Enhanced Security: Require Biometrics for macOS PSSO registration

macOS Platform Single Sign-On (PSSO) with Secure Enclave is great, but how can we add an extra layer of protection by requiring the user to confirm their identity with Touch ID? With this requirement the user's physical presence is needed at registration, which reduces the risk of unauthorized enrollments and helps keep account access aligned with your organization's security standards. In this post I describe the requirements, how to add the setting, and the user experience.
Requirements: Use Secure Enclave Key Biometrics
With the option to require biometric authentication we strengthen the security of the device. A password is no longer enough to complete the registration; the user has to authenticate with Touch ID. Biometric authentication is also required every time the Secure Enclave key needs to be accessed.
To enable biometrics with Secure Enclave, the following are required:
- Touch ID hardware, with a fingerprint enrolled for the user
- macOS 14.6 and later
- Company Portal version 2504 and later
- Platform Single Sign-On with Secure Enclave
Create an Intune Configuration Profile
The requirements show that PSSO with Secure Enclave must be enabled. We cannot create a separate profile that carries only the biometric requirement: the key is part of the Extensible SSO payload, which also needs the PSSO settings, and a second SSO payload for the same extension results in duplicates or configuration mismatches. To require biometrics for macOS Platform Single Sign-On registration we therefore either create a new PSSO with Secure Enclave policy that includes the setting, or adjust the existing macOS PSSO configuration profile.
In this example we already have a macOS PSSO configuration profile, so we will adjust that one.
From the Intune portal head over to:
Devices > macOS > Configuration
Select your PSSO configuration profile, or create one (the blog article on creating a PSSO profile is linked below).
Then:
- Add settings
- Search for Authentication
- Select Extensible Single Sign On (SSO)
- Select Extension Data

Use the following values for the Extension Data
- Key: enable_se_key_biometric_policy
- Type: Boolean
- Value: True
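
As an added check that is not part of the original post: the Python script below audits the profiles installed on a Mac for the settings above. It reads the plist that sudo profiles show -output stdout-xml prints, locates the Extensible SSO payload for the Microsoft SSO extension (com.microsoft.CompanyPortalMac.ssoextension), and verifies that it uses the Secure Enclave authentication method and that ExtensionData carries enable_se_key_biometric_policy as a Boolean true, flagging a string "true" or an integer 1 as a mistake. The embedded profile dump is constructed for offline use (the profile identifier is made up; the extension and team identifiers are Microsoft's), and the plist layout assumed is the one profiles show produces: a top-level scope key such as _computerlevel holding a list of profiles, each with ProfileItems.

```python
"""Audit a Mac's installed profiles for the PSSO Secure Enclave biometric requirement.

Added example, not code from the original post or from Microsoft/Apple.
It parses the plist that `sudo profiles show -output stdout-xml` prints and
checks the Extensible SSO payload for the Microsoft SSO extension:
  - exactly one such payload is installed (duplicates cause mismatches),
  - PlatformSSO.AuthenticationMethod is UserSecureEnclaveKey,
  - ExtensionData.enable_se_key_biometric_policy is a Boolean true.
The embedded profile dump is constructed; the profile identifier is illustrative.
"""
import plistlib
import sys

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
MS_SSO_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"  # Enterprise SSO plug-in
BIOMETRIC_KEY = "enable_se_key_biometric_policy"
MIN_MACOS = (14, 6)  # first macOS release that supports the biometric policy

# Constructed sample of `profiles show -output stdout-xml` output, trimmed to
# the keys this audit needs. Team ID is Microsoft's; the identifier is made up.
SAMPLE_PROFILES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileIdentifier</key><string>example.org.psso.secure-enclave</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key><string>com.apple.extensiblesso</string>
          <key>PayloadContent</key>
          <dict>
            <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
            <key>TeamIdentifier</key><string>UBF8T346G9</string>
            <key>Type</key><string>Redirect</string>
            <key>URLs</key><array><string>https://login.microsoftonline.com</string></array>
            <key>PlatformSSO</key>
            <dict><key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string></dict>
            <key>ExtensionData</key>
            <dict><key>enable_se_key_biometric_policy</key><true/></dict>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def load_sample():
    """Return a fresh dict of the constructed sample (safe to mutate)."""
    return plistlib.loads(SAMPLE_PROFILES_XML)


def macos_supports_biometric_policy(product_version):
    """True if `sw_vers -productVersion` output (e.g. '14.6.1') is 14.6 or later."""
    parts = tuple(int(p) for p in product_version.split("."))
    return parts >= MIN_MACOS


def microsoft_sso_payloads(profiles):
    """Yield (profile identifier, payload content) for each Microsoft Extensible SSO payload."""
    for scope in profiles.values():  # "_computerlevel" and/or a per-user scope
        for profile in scope:
            for item in profile.get("ProfileItems", []):
                content = item.get("PayloadContent", {})
                if (item.get("PayloadType") == SSO_PAYLOAD_TYPE
                        and content.get("ExtensionIdentifier") == MS_SSO_EXTENSION):
                    yield profile.get("ProfileIdentifier", "<unknown>"), content


def check_biometric_requirement(profiles):
    """Return a list of findings; an empty list means the requirement is enforced."""
    payloads = list(microsoft_sso_payloads(profiles))
    if not payloads:
        return ["no Extensible SSO payload for the Microsoft SSO extension is installed"]
    findings = []
    if len(payloads) > 1:
        ids = ", ".join(pid for pid, _ in payloads)
        findings.append(f"{len(payloads)} Microsoft SSO payloads installed ({ids}); keep a single PSSO profile")
    for pid, content in payloads:
        method = content.get("PlatformSSO", {}).get("AuthenticationMethod")
        if method != "UserSecureEnclaveKey":
            findings.append(f"{pid}: AuthenticationMethod is {method!r}, not UserSecureEnclaveKey")
        value = content.get("ExtensionData", {}).get(BIOMETRIC_KEY)
        if value is not True:  # must be a plist <true/>, not the string "true" or the integer 1
            findings.append(f"{pid}: ExtensionData.{BIOMETRIC_KEY} is {value!r}, expected boolean true")
    return findings


if __name__ == "__main__":
    # Pipe `sudo profiles show -output stdout-xml` into this script; with no
    # piped input the constructed sample is audited instead.
    data = load_sample() if sys.stdin.isatty() else plistlib.loads(sys.stdin.buffer.read())
    problems = check_biometric_requirement(data)
    print("OK: Touch ID is required for the PSSO Secure Enclave key" if not problems
          else "\n".join("FAIL: " + p for p in problems))
    sys.exit(1 if problems else 0)
```

On a managed Mac, run sudo profiles show -output stdout-xml | python3 psso_audit.py; the exit code is 1 on any finding, so it can be wrapped in a compliance script. The strict identity check on True matters because the Intune setting is typed Boolean: a value of 1 or "true" in the payload is not the same plist type and is reported as a finding.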

Re-registration process
When a PSSO configuration profile is already in place, existing users have to go through a new registration. This has to be admin driven, because the user is not prompted to re-register on their own.
We can trigger the re-registration from the device. In this example a PSSO registration already existed. On the MacBook go to:
System Settings > Users & Groups >
Select the information icon next to the local user.
Choose Repair in the Registration section.
The current registration state can be verified from Terminal with the command app-sso platform -s.

User Experience
During registration the user is asked for a password or biometrics. The change is visible once the registration is made: the user gets two additional prompts to provide biometrics through Touch ID.

After the first SSO prompt, a second biometric SSO prompt has to be completed to continue the process and finish the registration.

The requirement is fulfilled after these prompts. As the screenshots show, only a biometric can be used to complete PSSO with Secure Enclave; a password is not accepted.
Recap
Adding a biometric requirement for PSSO with the Secure Enclave significantly strengthens device security: a password alone is no longer sufficient. Be aware of the Touch ID requirements for macOS devices, and when a PSSO policy is already in place, devices must be re-registered. The biometric setting cannot be deployed as a configuration profile that contains only the Extension Data; adjust an existing PSSO profile or create a new one with this requirement as part of the configuration.
