Today marks a massive leap forward in enterprise Mac deployment, bridging the gap between devices and user identities. We are proud to announce support for a simplified setup of Apple’s Platform Single Sign-on (SSO) during the Automated Device Enrollment process on macOS Tahoe.

For years, Okta has led the way in bringing identity security to macOS, with Okta Device Access providing features like Desktop Password Sync and Just-in-Time (JIT) Local Account Creation, both powered by Platform SSO. Our goal has always been simple: to ensure your employees can securely access their work resources using a single, unified Okta identity, even at the device login screen. And with macOS 26 Tahoe, Apple has delivered the final piece of the puzzle – a seamless, identity-driven enrollment for device setup.

What’s new in macOS 26 Tahoe’s Platform SSO?

Prior to macOS 26, Platform SSO registration, the crucial step of linking a user's local Mac account to their Okta identity, could only happen after the initial local account was created and the Setup Assistant flow was complete. This added friction to the user experience and left room for users to overlook completing the registration process.

Now, during Automated Device Enrollment, the macOS Setup Assistant can be configured to pause and require authentication against Okta. This powerful new capability allows your organization to:

  1. Authenticate first, provision second: The user opens their new Mac, connects to the network, and is immediately prompted to sign in to Okta. This experience is fully customizable to meet your business and security needs, including the option to enable an identity verification step or enforce additional authenticator enrollments.

  2. Initial device account creation: Upon successful authentication with Okta, the first local macOS account is automatically created using user attributes (e.g., first name, last name, username) sourced directly from Okta.

  3. Instant Platform SSO registration: The new local account is simultaneously linked and registered with the Platform SSO framework for password synchronization with Okta.

This means the user's Okta identity is the genesis of their macOS account, completely bypassing the need for temporary local admin credentials or manual post-enrollment steps. 

Watch this demo video to see this streamlined device enrollment process in action.

A true Zero Touch experience, powered by Okta Device Access

This deep integration brings unparalleled security and operational efficiency to your IT and security teams by supporting:

  • Secure and simplified onboarding: Admins can now ship a macOS device directly to an end user to enroll via macOS Automated Device Enrollment. This process will automatically create a local macOS account that’s enrolled in Desktop Password Sync, leveraging admin-defined user attributes from Universal Directory and the Platform SSO application integration settings in the Okta Admin Console.
  • Auto-enrollment of phishing-resistant authentication: Since the user's identity is established during the Automated Device Enrollment process, Okta FastPass, our phishing-resistant, passwordless authenticator, is enabled and ready for immediate use for application access.

By leveraging Automated Device Enrollment and Okta Device Access capabilities through Platform SSO, you can better ensure that every macOS device is not only managed but also truly identity-aware and secure from the very first boot.

How to get started

Okta is committed to providing the best identity security and user experience across the entire Apple ecosystem. Support for macOS 26 Tahoe’s Setup Assistant integration is available today with version 9.52 or higher of Okta Verify for macOS, which can be downloaded from your Okta Admin Console under Settings > Downloads > Okta Verify for macOS. 

Ready to see how to enable a true zero-touch Mac deployment for your organization? Learn more by reviewing the product documentation.