The login screen, also known as the login window, is the start of every user’s Mac experience. But the average user doesn't give it much thought - they just enter a password and move on. Yet behind that moment is a critical security checkpoint and a key part of the user experience.
The login experience shapes how secure, seamless, and supportable your device access is. And a poor login workflow can create unnecessary friction and confuse users. The right approach should strike a balance between user experience and security requirements.
In this article we compare three common options for managing the macOS login experience:
- Kerberos Single Sign-on (SSO) Extension
- Platform SSO
- Kandji Passport (OIDC/ROPG)
User experience, setup complexity, and security were our primary criteria when assessing each option. At the close, we stack up the features and requirements of each option in an easily digestible table.
Our goal is to help you make a better-informed decision, whether you’re researching identity provider (IdP) integrations, improving onboarding, bolstering password hygiene, or simplifying login workflows.
Kerberos SSO Extension
Built for On-Premises Active Directory Environments
The Kerberos SSO Extension is designed for organizations that use an on-premises Active Directory (AD) setup. It gives users a secure way to authenticate to internal resources (e.g., file servers or web apps) using their AD credentials. The extension is delivered via a device management solution that uses the Mobile Device Management (MDM) framework. The extension allows the Mac to sync a local Mac account password with the user's AD account password and automatically acquire a Kerberos ticket for access to on-premises resources.
Setup and Configuration
To use the Kerberos SSO Extension, you’ll need:
- An on-premises AD domain (Windows Server 2008 or later)
- Mac devices running macOS 10.15 or later
- An MDM solution capable of deploying Extensible SSO configuration profiles
- Network access to the on-premises AD via Wi-Fi, Ethernet, or VPN
Configuration is fairly straightforward. Admins can use configuration profiles to sync local account passwords with users' AD accounts.
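As an added illustration (not Kandji's or Apple's code), the script below parses a constructed Extensible SSO configuration profile and checks the settings that matter for the Kerberos SSO Extension described above: the Apple extension identifier, the Credential type, a realm and host list, and the syncLocalPassword option that keeps the local password aligned with AD. The realm, hosts and UUIDs in the sample are placeholders.

```python
import plistlib

KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"

# Constructed sample profile (realm, hosts and UUIDs are placeholders).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.kerberos-sso</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>PayloadIdentifier</key><string>example.kerberos-sso.esso</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
    <key>TeamIdentifier</key><string>apple</string>
    <key>Type</key><string>Credential</string>
    <key>Realm</key><string>CORP.EXAMPLE.COM</string>
    <key>Hosts</key><array><string>.corp.example.com</string></array>
    <key>ExtensionData</key><dict>
      <key>syncLocalPassword</key><true/>
      <key>isDefaultRealm</key><true/>
    </dict>
  </dict></array>
</dict></plist>
"""

def check_kerberos_sso(profile: bytes) -> list[str]:
    """Return a list of findings for the Kerberos SSO payload (empty = OK)."""
    findings = []
    payloads = [p for p in plistlib.loads(profile).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no Extensible SSO payload found"]
    for p in payloads:
        if p.get("ExtensionIdentifier") != KERBEROS_EXTENSION:
            findings.append(f"unexpected extension {p.get('ExtensionIdentifier')!r}")
        if p.get("Type") != "Credential":
            findings.append("Kerberos extension must use Type=Credential")
        realm = p.get("Realm", "")
        if not realm or realm != realm.upper():
            findings.append(f"realm {realm!r} missing or not uppercase")
        if not p.get("Hosts"):
            findings.append("Hosts is empty; the extension will match no internal services")
        if not p.get("ExtensionData", {}).get("syncLocalPassword"):
            findings.append("syncLocalPassword is off; local and AD passwords will drift")
    return findings
```

Run it against an exported profile before deploying: an empty list means the payload carries the settings this section relies on, and each finding names the key to fix.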
User Experience
Once the extension is installed and the device is on the AD-connected network, users are prompted to authenticate. Users will see a key icon in their menu bar that indicates the Kerberos ticket status, and they’ll receive another sign-in prompt when the ticket expires (typically after 10 hours).
If a user changes their password outside of a Mac (for example, from a Windows PC), the extension detects the mismatch and prompts them to update their local password. However, syncing isn’t always automatic in those cases.
Limitations
- On-premises only; other integrations or tools for cloud resources may be needed.
- Sessions can outlast the ticket lifetime, causing the user to be prompted to reauthenticate, possibly disrupting long-running workflows or applications.
- May involve more complex integration depending on the number of users, whether the environment is mixed (i.e., Mac computers and Windows), and similar factors.
Is Kerberos SSO Right for You?
The Kerberos SSO extension can make sense if:
- Your org is deeply tied to on-premises AD
- You need access to internal, centralized, Kerberos-protected services
- You're not ready to shift to an IdP-first model
Platform SSO
A Modern, Integrated Framework From Apple
Platform Single Sign-On (Platform SSO) is Apple’s authentication framework for Mac. It’s designed to align with cloud-first identity strategies by integrating directly with IdPs like Okta and Microsoft Entra ID (formerly Azure AD). With Platform SSO, after users log in to their Mac, they are seamlessly authenticated to access organizational resources that leverage SSO, such as web apps and native apps, with no additional sign-ins required.
In addition to facilitating single sign-on, Platform SSO offers two different ways of handling authentication. Platform SSO can either sync the user's passwords or provide a passwordless experience, but not both. The password sync method is designed to keep the Mac account password the same as the IdP account password. Again, both methods facilitate using SSO-enabled apps and web apps.
The second set of methods supports authentication via cryptographic keys securely stored in a hardware-based feature like the Secure Enclave built into all modern Mac computers, or a smart card like a YubiKey. This second set of methods is often referred to as passwordless, because the user doesn’t provide their Mac password to access network resources. So Platform SSO can provide passwordless using either the Secure Enclave method, or smart cards, but not both simultaneously.
Supporting smart cards is no small undertaking, so if you aren’t in a highly-regulated industry that requires you to use smart cards, and you don’t already have the infrastructure in place to support smart cards, we recommend that you use the Secure Enclave method instead of adopting smart cards.
With the Secure Enclave method or smart cards, accessing resources is referred to as “passwordless,” because PlatformSSO will use the cryptographic key instead of a user password to authenticate users for SSO-enabled apps and web apps. The user will never see a password dialog in order to authenticate for SSO-enabled apps and web apps; in fact, users should be trained to recognize that if they see a website offer a username and password field, it’s probably a malicious site.
With the “passwordless” methods, users will still have, and need to use, a local account password, which is required to approve certain updates. There is currently no way to use a Mac and never type in a password.
One quick note about specific terms: “log in” refers to logging in to your Mac. And “sign in” refers to signing in to something like a cloud service. Keep these in mind as you think about logging in to a Mac and gaining access to services without having to sign in.
Setup and Configuration
To use Platform SSO, your environment needs:
- macOS 13 or later (macOS 15 for full FileVault and lock screen integration)
- An MDM solution that supports the Extensible SSO payload (e.g., Kandji, Microsoft Intune)
- An IdP that supports Platform SSO (e.g., Microsoft Entra ID, Okta)
- To support the Secure Enclave feature, either a Mac with Apple silicon or an Intel-based Mac with Touch Bar and Touch ID
Admins configure Platform SSO via their MDM through a built-in integration or, if that’s not available, by constructing and then uploading a custom profile. Once the device is registered with the IdP via a hardware-backed certificate (for Secure Enclave or smart card scenarios) or password synchronization (for traditional password-based authentication), the user experience varies based on the chosen method.
User Experience
Platform SSO offers multiple supported authentication methods, including:
- Password and encrypted password: Syncs the user’s local Mac password with their IdP credentials
- Password with WS-Trust: Offers compatibility with IdPs requiring the WS-Trust protocol for password-based authentication
- Secure Enclave–backed key: Enables passwordless login via cryptographic key that protects against using stolen credentials
- SmartCard: Supports hardware-based secure login, often required in highly-regulated environments
Password Sync
Once the device is registered, users can log in with their IdP credentials. The local Mac password is synchronized with the user’s IdP password, so both are kept in sync. Once logged in, users benefit from SSO across supported native apps and web services, reducing repeated authentication prompts and password fatigue.
Secure Enclave or SmartCard
After device registration, users can log in using a Secure Enclave–backed key or a SmartCard. Both options enable secure, passwordless authentication. When using Secure Enclave or SmartCard authentication, the local Mac password is not synced to the IdP password, and authentication relies on the hardware-backed certificate or SmartCard. This can cause confusion for users because, although logins are passwordless, macOS sometimes still prompts for local account passwords, especially during password changes or software updates. This mismatch can cause an uptick in help desk tickets as users are likely to forget a password they seldom use. However, identity providers supporting Platform SSO encourage the use of Secure Enclave-backed keys as they are the most secure and offer the strongest protection against phishing attempts.
Limitations
In either scenario above, Platform SSO requires that users first log in to the device with a local account before registering with their IdP. Only after this initial setup can additional local accounts be created directly from the login window using IdP credentials. In contrast, Kandji Passport lets users create a local account immediately during device enrollment by logging in with their IdP credentials. This streamlines the onboarding process and eliminates the need for initial local account creation.
Other limitations of Platform SSO include:
- Not compatible with legacy Mac computers; requires a newer, updated, and standardized fleet
- Multi-user capabilities need further configuration and customization, and may restrict authentication methods
- Works with a limited number of IdPs
Is Platform SSO a Good Fit?
Platform SSO can work well for an organization if:
- You want specific MFA security features
- You want an MDM-neutral solution
- You prefer an Apple framework with a native experience and support for macOS (and limit your use of third-party integrations)
- Your IdP distributes an app that supports PlatformSSO
- Your IdP supports your desired authentication method for PlatformSSO
- You’ve developed or use apps that support SSO
- Your organization uses web apps that support SSO
What about PlatformSSO for macOS 26 Tahoe?
In June 2025, as part of its Worldwide Developer Conference (WWDC), Apple announced some major changes coming for macOS 26.
For a new out-of-the-box setup experience for Mac, a user will be able to enter their IdP credentials one time to accomplish the following:
- Enroll the Mac into the device solution assigned in Apple Business Manager
- Create the first Mac local account
- Register with the IdP
PlatformSSO for macOS 26 will also support a feature called Authenticated Guest Access, which is great for shared-use Mac computers. For shared-use Mac computers, some organizations still use a legacy method known as binding to AD, in order to allow anyone to sign in to a shared Mac using their AD credentials. PlatformSSO for macOS 26 might mean the end of the last reason for binding a Mac to AD.
macOS 26 will be available this fall.
Kandji Passport
Custom, Unified Login Experience With IdP Credentials
OpenID Connect (OIDC) and Resource Owner Password Grant (ROPG) tools like Kandji Passport turn the Mac login window into a highly customizable, unified, and branded experience across the fleet. It’s designed for organizations that want an SSO solution included with their MDM capabilities, aligning policies and simplifying administration while offering greater control. Examples of additional controls include built-in user provisioning and policy enforcement (through MDM) to enforce security practices.
Users sign in once with their IdP credentials, and the app ensures their local Mac password stays in sync. If there’s ever a mismatch, users are prompted to update their local password.
Setup and Configuration
To use Kandji Passport, you’ll need:
- A Mac running an OS version supported by Kandji
- An IdP that supports OIDC/ROPG (such as Entra ID, Okta, or OneLogin)
- Kandji MDM for deployment and management
For Kandji users, deployment is straightforward through the cloud portal, and admins can easily configure branding, account type assignment, and onboarding workflows. Passport works across a variety of IdPs, making it a flexible choice for organizations with diverse identity needs. Although Passport enables offline login by syncing credentials locally, initial setup requires network connectivity.
Note that setup can vary depending on your IdP. It’s important to test compatibility with your tools and specific IdP.
User Experience
Logging in with Kandji Passport feels familiar for Mac users, who enter their IdP credentials at a login window that reflects your organization’s look and feel. If a Mac account doesn’t already exist, Passport creates one, instantly removing onboarding friction.
Passport keeps local Mac passwords in sync with IdP credentials, and if there’s ever a mismatch, users are prompted to update their password. This can significantly help minimize confusion and reduce help desk tickets.
Admins can further tailor the experience by displaying custom lock messages or compliance banners, adding password reset links at the login screen, and enforcing advanced security policies on a granular, per-user or per-group basis (e.g., device trust, conditional access, or MFA integrations). This level of customization and control means the login process stays secure, consistent, and polished.
Limitations
- Requires an IdP that supports OIDC/ROPG
- Unlike Platform SSO, Kandji Passport does not grant SSO after authentication. Users may need to authenticate separately when accessing applications. Kandji Passport can be used alongside Apple’s Extensible SSO (ESSO) extension to enable broader SSO coverage after the initial app login, but it does not eliminate the first prompt.
Is Kandji Passport the Best Choice for You?
An OIDC/ROPG option like Kandji Passport is a great choice over Platform SSO if:
- You want a solution that has a history of successful deployment
- You want simple SSO login management integrated with your MDM solution, which unifies deployment and administration
- You prefer more granular controls, compliance enforcement, and support for mixed authentication sources
- Your IdP does not support Platform SSO, or does not support it for your desired authentication method
- You value deeper customization of the login experience such as branding (beyond Platform SSO capabilities)