
Enrollment Single Sign-on for iPhone, iPad, and Apple Vision Pro
Enrollment Single Sign-on (Enrollment SSO) is designed to make account-driven enrollment flows faster and easier by reducing the number of sign-ins required when enrolling in a mobile device management (MDM) solution. You enable it for your organization by deploying an identity app and then using that app to handle the repeated authentications during, and after, the enrollment process.
Enrollment SSO works with all SSO technologies, including OAuth 2.0. To use Enrollment SSO, an identity provider (IdP) creates an app that contains an Extensible SSO extension, obtains the relevant entitlement, and publishes the app in the App Store as either a public or an unlisted app. During the enrollment flow in Settings, the user is prompted to download this app and uses it to sign in. After the user signs in and the device is enrolled in MDM, the app remains installed as a managed app so that it can handle additional authentications. Your MDM solution must support:

- Service discovery for Enrollment SSO, which tells the device which app to download during the enrollment process
- Enrollment SSO on the sign-in page
- Authentication and federation with an IdP
- Managed Apple Account authentication
IdPs must support Managed Apple Account federation with Apple School Manager or Apple Business Manager, and must provide an app with SSO support that can be deployed using an MDM solution.
Apple supports two authentication methods: one with Managed Apple Accounts and one with MDM. A user can use either.
When the administrator's IdP or MDM solution supports this feature, the administrator can provision Managed Apple Accounts through Apple School Manager or Apple Business Manager and configure the feature in their third-party MDM solution. When a user then enters their email address in Settings, they're prompted to download the preferred identity app, which then handles the sign-in to enroll the device in MDM.