Workspace ONE - Guide to Implementing NetID Authentication on macOS
This document provides a comprehensive guide on how to implement NetID authentication on macOS devices using Workspace ONE (WS1) and the Kerberos SSO extension. It is written for administrators who want to streamline user access without the repetitive process of imaging and testing WS1 profiles.
**Note that while the Kerberos SSO extension facilitates authentication within applications, it does not support login window integration. For that purpose, local accounts or Active Directory (AD) binding would still be required.**
Prerequisites
Before beginning the setup process, ensure that you are logged into the correct Organization Group (OG) within Workspace ONE.
Step-by-Step Configuration
1. Navigate to Profiles
- Go to the WS1 dashboard.
- Navigate to Resources > Profiles & Baselines > Profiles.
2. Create a New Profile
- Click on Add and then select Add Profile.
- Choose Apple macOS followed by Device Profile.
3. Configure the Profile
Here you will define the settings specific to the SSO functionality on macOS:
- Name the Profile: Assign a descriptive name to the profile that easily identifies its purpose and scope.
4. Add SSO Extension
Under the profile settings, add an SSO extension to handle authentication requests:
- Extension Type: Select Kerberos from the available options.
- Active Directory Realm: Enter AD.WISC.EDU as the realm to align with your Active Directory services.
- Domains: Specify AD.WISC.EDU to define the domain within which authentication requests are validated.
** As of 6/26/25, a bug may cause the NEXT button to not be clickable. The workaround is to change Extension Type to Generic & then fill in the 3 required fields with any data. The NEXT button should turn blue. Switch back to Kerberos & fill in the above information again if necessary. See Workspace ONE - Known Issues for more information. **
5. Specify Allowed Bundle IDs
- Allowed Bundle IDs: Enter com.apple.AppSSOKerberos.KerberosExtension. This identifies the specific app bundle allowed to request Kerberos tickets.
6. Disable Password Changes
- Ensure the Allow Password Change option is turned off to prevent users from changing their passwords through this SSO profile.
Finalizing and Deploying the Profile
Once all settings are correctly configured:
- Review the profile settings to ensure everything is correctly entered and reflects the intended configuration.
- Click Save to apply the configurations and deploy the profile to the targeted macOS devices within the specified OG.
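An added example, not part of the original guide or of Workspace ONE: a Python check that an exported copy of the profile carries the settings from the steps above. The key names are those of Apple's com.apple.extensiblesso payload; that WS1 writes the Domains field to Hosts and Allowed Bundle IDs to credentialBundleIdACL is an assumption, and the sample profile is constructed.

```python
import plistlib

# Values taken from the steps in this guide.
REALM = "AD.WISC.EDU"
KERBEROS_EXT = "com.apple.AppSSOKerberos.KerberosExtension"

# Constructed sample of an exported profile (not a real WS1 export).
# The mapping of WS1 UI fields to these payload keys is an assumption.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
  <key>Type</key><string>Credential</string>
  <key>Realm</key><string>AD.WISC.EDU</string>
  <key>Hosts</key><array><string>AD.WISC.EDU</string></array>
  <key>ExtensionData</key><dict>
    <key>allowPasswordChange</key><false/>
    <key>credentialBundleIdACL</key><array>
      <string>com.apple.AppSSOKerberos.KerberosExtension</string></array>
  </dict>
</dict></array>
</dict></plist>"""

def audit_profile(data: bytes) -> list[str]:
    """Return findings; an empty list means the profile matches the guide."""
    profile = plistlib.loads(data)
    ssos = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not ssos:
        return ["no SSO extension payload found"]
    findings = []
    for p in ssos:
        ext = p.get("ExtensionData", {})
        if p.get("ExtensionIdentifier") != KERBEROS_EXT:
            findings.append("extension is not the Kerberos SSO extension")
        if p.get("Realm") != REALM:
            findings.append(f"realm is {p.get('Realm')!r}, expected {REALM!r}")
        hosts = [h.lower().lstrip(".") for h in p.get("Hosts", [])]
        if REALM.lower() not in hosts:
            findings.append(f"{REALM} missing from Hosts (Domains field)")
        # A missing key leaves the extension's default in effect: require an explicit false.
        if ext.get("allowPasswordChange") is not False:
            findings.append("allowPasswordChange is not explicitly false")
        acl = ext.get("credentialBundleIdACL", [])
        if sorted(acl) != [KERBEROS_EXT]:
            findings.append(f"credentialBundleIdACL is {acl}, expected only {KERBEROS_EXT}")
    return findings
```

Run audit_profile() on the bytes of a profile exported from a test device before assigning the profile to a wider group; any finding names the setting that differs from this guide.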
