Apple's single sign-on (SSO) extension for macOS provides two main benefits for end users:

1. It keeps Mac login passwords synced with UW NetID (Active Directory) account passwords, meaning fewer passwords to remember and helping to reduce login keychain problems.
2. With SSO active, accessing WCER network shares is simplified as it does not require re-entering your account credentials, hence the name "single sign-on".

In order to be configured, the SSO Extension requires the Mac to either be on a wired connection in a School of Education space, such as the Education Sciences building or to be connected to the GlobalProtect VPN if connecting via WiFi from any location on campus or off campus.

The first time you log in to the Mac after the SSO extension is configured to use Campus Active Directory, you should be prompted to sign into AD.WISC.EDU.


You may also click on the key-shaped SSO icon in the top menu bar and Sign In if it does not.
NOTE: If you do not see the key-shaped SSO icon in your Mac's menu bar, email support, and we will get your Mac ready.


Enter your NetID username and password, and click the Sign in button.

A new window will prompt you for your Active Directory and Mac passwords, to verify that they match. NOTE: Your NetID password is your Active Directory password.
Once entered, click on the Sync Password button.

If the passwords don't match, the extension will sync them by changing your Mac password to match your NetID password.
Once completed, you will see the window shown below:

If you click on the SSO Extension in the menu bar, you will now see that you are signed in as [yourNetID]@ad.wisc.edu

When you return from an offline or off-campus state (for example, the VPN was disconnected, or the Ethernet cable was unplugged) to an on-campus state, the SSO extension should automatically reconnect, but if it does not, click on the key-shaped SSO icon in the top menu bar and select Reconnect.

Although the Change Password... option is visible under the SSO Extension menu bar icon, if you attempt to change it, you will be notified that password changes are disabled. This is because there is an established procedure in place that you must go through to change a NetID password.

The link below will take you to Identity and Access Management's instructions for changing a NetID password.

NetID - Changing a Password

NOTE: If you ever change your NetID password, the next time your Mac is connected to the domain, such as a GlobalProtect connection, you will be prompted to synchronize your NetID password with your Mac's login password.

Apple's Kerberos single sign-on (SSO) extension for macOS allows users to seamlessly connect and authenticate to the WCER/SoE Active Directory, without the need for binding to the domain. Devices must be managed with an MDM solution in order to install the SSO extension configuration. UW-Madison has chosen Workspace ONE as its MDM solution and all Macs purchased or re-issued by WCER starting in late 2021 have Workspace ONE installed by default.

The SSO extension requires macOS 10.15 (Catalina) or higher. It replaces Apple Enterprise Connect which is not supported beyond macOS 11 (Big Sur).

For questions about the SSO Extension or assistance, please contact WCER Research IT.

Email Research IT: Replacing Enterprise Connect with macOS SSO Extension