
Enrolment Single Sign-on for iPhone, iPad and Apple Vision Pro
Enrolment Single Sign-on (Enrolment SSO) is designed to make account-driven enrolment flows faster and easier by reducing the number of sign-ins required during enrolment into a mobile device management (MDM) solution. It works by installing an identity app on the device and then using that app to handle repeated authentication both during and after the enrolment process.
Enrolment SSO works with all SSO technologies, including OAuth 2.0. To use Enrolment SSO, an identity provider (IdP) creates an app with an Extensible SSO extension and obtains the relevant entitlement, then publishes the app in the App Store as either a public app or an unlisted one. During the enrolment flow in Settings, the user can then download and use this app to sign in. After a user signs in and is enrolled in MDM, the app remains installed as a managed app to facilitate additional authentications. Your MDM solution must support:
Service discovery for Enrolment SSO, which tells the device which app to download during the enrolment process
Enrolment SSO on the sign-in page
Authentication and federation with an IdP
Managed Apple Account authentication
IdPs must support Managed Apple Account federation with Apple School Manager or Apple Business Manager and provide an app with SSO support that can be deployed using an MDM solution.
Apple supports two authentication methods, one with Managed Apple Accounts and the other with MDM. Both methods are available to users.
When the administrator’s IdP or MDM solution supports this feature, the administrator can provision Managed Apple Accounts through Apple School Manager or Apple Business Manager and configure the feature within their third-party MDM solution. Then, when a user enters their email address in Settings, they’re prompted to download the preferred identity app, which can then handle the sign-in to enrol into MDM.