Configuring Kerberos as an App Extension SSO

The App Extension Single Sign-on (SSO) payload allows you to use Kerberos-based SSO with your school’s Apple devices. The Kerberos SSO extension simplifies the process of acquiring a Kerberos ticket-granting ticket (TGT) from your organization’s Active Directory domain, allowing users to seamlessly authenticate to resources like websites, apps, and file servers. The Kerberos SSO extension also helps your users manage their Active Directory accounts. On macOS, it allows users to change their Active Directory passwords and notifies them when a password is about to expire. Users can also change their local account passwords to match their Active Directory passwords.

General Requirements

To use Kerberos for SSO, you need:

  • Computers with macOS 10.15 or later and User Approved MDM

  • Mobile devices with iOS 13 or later or iPadOS 13 or later

  • An Active Directory domain running Windows Server 2008 or later (For more information on how to bind computers to an Active Directory domain, see Binding Computers to Active Directory or Open Directory.)

    Note: The Kerberos SSO extension is not intended for use with Azure Active Directory. It requires a traditional, on-premises Active Directory domain.

  • Access to the network where the Active Directory domain is hosted. This network access can be through Wi-Fi, Ethernet, or VPN.

Configuring Kerberos Single Sign-on

  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Click +Create Profile.

  3. Select the operating system you want to make the profile for or select Upload Custom Profile.

  4. Select the type of enrollment you want to make the profile for.

  5. Enter a name in the Profile name field and configure any additional settings.

  6. Click Finish.

  7. Click the profile you want to configure.

  8. Use the Scope payload to configure the scope of the profile by clicking the + icon and adding device groups to the profile scope.
    For more information, see Device Groups.

  9. Click the Settings icon, and do one of the following:

    • To install the profile on devices automatically, choose Change to automatic installation for all groups.

    • To allow users to install the profile themselves in the Jamf Teacher or Jamf School Student apps, choose Change to on-demand installation for all groups.

  10. Use the App Extension SSO payload to configure the following settings:

    1. Choose "Kerberos (Credential)" from the Sign-in type pop-up menu.

    2. In the Realm field, enter the name of your Active Directory domain in uppercase.

      Note: Do not use the name of your Active Directory forest, unless your user accounts reside at the forest level.

    3. In Domains, click + and add domains for any resources that use Kerberos. For example, if you use Kerberos authentication with resources in, add “”

      Note: Ensure that you include the leading period.

    4. To store the user password in their keychain, select the Allow Automatic Login checkbox.

    5. To open a password change website in the default browser when the user selects “Change password” or acknowledges a password expiration notice, select the Allow Password Change checkbox.

    6. To require users to use Face ID, Touch ID, or passcode, select the Require user presence checkbox.

    7. To allow the extension to automatically determine your Active Directory site, select the Use Site Auto Discovery checkbox.

    8. To allow the extension to use a specific Generic Security Service Application Program Interface (GSS API) cache, enter the GSS name of the Kerberos cache in the Cache Name field.

    9. In Credential Bundle ID, click + and add a list of bundle IDs allowed to access the TGT.

    10. Click + Add a domain realm mapping to add a custom domain-realm mapping for Kerberos. This is used when the Domain Name System (DNS) names of hosts do not match the realm name.

    11. Enter the principal name in the Principal Name field.

    12. (macOS only) To specify the number of days that passwords can be used on this domain before they expire, select the Override Default Password Expiration checkbox.

    13. (iOS only) To allow only managed applications to access and use the credential bundle ID, select the Managed apps in bundle checkbox.

    14. Enter the name of the Active Directory site the Kerberos extension should use in the Site Code field.

  11. Click Save.
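As an added example that is not part of this Jamf School article, the following Python script builds the Apple Extensible Single Sign-On payload that corresponds to the settings in steps 1 to 14 of the App Extension SSO payload, and checks the two notes above (uppercase realm, leading period on each domain) before it will produce anything. The realm, domain and bundle ID values are constructed placeholders, and the ExtensionData key names are assumed from Apple's Kerberos SSO extension profile reference rather than taken from this page.

```python
import uuid

# Constructed placeholder settings mirroring the fields in steps 1 to 14 above.
SETTINGS = {
    "realm": "SCHOOL.EXAMPLE",                        # AD domain name, uppercase
    "domains": [".school.example", ".lab.example"],   # Kerberos resources, leading period
    "allow_automatic_login": True,                    # store the password in the keychain
    "allow_password_change": True,                    # open the password change website
    "require_user_presence": False,                   # Face ID / Touch ID / passcode
    "use_site_auto_discovery": True,                  # let the extension find the AD site
    "credential_bundle_ids": ["com.apple.Safari"],    # apps allowed to use the TGT
    "domain_realm_mapping": {".files.example": "SCHOOL.EXAMPLE"},  # DNS name != realm
}

def validate(settings):
    """Return the problems the two notes above warn about, or [] when the settings are clean."""
    problems = []
    if settings["realm"] != settings["realm"].upper():
        problems.append("Realm must be uppercase: %r" % settings["realm"])
    for dom in settings["domains"]:
        if not dom.startswith("."):
            problems.append("Domain needs a leading period: %r" % dom)
    return problems

def build_payload(settings):
    """Build the com.apple.extensiblesso payload dict (Apple key names are assumed)."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    ext = {
        "allowAutomaticLogin": settings["allow_automatic_login"],
        "allowPasswordChange": settings["allow_password_change"],
        "requireUserPresence": settings["require_user_presence"],
        "useSiteAutoDiscovery": settings["use_site_auto_discovery"],
        "credentialBundleIdACL": settings["credential_bundle_ids"],
        "domainRealmMapping": settings["domain_realm_mapping"],
    }
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "example.kerberos-sso",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
        "TeamIdentifier": "apple",
        "Type": "Credential",                          # "Kerberos (Credential)" sign-in type
        "Realm": settings["realm"],
        "Hosts": settings["domains"],                  # the Domains list from step 3
        "ExtensionData": ext,
    }
```

`plistlib.dumps(build_payload(SETTINGS))` turns the result into the XML plist form that a custom profile upload takes.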

After the App Extension SSO profile installs on mobile devices in the scope and the user connects their device to a network where your organization’s Active Directory domain is available, users can authenticate using their Kerberos or Active Directory credentials. After Mac computers in the scope are connected to the network where your Active Directory domain is available, users are prompted to authenticate immediately after the App Extension SSO profile is installed.

Related Information

For related information, see Apple's Deployment Reference for Mac and Apple's Kerberos Single Sign-on Extension User Guide.

© copyright 2002-2021 Jamf. All rights reserved.