Workspace ONE supports Platform SSO with Entra ID via Secure Enclave
- Last updated 12/15/2025
Workspace ONE Intelligent Hub is expanding its Apple platform capabilities with support for Platform Single Sign-On (PSSO) on macOS, integrated with Microsoft Entra ID and secured by Apple's Secure Enclave. This integration marks a major step forward in enabling modern authentication workflows on macOS for organizations leveraging Microsoft 365, Conditional Access, and device compliance policies via Entra ID.
What Is Secure Enclave-based device identity?
Secure Enclave is Apple’s hardware-based security coprocessor that stores cryptographic keys in an isolated environment. By leveraging Secure Enclave, Workspace ONE Intelligent Hub ensures tamper-resistant credential storage and alignment with Apple’s latest security standards.
Why leverage Secure Enclave?
To support PSSO with Microsoft Entra ID
Apple introduced the PSSO framework to enable users to sign in once at the macOS login screen and automatically gain access to Entra ID–protected apps and services. Secure Enclave securely stores the macOS device identity, allowing Microsoft’s Enterprise SSO plug-in to provide seamless single sign-on to Microsoft 365 and custom MSAL-based apps and to authenticate silently with device trust included.
Full Conditional Access enforcement
While Workspace ONE has long participated in Microsoft's Partner Compliance Program to support Conditional Access for macOS, the existing Keychain-based integration has limitations, especially in device identity and compliance scenarios. This is primarily because Microsoft Conditional Access evaluates device trust using the Microsoft identity platform, not the underlying Apple Keychain, the secure local credential store that Apple devices traditionally used to hold device identity keys for Entra ID.
In 2025, Microsoft began transitioning away from storing device credentials in the macOS Keychain. New device registrations will require Secure Enclave–based identity keys, slowly phasing out the Keychain approach. This transition provides stronger, hardware-backed security and aligns with the latest Entra ID architecture.
Refer to Microsoft Enterprise SSO plug-in for Apple devices for more details.
Why are we updating Intelligent Hub for macOS?
For Workspace ONE to maintain full compatibility with Microsoft Conditional Access, ensure seamless policy enforcement such as device compliance and app-based restrictions, and future-proof its compliance posture, it is critical to adopt Secure Enclave–based device identity. To do this, we have updated Intelligent Hub for macOS version 25.11 to support Secure Enclave-based identity keys. To support this capability, Microsoft requires the Microsoft Enterprise SSO Plug-in application (Company Portal app) to be installed on the device, as it is used to register devices with Entra ID and store the identity in the Secure Enclave.
How does this impact you?
- Stronger security posture - Secure Enclave isolates credentials in hardware, reducing risk of tampering or extraction.
- Conditional Access compliance - Ensures consistent policy enforcement using both user and device identity — enabling full support for Conditional Access scenarios.
- Seamless user experience - Users sign in once at login and gain SSO across all Microsoft-authenticated apps and browsers.
Summary
Workspace ONE’s support for Secure Enclave–based Platform SSO with Microsoft Entra ID ensures secure, seamless access to enterprise apps — while meeting Microsoft’s latest identity standards and Conditional Access requirements. This essential update empowers macOS environments using Microsoft 365 and Entra ID to transition from Keychain-based identity to a modern, hardware-backed authentication model.