO payload, which is supported from iOS 13 and iPadOS 13 onward. This payload can only be delivered by the MDM; a profile installed manually by the user cannot carry it.

Additional information about this configuration is available at this link.

Extensible SSO payload set for Microsoft
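As an added example (not Ermetix's own code or template), the script below builds the Extensible SSO payload for Microsoft as a .mobileconfig with Python's plistlib and then checks the result the way a reviewer would before importing it into the MDM. The extension identifier, team identifier, login URLs and the two ExtensionData keys are the values Microsoft documents for the Authenticator SSO extension; the PayloadIdentifier prefix `com.example.mdm`, the display names and the UUIDs are assumptions and should be replaced with your own.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Values Microsoft documents for the Authenticator SSO extension.
MS_SSO_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
MS_SSO_TEAM_ID = "UBF8T346G9"
MS_SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]

# Hypothetical organisation prefix for PayloadIdentifier values; replace it.
ORG_PREFIX = "com.example.mdm"


def build_extensible_sso_profile(profile_uuid=None, payload_uuid=None):
    """Return the configuration profile as a dict ready to be serialised."""
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    payload_uuid = payload_uuid or str(uuid.uuid4()).upper()
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.sso.microsoft",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "Microsoft 365 Extensible SSO",
        # Redirect type: the Authenticator extension intercepts requests to URLs below.
        "Type": "Redirect",
        "ExtensionIdentifier": MS_SSO_EXTENSION_ID,
        "TeamIdentifier": MS_SSO_TEAM_ID,
        "URLs": list(MS_SSO_URLS),
        # Extension-specific options documented by Microsoft; 1 means enabled.
        "ExtensionData": {
            "browser_sso_interaction_enabled": 1,
            "disable_explicit_app_prompt": 1,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.sso.microsoft.profile",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": "Microsoft 365 SSO (Ermetix UEM)",
        "PayloadContent": [sso_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile to XML plist bytes (the .mobileconfig format)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_sso_profile(mobileconfig_bytes):
    """Return a list of problems; an empty list means the payload looks correct."""
    problems = []
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(payloads) != 1:
        return [f"expected one com.apple.extensiblesso payload, found {len(payloads)}"]
    p = payloads[0]
    if p.get("Type") != "Redirect":
        problems.append(f"Type must be Redirect for Microsoft, got {p.get('Type')!r}")
    if p.get("ExtensionIdentifier") != MS_SSO_EXTENSION_ID:
        problems.append("ExtensionIdentifier is not the Microsoft Authenticator extension")
    if p.get("TeamIdentifier") != MS_SSO_TEAM_ID:
        problems.append("TeamIdentifier does not match Microsoft's team identifier")
    urls = p.get("URLs", [])
    for url in urls:
        parts = urlsplit(url)
        # An http:// prefix would hand sign-in traffic to the extension over cleartext.
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"URL is not an https origin: {url}")
    missing = [u for u in MS_SSO_URLS if u not in urls]
    if missing:
        problems.append("missing Microsoft login URLs: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_extensible_sso_profile())
    with open("microsoft-sso.mobileconfig", "wb") as f:
        f.write(blob)
    print(check_sso_profile(blob) or "profile OK")
```

Running the script writes `microsoft-sso.mobileconfig`, which can be uploaded to the MDM as a custom profile if the console has no dedicated Extensible SSO editor. The check pins the payload to Microsoft's extension bundle identifier and team identifier, refuses non-https login URLs and flags any missing Microsoft endpoint, so a profile edited by hand in the console can be validated before it is pushed to the fleet.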

User Experience

At this point, the user unboxes the newly received device, which has been prepared for zero-touch configuration and enrollment with Ermetix UEM.

After powering on the device, follow the Setup Assistant: set country, language and wifi or cellular connection. After a few seconds the Remote Management screen appears. The user can authenticate with a Microsoft account, thanks to the integration between Ermetix UEM and Azure SSO.

Ermetix UEM login screen with Azure SSO on the Remote Management authentication screen

The device is now enrolled in Ermetix UEM and automatically starts downloading work apps, settings and restrictions.

The user can then add their Managed Apple ID through Azure federation and, once more, sign in with the Microsoft account in one app.

After this “last” authentication, the Microsoft Authenticator app handles every subsequent sign-in to compatible apps and sites.

Microsoft SSO demo on a newly enrolled iPadOS device

SSO Microsoft 365 with Ermetix UEM

  1. Use Apple Business Manager to configure VPP, zero-touch enrollment and Azure federation

  2. Configure Microsoft app installation on Ermetix UEM

  3. Configure Azure SSO on Ermetix UEM

  4. Configure the Extensible SSO payload on Ermetix UEM

  5. Enroll the device using zero-touch enrollment and a Microsoft account