Sync local macOS password with IdP

[dherder]

Problem

Today we integrate with IdPs via the macOS setup assistant and can use the IdP nameID to populate the user shortname when creating the first end user (local) account. We need to be able to constantly sync the password between the IdP and local user account to account for password resets within the IdP.

The pain right now is that end user passwords become out of sync with the IdP (where the user maintains their password) and the local macOS account.

[noahtalerman]

Contributes to Jamf parity.

[dherder]

@noahtalerman lets chat about this at feature fest WRT usage of platform SSO, or do something different.

[noahtalerman]

lets chat about this at feature fest WRT usage of platform SSO, or do something different.

Hey @dherder can you please add this to the product office hours agenda? We don't usually have time during feature fest to dive into longer discussion.

[noahtalerman]

Platform SSO deep-dive: https://twocanoes.com/psso-technical-deep-dive/

New for PSSO in macOS Sequoia: https://twocanoes.com/new-for-psso-in-macos-sequoia/

Apple docs: https://developer.apple.com/documentation/authenticationservices/platform-single-sign-on-sso

Should we start a research ticket for Platform SSO? Thanks. @lukeheath @noahtalerman

[nonpunctual]

PSSO requires an authentication provider extension (typically called a Single Sign-On Extension, or SSOE) inside a container app installed on the Mac system. A configuration profile must also be installed to the Mac system from a Mobile Device Management (MDM) service to configure PSSO. Once both of these components are installed on the Mac system, any logged in user will be prompted for device registration, then user registration. Any existing local users who have not registered will be requested to register on the next login.

[nonpunctual]

https://twocanoes.com/products/mac/xcreds/

[nonpunctual]

https://jumpcloud.com/support/google-workspace-integration-overview