The payload that configures an app extension that performs single sign-on (SSO).
Platforms: macOS 10.15+, iOS 13.0+
Configuration Keys (12)

ExtensionIdentifier (string, required): Extension Identifier
    The bundle identifier of the app extension that performs SSO for the specified URLs.

Type (string, required)
    The type of SSO: 'Credential' or 'Redirect'.

TeamIdentifier (string): Team Identifier
    The team identifier of the app extension. This key is required on macOS and ignored elsewhere.
    Depends on: ExtensionIdentifier ∈ [com.apple.AppSSOKerberos.KerberosExtension]

Hosts (array)
    An array of host or domain names that apps can authenticate through the app extension.
    Required for 'Credential' payloads. Ignored for 'Redirect' payloads.
    The system:
    - Matches host or domain names case-insensitively
    - Requires that all the host and domain names of all installed Extensible SSO payloads are unique
    Note: Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match.
    Depends on: Type ∈ [Credential]

    hostname (string, required): Hostname / Domain name
        A host or domain name, with or without a leading dot.

Realm (string)
    The realm name for 'Credential' payloads. Use proper capitalization for this value. Ignored for 'Redirect' payloads.
    Depends on: ExtensionIdentifier ∈ [com.apple.AppSSOKerberos.KerberosExtension]

URLs (array): URLs
    An array of URL prefixes of identity providers where the app extension performs SSO.
    Required for 'Redirect' payloads. Ignored for 'Credential' payloads.
    The URLs need to begin with 'http://' or 'https://'.
    The system:
    - Matches scheme and host name case-insensitively
    - Doesn't allow query parameters and URL fragments
    - Requires that the URLs of all installed Extensible SSO payloads are unique
    Depends on: Type ∈ [Redirect]

    URL (string, required): URL
        An http or https URL prefix.
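The Hosts and URL rules above, together with the TeamIdentifier and PlatformSSO dependencies stated elsewhere on this page, as a pre-deployment lint over the Extensible SSO payloads in a .mobileconfig. This is an added example, not Apple's code or code from this page; the payloads are constructed, the two Redirect extension identifiers are hypothetical, and it checks more than the Hosts/URLs rules alone (the per-payload dependencies as well).

```python
"""Pre-deployment lint for Extensible SSO (com.apple.extensiblesso) payloads:
the Hosts and URL rules, the TeamIdentifier dependency and the PlatformSSO/Type
dependency stated on this page. Added example, not Apple's code."""
import plistlib
from urllib.parse import urlsplit

KERBEROS_EXT = "com.apple.AppSSOKerberos.KerberosExtension"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"


def host_matches(pattern, host):
    """A leading "." makes the entry a wildcard suffix for subdomains; any
    other entry must match the host exactly. Both compare case-insensitively."""
    p, h = pattern.lower(), host.lower()
    return h.endswith(p) if p.startswith(".") else h == p


def normalize_url(url):
    """Scheme and host compare case-insensitively; the path does not."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"


def validate_payload(p, platform="macOS"):
    """Rules that apply to a single payload. Returns a list of problems."""
    errors = []
    kind = p.get("Type")
    if kind not in ("Credential", "Redirect"):
        errors.append("Type must be 'Credential' or 'Redirect'")
    if not p.get("ExtensionIdentifier"):
        errors.append("ExtensionIdentifier is required")
    if kind == "Credential" and not p.get("Hosts"):
        errors.append("Credential payloads require Hosts")
    if kind == "Redirect" and not p.get("URLs"):
        errors.append("Redirect payloads require URLs")
    for url in p.get("URLs", []):
        if not url.lower().startswith(("http://", "https://")):
            errors.append(f"URL must begin with http:// or https://: {url}")
        if "?" in url or "#" in url:
            errors.append(f"URL must not carry a query or fragment: {url}")
    if (platform == "macOS" and p.get("ExtensionIdentifier") == KERBEROS_EXT
            and not p.get("TeamIdentifier")):
        errors.append("TeamIdentifier is required on macOS for the Kerberos extension")
    if "PlatformSSO" in p and kind != "Redirect":
        errors.append("PlatformSSO requires Type 'Redirect'")
    return errors


def validate_installed(payloads, platform="macOS"):
    """Per-payload rules plus the uniqueness rules spanning all installed payloads."""
    errors, seen_hosts, seen_urls = [], {}, {}
    for i, p in enumerate(payloads):
        errors += [f"payload {i}: {e}" for e in validate_payload(p, platform)]
        for h in p.get("Hosts", []):
            if h.lower() in seen_hosts:
                errors.append(f"payload {i}: host {h!r} already used by payload {seen_hosts[h.lower()]}")
            seen_hosts.setdefault(h.lower(), i)
        for u in p.get("URLs", []):
            if normalize_url(u) in seen_urls:
                errors.append(f"payload {i}: URL {u!r} already used by payload {seen_urls[normalize_url(u)]}")
            seen_urls.setdefault(normalize_url(u), i)
    return errors


def lint_profile(mobileconfig, platform="macOS"):
    """Lint every Extensible SSO payload in a .mobileconfig given as plist bytes."""
    profile = plistlib.loads(mobileconfig)
    sso = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    return validate_installed(sso, platform)


def build_profile(payloads):
    """Wrap payloads in a minimal profile plist (enough for the lint above)."""
    return plistlib.dumps({"PayloadContent": list(payloads)})


# Constructed samples. "apple" is the TeamIdentifier Apple documents for its own
# Kerberos extension; the two Redirect extension identifiers are hypothetical.
KERBEROS_PAYLOAD = {
    "PayloadType": SSO_PAYLOAD_TYPE,
    "ExtensionIdentifier": KERBEROS_EXT,
    "TeamIdentifier": "apple",
    "Type": "Credential",
    "Realm": "EXAMPLE.COM",
    "Hosts": [".example.com", "fileserver.example.com"],
}
REDIRECT_PAYLOAD = {
    "PayloadType": SSO_PAYLOAD_TYPE,
    "ExtensionIdentifier": "com.example.sso.extension",
    "Type": "Redirect",
    "URLs": ["https://login.example.com/"],
}
BAD_PAYLOAD = {
    "PayloadType": SSO_PAYLOAD_TYPE,
    "ExtensionIdentifier": "com.example.other.extension",
    "Type": "Redirect",
    "URLs": ["HTTPS://LOGIN.EXAMPLE.COM/",             # collides with the one above
             "https://idp.example.com/auth?prompt=1",  # query string not allowed
             "ftp://idp.example.com/"],                # wrong scheme
}
```

Running `lint_profile(build_profile([KERBEROS_PAYLOAD, REDIRECT_PAYLOAD, BAD_PAYLOAD]))` reports the query string, the wrong scheme and the case-insensitive URL collision of the third payload.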
DeniedBundleIdentifiers (array): Denied Bundle Identifiers
    An array of bundle identifiers of apps that don't use SSO provided by this extension. Available in iOS 15 and later, and macOS 12 and later.

    bundleIdentifier (string, required): Bundle Identifier
        The bundle identifier of the app.

ScreenLockedBehavior (string): Screen Locked Behavior
    If set to 'Cancel', the system cancels authentication requests when the screen is locked. If set to 'DoNotHandle', the request continues without SSO instead. This doesn't apply to requests where 'userInterfaceEnabled' is 'false', or for background 'URLSession' requests. Available in iOS 15 and later, and macOS 12 and later.
    Default: "Cancel"

ExtensionData (dict): Kerberos Extension Data
    A dictionary of arbitrary data passed through to the app extension.
    Depends on: ExtensionIdentifier ∈ [com.apple.AppSSOKerberos.KerberosExtension]

    allowAutomaticLogin (boolean): Allow Automatic Login
        If 'false', the system doesn't allow saving passwords in the keychain.
        Default: true

    allowPasswordChange (boolean): Allow Password Change
        If 'false', the system disables password changes. Available in macOS 10.15 and later.
        Default: true

    usePlatformSSOTGT (boolean): Use Platform SSO TGT
        If 'true', the system requires that this configuration use a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later.
        Default: false

    allowPlatformSSOAuthFallback (boolean): Allow Platform SSO Authentication Fallback
        If 'true' and 'usePlatformSSOTGT' is 'true', the system allows the user to manually sign in. Available in macOS 13 and later.
        Default: true

    performKerberosOnly (boolean): Perform Kerberos Requests Only
        If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Available in macOS 13 and later.
        Default: false

    cacheName (string): Cache Name
        The GSS name of the Kerberos cache to use. Rarely set by an administrator.

    certificateUUID (string): Certificate UUID
        The PayloadUUID of a PKINIT certificate.

    credentialBundleIdACL (array): Credential Bundle ID ACL
        A list of bundle IDs allowed to access the ticket-granting ticket (TGT).

        credentialBundleIdACLItem (string): Bundle ID
            A bundle ID allowed to access the TGT. These values are case sensitive.

    credentialUseMode (string): Credential Use Mode
        This setting affects how other processes use the Kerberos Extension credential. Allowed values:
        - 'always': The system always uses the credential if the SPN matches the Kerberos Extension 'Hosts' array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIdACL'.
        - 'whenNotSpecified': The system only uses the extension credential if the SPN matches the Kerberos Extension 'Hosts' array. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIdACL'.
        - 'kerberosDefault': The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability.
        Available in macOS 11 and later.
        Default: "always"

    customUsernameLabel (string): Custom Username Label
        The custom user name label used in the Kerberos extension instead of "Username", such as "Company ID". Available in macOS 11 and later.

    delayUserSetup (boolean): Delay User Setup
        If 'true', the system doesn't prompt the user to set up the Kerberos extension until either the administrator enables it with the 'app-sso' tool or the system receives a Kerberos challenge. Available in macOS 11 and later.
        Default: false

    helpText (string): Help Text
        The text to display to the user at the bottom of the Kerberos Login Window. You can also use this to display help information or disclaimer text. Available in iOS 14 and later, and macOS 11 and later.

    isDefaultRealm (boolean): Is Default Realm
        Specifies whether this is the default realm if there's more than one Kerberos extension configuration.
        Default: false

    includeManagedAppsInBundleIdACL (boolean): Include Managed Apps in Bundle ID ACL
        If 'true', the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the 'credentialBundleIdACL', if you specify that value. Available in iOS 14 and later, and macOS 12 and later.
        Default: false

    includeKerberosAppsInBundleIdACL (boolean): Include Kerberos Apps in Bundle ID ACL
        If 'true', the Kerberos extension allows the standard Kerberos utilities including 'TicketViewer' and 'klist' to access and use the credential. This is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', if you specify those values. Available in macOS 12 and later.
        Default: false

    monitorCredentialsCache (boolean): Monitor Credential Cache
        If 'false', the system requests the credential on the next matching Kerberos challenge or network state change. If the credential is expired or missing, the system creates a new one. Available in macOS 11 and later.
        Default: true

    principalName (string): Principal Name
        The principal (username) to use. You don't need to include the realm.

    preferredKDCs (array): Preferred KDCs
        The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If the servers are specified, the system uses them for connectivity checks and tries them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a 'krb5.conf' file, for example:
        - 'adserver1.example.com'
        - 'tcp/adserver1.example.com:88'
        - 'kkdcp://kerberosproxy.example.com:443/kkdcp'

        preferredKDC (string, required): Key Distribution Center
            A host or domain name in the format [protocol/]hostname[:port][/path].

    pwChangeURL (string): Password Change URL
        The URL that launches in the user's default web browser when they initiate a password change. Available in macOS 10.15 and later.

    pwNotificationDays (integer): Password Notification Days
        The number of days prior to password expiration when the system sends a notification of password expiration to the user. Available in macOS 10.15 and later.
        Default: 15

    pwExpireOverride (integer): Password Expiration Override
        The number of days that the system allows using passwords on this domain. For most domains, this calculation is automatic. Available in macOS 10.15 and later.

    pwReqComplexity (boolean): Password Requirement Complexity
        If 'true', the system requires passwords to meet Active Directory's definition of "complex". Available in macOS 10.15 and later.
        Default: false

    pwReqHistory (integer): Password Requirement History
        The number of prior passwords that the system disallows reusing on this domain. Available in macOS 10.15 and later.

    pwReqLength (integer): Password Requirement Length
        The minimum length of passwords on the domain. Available in macOS 10.15 and later.

    pwReqMinAge (integer): Password Requirement Minimum Age
        The minimum age of passwords before the system allows changing them on this domain. Available in macOS 10.15 and later.

    pwReqText (string): Password Requirement Text
        The text version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 10.15 and later.

    pwReqRTFData (data)
        The RTF-formatted version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 15 and later.

    replicationTime (integer): Replication Time
        The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension uses this when checking password age after a change. Available in macOS 11 and later.
        Default: 900

    requireTLSForLDAP (boolean): Require TLS for LDAP
        Require that LDAP connections use TLS. Available in macOS 11 and later.
        Default: false

    requireUserPresence (boolean): Require User Presence
        If 'true', the system requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry.
        Default: false

    siteCode (string): Site Code
        The name of the Active Directory site the Kerberos extension should use. Most administrators don't need to modify this value, as the Kerberos extension can normally find the site automatically.

    syncLocalPassword (boolean): Sync Local Password
        If 'false', the system disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later.
        Default: false

    useSiteAutoDiscovery (boolean): Use Site Auto Discovery
        If 'false', the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name.
        Default: true

    domainRealmMapping (dict)
        A custom domain-realm mapping for Kerberos. The system uses this when the DNS name of hosts doesn't match the realm name. Most administrators don't need to customize this.

        Realm (array)
            The key is the name of the realm, and the value is an array of DNS suffixes that map to the realm.

            RealmItem (string)
                A domain to map to the realm.
    Enable_SSO_On_All_ManagedApps (integer): Enable SSO on All Managed Apps
        Default: 0

    AppAllowList (string): App Allow List
        Enable SSO for specific apps.

    AppPrefixAllowList (string): App Prefix Allow List
        Enable SSO for all apps with a specific bundle ID prefix.

    AppBlockList (string): App Block List
        Disable SSO for specific apps.

    AppCookieSSOAllowList (string): App Cookie SSO Allow List
        Enable SSO through cookies for a specific application.

    browser_sso_interaction_enabled (integer): Allow Users to Sign in from Unknown Applications using the Safari Browser
        Default: 0

    browser_sso_disable_mfa (integer): Disable Asking for MFA During Initial Bootstrapping
        Default: 0

    disable_explicit_app_prompt (integer): Disable OAuth2 Application Prompts
        Default: 0

    disable_explicit_app_prompt_and_autologin (integer): Disable OAuth2 Application Prompts and Autologin
        Default: 0

    identityIssuerAutoSelectFilter (string)
        A string with wildcards that can be used to filter the list of available SmartCards by issuer, e.g. "*My CA2*". If one card remains, it is auto-selected. If more than one remains, the list is shorter. Available in macOS 15 and later.

    allowSmartCard (boolean)
        If 'true', allow the user to switch the user interface to SmartCard mode. Available in macOS 15 and later.
        Default: true

    allowPassword (boolean)
        If 'true', allow the user to switch the user interface to Password mode. Available in macOS 15 and later.
        Default: true

    startInSmartCardMode (boolean)
        If 'true', the user interface starts in SmartCard mode. Available in macOS 15 and later.
        Default: false
AuthenticationMethod (string): Authentication Method
    The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. Available in macOS 13 and later, and deprecated in macOS 14.

PlatformSSO (dict)
    The dictionary to configure Platform SSO. Requires 'Type' to be set to 'Redirect'.

    AuthenticationMethod (string)
        The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also supports the method.

    UseSharedDeviceKeys (boolean)
        If 'true', the system uses the same signing and encryption keys for all users. Only supported on the device channel.
        Default: false

    AccountDisplayName (string)
        The display name for the account in notifications and authentication requests.

    LoginFrequency (integer)
        The duration, in seconds, until the system requires a full login instead of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 (1 hour).
        Default: 64800

    EnableCreateUserAtLogin (boolean)
        Enables creating users at the Login Window with an 'AuthenticationMethod' of either 'Password' or 'SmartCard'. Requires that 'UseSharedDeviceKeys' is 'true'.
        Default: false

    EnableAuthorization (boolean)
        Enables using identity provider accounts at authorization prompts. Requires that 'UseSharedDeviceKeys' is 'true'. The system assigns groups using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.
        Default: false

    TokenToUserMapping (dict)
        The attribute mapping to use when creating users, or for authorization.

        AccountName (string)
            The claim name to use for the user's account name.

        FullName (string)
            The claim name to use for the user's full name.

    NewUserAuthorizationMode (string)
        The permission to apply to newly created accounts at login. Allowed values:
        - 'Standard': The account is a standard user.
        - 'Admin': The system adds the account to the local administrators group.
        - 'Groups': The system assigns groups to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.
        - 'Temporary': The system uses a temporary session configuration for newly created accounts at login.

    UserAuthorizationMode (string)
        The permission to apply to an account each time the user authenticates. Allowed values:
        - 'Standard': The account is a standard user.
        - 'Admin': The system adds the account to the local administrators group.
        - 'Groups': The system assigns groups to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.

    AdministratorGroups (array)
        The list of groups to use for administrator access. The system requests membership during authentication.

        Group (string)
            The group name.

    AdditionalGroups (array)
        The list of created groups that don't have administrator access.

        Group (string)
            The group name.

    AuthorizationGroups (dict)
        The pairing of Authorization Rights to group names. When using this, the system updates the Authorization Right to use the group.

        {{key}} (string, required) -> {{value}} (string, required)
            The key is an access right value; the value is the group to associate with that access right.

    FileVaultPolicy (array)
        The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.

        policy (string, required)
            Allowed values:
            * AttemptAuthentication
              Platform SSO authentication is attempted before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then a successful Platform SSO authentication is required to proceed, even if taken offline.
            * RequireAuthentication
              Platform SSO authentication is required before proceeding. If the device is offline and 'AllowOfflineGracePeriod' is enabled, then the 'OfflineGracePeriod' is used to determine whether the user can proceed. If online and the credential is incorrect, then a valid Platform SSO authentication is required to proceed regardless of the 'OfflineGracePeriod'. If the account is not registered for Platform SSO and 'AllowAuthenticationGracePeriod' is enabled, then the 'AuthenticationGracePeriod' is used to determine whether the user can proceed.
            * AllowOfflineGracePeriod
              Allow the use of the 'OfflineGracePeriod' when 'RequireAuthentication' is enabled. If 'AllowOfflineGracePeriod' is not set, then offline access is denied.
            * AllowAuthenticationGracePeriod
              Allow the use of the 'AuthenticationGracePeriod' for other local accounts when 'RequireAuthentication' is enabled. The 'AuthenticationGracePeriod' starts when any of the policies have been updated. If 'AllowAuthenticationGracePeriod' is not set, then unregistered account access is denied.

    LoginPolicy (array)
        The policy to apply when using Platform SSO at the Login Window. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.

        policy (string, required)
            Allowed values: 'AttemptAuthentication', 'RequireAuthentication', 'AllowOfflineGracePeriod' and 'AllowAuthenticationGracePeriod', with the same meaning as for 'FileVaultPolicy'.

    UnlockPolicy (array)
        The policy to apply when using Platform SSO at screensaver unlock. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.

        policy (string, required)
            Allowed values: 'AttemptAuthentication', 'RequireAuthentication', 'AllowOfflineGracePeriod' and 'AllowAuthenticationGracePeriod', with the same meaning as for 'FileVaultPolicy', plus:
            * AllowTouchIDOrWatchForUnlock
              Allow Touch ID or Apple Watch to unlock the screensaver instead of Platform SSO authentication when 'RequireAuthentication' is enabled.

    OfflineGracePeriod (integer)
        The amount of time after the last successful Platform SSO login for using a local account password offline. Required when setting 'AllowOfflineGracePeriod'. Available in macOS 15 and later.

    AuthenticationGracePeriod (integer)
        The amount of time after receiving or updating a 'FileVaultPolicy', 'LoginPolicy', or 'UnlockPolicy' that the system can use unregistered local accounts. Required when 'AllowAuthenticationGracePeriod' is set. Available in macOS 15 and later.

    NonPlatformSSOAccounts (array)
        The list of local accounts that aren't subject to the 'FileVaultPolicy', 'LoginPolicy', or 'UnlockPolicy'. The accounts don't receive a prompt to register for Platform SSO. Available in macOS 15 and later.

        username (string, required)
            A local account username.
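The interplay of the three policy arrays, the two grace periods, NonPlatformSSOAccounts and AllowTouchIDOrWatchForUnlock described above, as an added decision model; this is not Apple's implementation and not code from this page. The PlatformSSO fragment, clock values and account names are constructed, and the "successful Platform SSO authentication is required ... even if taken offline" rule is modelled as a flag that a failed online attempt sets.

```python
"""Decision model for the PlatformSSO FileVaultPolicy, LoginPolicy and
UnlockPolicy arrays as this page describes them, including both grace periods,
NonPlatformSSOAccounts and AllowTouchIDOrWatchForUnlock. Added example: a model
of the documented rules, not Apple's implementation. Times are plain seconds."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    online: bool
    now: int                        # constructed clock, seconds
    last_psso_login: int | None     # last successful Platform SSO login, if any
    policy_updated_at: int          # when the policy arrays were last received
    psso_required_after_failure: bool = False  # set by a failed online attempt


@dataclass
class Attempt:
    username: str
    registered: bool            # account is registered for Platform SSO
    local_password_ok: bool
    psso_credential_ok: bool    # outcome of the IdP check; only used when online
    touch_id_or_watch: bool = False


def evaluate(psso: dict, which: str, device: Device, attempt: Attempt) -> tuple[bool, str]:
    """Return (proceed, reason). `which` selects 'FileVaultPolicy', 'LoginPolicy'
    or 'UnlockPolicy' from the PlatformSSO dict `psso`."""
    policy = set(psso.get(which, []))
    if attempt.username in psso.get("NonPlatformSSOAccounts", []):
        return attempt.local_password_ok, "account not subject to the policy"

    if "RequireAuthentication" in policy:
        if (which == "UnlockPolicy" and "AllowTouchIDOrWatchForUnlock" in policy
                and attempt.touch_id_or_watch):
            return True, "Touch ID or Watch accepted for unlock"
        if not attempt.registered:
            if "AllowAuthenticationGracePeriod" not in policy:
                return False, "unregistered account denied"
            grace = psso.get("AuthenticationGracePeriod")
            if grace is None:
                raise ValueError("AuthenticationGracePeriod is required with AllowAuthenticationGracePeriod")
            if device.now - device.policy_updated_at <= grace:
                return attempt.local_password_ok, "unregistered account within AuthenticationGracePeriod"
            return False, "AuthenticationGracePeriod expired"
        if device.online:
            return _online_check(device, attempt, "Platform SSO authentication required")
        if device.psso_required_after_failure:
            return False, "Platform SSO authentication required after an online failure"
        if "AllowOfflineGracePeriod" not in policy:
            return False, "offline access denied"
        grace = psso.get("OfflineGracePeriod")
        if grace is None:
            raise ValueError("OfflineGracePeriod is required with AllowOfflineGracePeriod")
        if device.last_psso_login is not None and device.now - device.last_psso_login <= grace:
            return attempt.local_password_ok, "offline, within OfflineGracePeriod"
        return False, "OfflineGracePeriod expired"

    if "AttemptAuthentication" in policy:
        if device.online:
            return _online_check(device, attempt, "Platform SSO attempted online")
        if device.psso_required_after_failure:
            return False, "Platform SSO authentication required after an online failure"
        return attempt.local_password_ok, "offline, local password accepted"

    return attempt.local_password_ok, "no Platform SSO policy for this context"


def _online_check(device: Device, attempt: Attempt, reason: str) -> tuple[bool, str]:
    """Online, the IdP decides. A failure is remembered so that a later offline
    attempt cannot fall back to the local password; a success resets the clock."""
    if attempt.psso_credential_ok:
        device.last_psso_login = device.now
        device.psso_required_after_failure = False
    else:
        device.psso_required_after_failure = True
    return attempt.psso_credential_ok, reason


# Constructed PlatformSSO fragment: strict at FileVault unlock and login, a
# one-day offline grace period, a one-hour window for unregistered accounts at
# the Login Window only, and one local break-glass account left outside it.
SAMPLE_PSSO = {
    "AuthenticationMethod": "Password",
    "FileVaultPolicy": ["RequireAuthentication", "AllowOfflineGracePeriod"],
    "LoginPolicy": ["RequireAuthentication", "AllowOfflineGracePeriod",
                    "AllowAuthenticationGracePeriod"],
    "UnlockPolicy": ["RequireAuthentication", "AllowOfflineGracePeriod",
                     "AllowTouchIDOrWatchForUnlock"],
    "OfflineGracePeriod": 86400,
    "AuthenticationGracePeriod": 3600,
    "NonPlatformSSOAccounts": ["localadmin"],
}
```

Note that Touch ID or Watch only short-circuits 'UnlockPolicy'; the same attempt against 'FileVaultPolicy' still needs the local password within the offline grace period.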
    AllowDeviceIdentifiersInAttestation (boolean)
        If 'true', the system includes the device UDID and serial number in Platform SSO attestations.
        Default: false

    EnableCreateFirstUserDuringSetup (boolean)
        If 'true', the device uses Platform SSO to create the first user account on the Mac during 'Setup Assistant'.
        Default: true

    NewUserAuthenticationMethods (array)
        The set of authentication methods to use for newly created accounts at login or during 'Setup Assistant'. The system uses 'Password' and 'SmartCard' if this key isn't present.

        NewUserAuthenticationMethod (string)
            An authentication method to use for newly created accounts at login or during 'Setup Assistant'. Allowed values:
            - 'Password': The account uses a password for authentication.
            - 'SmartCard': The account uses a smart card for authentication.
            - 'AccessKey': The account uses an access key for authentication.

    AccessKeyReaderGroupIdentifier (data)
        The reader group identifier for use with the 'AccessKey'. The value needs to match the configured access key. Required if 'NewUserAuthenticationMethods' contains 'AccessKey'.

    AccessKeyTerminalIdentityUUID (string)
        The 'PayloadUUID' of an identity payload to use as the 'Terminal' identity of the access key. The identity needs to be trusted by the access key. Required if 'NewUserAuthenticationMethods' includes 'AccessKey'. Allowed identity payload types:
        - 'com.apple.security.pkcs12'
        - 'com.apple.security.acme'
        - 'com.apple.security.scep'

    AccessKeyReaderIssuerCertificateUUID (string): Access Key Reader Issuer Certificate UUID
        The 'PayloadUUID' of a certificate payload for the issuer certificate of the 'Terminal' identity of the access key. Other specifications refer to the key as the "Reader CA Public Key". The key must be an elliptic curve key. Required if 'NewUserAuthenticationMethods' includes 'AccessKey'. The issuer of the 'Terminal' identity of the access key needs to match this certificate; otherwise the device fails the authentication.

    AllowAccessKeyExpressMode (boolean)
        If 'true', the system uses the access key in express mode, and doesn't require authentication before use.
        Default: false

    SynchronizeProfilePicture (boolean)
        If 'true', the system requests the user's profile picture from the SSO extension.
        Default: false

    TemporarySessionQuickLogin (boolean)
        If 'true', the system uses a quicker login behavior for Authenticated Guest Mode on the Mac. After each session completes, the system erases user data from only select locations in the user home directory; once every eight hours it erases the full user home directory after a session completes. Turn this on for shared environments that have a high frequency of short sessions.
        Default: false

    EnableRegistrationDuringSetup (boolean)
        If 'true', the system enables the Platform SSO registration process during Setup Assistant on devices running macOS 26 and later. Set this key to 'true' when configuring Platform SSO before enrollment using the 'com.apple.psso.required' error response.
        Default: false
RegistrationToken (string): Registration Token
    The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'AuthenticationMethod' in 'PlatformSSO' isn't empty. Available in macOS 13 and later.
hostnamerequired
string
Hostname / Domain name
A host or domain name, with or without a leading dot.
—
—
URLrequired
string
URL
An http or https URL prefix.
—
—
bundleIdentifierrequired
string
Bundle Identifier
The bundle identifier of the app.
—
—
allowAutomaticLogin
boolean
Allow Automatic Login
If 'false', the system doesn't allow saving passwords in the keychain.
true
—
allowPasswordChange
boolean
Allow Password Change
If 'false', the system disables password changes. Available in macOS 10.15 and later.
true
—
usePlatformSSOTGT
boolean
Use Platform SSO TGT
If 'true', the system requires this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later.
false
—
allowPlatformSSOAuthFallback
boolean
Allow Platform SSO Authentication Fallback
If 'true' and 'usePlatformSSOTGT' is 'true', the system allows the user to manually sign in. Available in macOS 13 and later.
true
—
performKerberosOnly
boolean
Perform Kerberos Requests Only
If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Available in macOS 13 and later.
false
—
cacheName
string
Cache Name
The GSS name of the Kerberos cache to use. Rarely set by an administrator.
—
—
certificateUUID
string
Certificate UUID
The PayloadUUID of a PKINIT certificate.
—
—
credentialBundleIdACL
array
Credential Bundle ID ACL
A list of bundle IDs allowed to access the ticket-granting ticket (TGT).
—
—
credentialBundleIdACLItem
string
Bundle ID
Bundle IDs allowed to access the TGT. These values are case sensitive.
—
—
credentialUseMode
string
Credential Use Mode
This setting affects how other processes use the Kerberos Extension credential. Allowed values:
- 'always': The system always uses the credential if the SPN matches the Kerberos Extension 'Hosts' array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIdACL'.
- 'whenNotSpecified': The system only uses the extension credential if the SPN matches the Kerberos Extension 'Hosts' array. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIdACL'.
- 'kerberosDefault': The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability.
Available in macOS 11 and later.
"always"
customUsernameLabel
string
Custom Username Label
The custom user name label used in the Kerberos extension instead of "Username," such as "Company ID". Available in macOS 11 and later.
—
—
delayUserSetup
boolean
Delay User Setup
If 'true', the system doesn't prompt the user to set up the Kerberos extension until either the administrator enables it with the 'app-sso' tool or the system receives a Kerberos challenge. Available in macOS 11 and later.
false
—
helpText
string
Help Text
The text to display to the user at the bottom of the Kerberos Login Window. You can also use this to display help information or disclaimer text. Available in iOS 14 and later, and macOS 11 and later.
—
—
isDefaultRealm
boolean
Is Default Realm
Specifies whether this is the default realm if there's more than one Kerberos extension configuration.
false
—
includeManagedAppsInBundleIdACL
boolean
Include Managed Apps in Bundle ID ACL
If 'true', the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the 'credentialBundleIdACL', if you specify that value. Available in iOS 14 and later, and macOS 12 and later.
false
—
includeKerberosAppsInBundleIdACL
boolean
Include Kerberos Apps in Bundle ID ACL
If 'true', the Kerberos extension allows the standard Kerberos utilities including 'TicketViewer' and 'klist' to access and use the credential. This is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', if you specify those values. Available in macOS 12 and later.
false
—
monitorCredentialsCache
boolean
Monitor Credential Cache
If 'false', the system requests the credential on the next matching Kerberos challenge or network state change. If the credential is expired or missing, the system creates a new one. Available in macOS 11 and later.
true
—
principalName
string
Principal Name
The principal (username) to use. You don't need to include the realm.
—
—
preferredKDCs
array
Preferred KDCs
The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If servers are specified, the system uses them for connectivity checks and tries them first for Kerberos traffic. If they don't respond, the device falls back to DNS discovery. Format each entry as you would in a 'krb5.conf' file, for example:
- 'adserver1.example.com'
- 'tcp/adserver1.example.com:88'
- 'kkdcp://kerberosproxy.example.com:443/kkdcp'
—
—
preferredKDCrequired
string
Key Distribution Center
A host or domain name in the format of [protocol/]hostname[:port][/path]
—
—
pwChangeURL
string
Password Change URL
This URL will launch in the user's default web browser when they initiate a password change. Available in macOS 10.15 and later.
—
—
pwNotificationDays
integer
Password Notification Days
The number of days prior to password expiration when the system sends a notification of password expiration to the user. Available in macOS 10.15 and later.
15
—
pwExpireOverride
integer
Password Expiration Override
The number of days that the system allows using passwords on this domain. For most domains, this calculation is automatic. Available in macOS 10.15 and later.
—
—
pwReqComplexity
boolean
Password Requirement Complexity
If 'true', the system requires passwords to meet Active Directory's definition of "complex". Available in macOS 10.15 and later.
false
—
pwReqHistory
integer
Password Requirement History
The number of prior passwords that the system disallows reuse on this domain. Available in macOS 10.15 and later.
—
—
pwReqLength
integer
Password Requirement Length
The minimum length of passwords on the domain. Available in macOS 10.15 and later.
—
—
pwReqMinAge
integer
Password Requirement Minimum Age
The minimum age of passwords before the system allows changing them on this domain. Available in macOS 10.15 and later.
—
—
pwReqText
string
Password Requirement Text
The text version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 10.15 and later.
—
—
pwReqRTFData
data
—
The RTF file formatted version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 15 and later.
—
—
replicationTime
integer
Replication Time
The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension uses this when checking password age after a change. Available in macOS 11 and later.
900
—
requireTLSForLDAP
boolean
Require TLS for LDAP
Require that LDAP connections use TLS. Available in macOS 11 and later.
false
—
requireUserPresence
boolean
Require User Presence
If 'true', the system requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry.
false
—
siteCode
string
Site Code
The name of the Active Directory site the Kerberos extension should use. Most administrators don't need to modify this value, as the Kerberos extension can normally find the site automatically.
—
—
syncLocalPassword
boolean
Sync Local Password
If 'false', the system disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later.
false
—
useSiteAutoDiscovery
boolean
Use Site Auto Discovery
If 'false', the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name.
true
—
domainRealmMapping
dict
—
A custom domain-realm mapping for Kerberos. The system uses this when the DNS name of hosts doesn't match the realm name. Most administrators don't need to customize this.
—
—
Realm
array
—
The key should be the name of the realm, and the value is an array of DNS suffixes that map to the realm.
—
—
RealmItem
string
—
Domains to map to the realm
—
—
Enable_SSO_On_All_ManagedApps
integer
Enable SSO on All Managed Apps
—
0
AppAllowList
string
App Allow List
Enable SSO for specific apps
—
—
AppPrefixAllowList
string
App Prefix Allow List
Enable SSO for all apps with a specific bundle ID prefix
—
—
AppBlockList
string
App Block List
Disable SSO for specific apps
—
—
AppCookieSSOAllowList
string
App Cookie SSO Allow List
Enable SSO through cookies for a specific application
—
—
browser_sso_interaction_enabled
integer
Allow Users to Sign in from Unknown Applications using the Safari Browser
—
0
browser_sso_disable_mfa
integer
Disable Asking for MFA During Initial Bootstrapping
—
0
disable_explicit_app_prompt
integer
Disable OAuth2 Application Prompts
—
0
disable_explicit_app_prompt_and_autologin
integer
Disable OAuth2 Application Prompts and Autologin
—
0
identityIssuerAutoSelectFilter
string
—
A string with wildcards that can be used to filter the list of available SmartCards by issuer, e.g. "*My CA2*". If one card remains, it's auto-selected. If more than one remains, the list is shorter. Available in macOS 15 and later.
—
—
allowSmartCard
boolean
—
If 'true', allow the user to switch the user interface to SmartCard mode. Available in macOS 15 and later.
true
—
allowPassword
boolean
—
If 'true', allow the user to switch the user interface to Password mode. Available in macOS 15 and later.
true
—
startInSmartCardMode
boolean
—
If 'true', the user interface will start in SmartCard mode. Available in macOS 15 and later.
false
—
AuthenticationMethod
string
—
The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method.
—
UseSharedDeviceKeys
boolean
—
If 'true', the system uses the same signing and encryption keys for all users. Only supported on the device channel.
false
—
AccountDisplayName
string
—
The display name for the account in notifications and authentication requests.
—
—
LoginFrequency
integer
—
The duration, in seconds, until the system requires a full login instead of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 (1 hour).
64800
EnableCreateUserAtLogin
boolean
—
Enables creating users at the Login Window with an 'AuthenticationMethod' of either 'Password' or 'SmartCard'. Requires that 'UseSharedDeviceKeys' is 'true'.
false
—
EnableAuthorization
boolean
—
Enables using identity provider accounts at authorization prompts. Requires that 'UseSharedDeviceKeys' is 'true'. The system assigns groups using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.
false
—
TokenToUserMapping
dict
—
The attribute mapping to use when creating users, or for authorization.
—
—
AccountName
string
—
The claim name to use for the user's account name.
—
—
FullName
string
—
The claim name to use for the user's full name.
—
—
NewUserAuthorizationMode
string
—
The permission to apply to newly created accounts at login. Allowed values:
- 'Standard': The account is a standard user.
- 'Admin': The system adds the account to the local administrators group.
- 'Groups': The system assigns groups to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.
- 'Temporary': The system uses a temporary session configuration for newly created accounts at login.
—
UserAuthorizationMode
string
—
The permission to apply to an account each time the user authenticates. Allowed values:
- 'Standard': The account is a standard user.
- 'Admin': The system adds the account to the local administrators group.
- 'Groups': The system assigns groups to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'.
—
AdministratorGroups
array
—
The list of groups to use for administrator access. The system requests membership during authentication.
—
—
Group
string
—
The group name.
—
—
AdditionalGroups
array
—
The list of created groups that don't have administrator access.
—
—
Group
string
—
The group name.
—
—
AuthorizationGroups
dict
—
The pairing of Authorization Rights to group names. When using this, the system updates the Authorization Right to use the group.
—
—
{{key}}required
string
—
—
—
—
{{value}}required
string
—
The key is an access right value, the value is the group to be associated with that access right.
—
—
FileVaultPolicy
array
—
The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.
—
—
policyrequired
string
—
Allowed values:
- 'AttemptAuthentication': Platform SSO authentication is attempted before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then a successful Platform SSO authentication is required to proceed, even if taken offline.
- 'RequireAuthentication': Platform SSO authentication is required before proceeding. If the device is offline and 'AllowOfflineGracePeriod' is enabled, then the 'OfflineGracePeriod' is used to determine if the user can proceed or not. If online and the credential is incorrect, then a valid Platform SSO authentication is required to proceed regardless of the 'OfflineGracePeriod'. If the account is not registered for Platform SSO and 'AllowAuthenticationGracePeriod' is enabled, then the 'AuthenticationGracePeriod' is used to determine if the user can proceed or not.
- 'AllowOfflineGracePeriod': Allow the use of the 'OfflineGracePeriod' when 'RequireAuthentication' is enabled. If 'AllowOfflineGracePeriod' is not set, then offline access is denied.
- 'AllowAuthenticationGracePeriod': Allow the use of the 'AuthenticationGracePeriod' for other local accounts when 'RequireAuthentication' is enabled. The 'AuthenticationGracePeriod' starts when any of the policies have been updated. If 'AllowAuthenticationGracePeriod' is not set, then unregistered account access is denied.
—
LoginPolicy
array
—
The policy to apply when using Platform SSO at the Login Window. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.
—
—
policyrequired
string
—
Allowed values:
- 'AttemptAuthentication': Platform SSO authentication is attempted before proceeding. If offline, login will continue if the local account password matches. If online and the credential is incorrect, then a successful Platform SSO authentication is required to proceed, even if taken offline.
- 'RequireAuthentication': Platform SSO authentication is required before proceeding. If the device is offline and 'AllowOfflineGracePeriod' is enabled, then the 'OfflineGracePeriod' is used to determine if the user can proceed or not. If online and the credential is incorrect, then a valid Platform SSO authentication is required to proceed regardless of the 'OfflineGracePeriod'. If the account is not registered for Platform SSO and 'AllowAuthenticationGracePeriod' is enabled, then the 'AuthenticationGracePeriod' is used to determine if the user can proceed or not.
- 'AllowOfflineGracePeriod': Allow the use of the 'OfflineGracePeriod' when 'RequireAuthentication' is enabled. If 'AllowOfflineGracePeriod' is not set, then offline access is denied.
- 'AllowAuthenticationGracePeriod': Allow the use of the 'AuthenticationGracePeriod' for other local accounts when 'RequireAuthentication' is enabled. The 'AuthenticationGracePeriod' starts when any of the policies have been updated. If 'AllowAuthenticationGracePeriod' is not set, then unregistered account access is denied.
—
UnlockPolicy
array
—
The policy to apply when using Platform SSO at screensaver unlock. Applies when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later.
—
—
policyrequired
string
—
Allowed values:
- 'AttemptAuthentication': Platform SSO authentication is attempted before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then a successful Platform SSO authentication is required to proceed, even if taken offline.
- 'RequireAuthentication': Platform SSO authentication is required before proceeding. If the device is offline and 'AllowOfflineGracePeriod' is enabled, then the 'OfflineGracePeriod' is used to determine if the user can proceed or not. If online and the credential is incorrect, then a valid Platform SSO authentication is required to proceed regardless of the 'OfflineGracePeriod'. If the account is not registered for Platform SSO and 'AllowAuthenticationGracePeriod' is enabled, then the 'AuthenticationGracePeriod' is used to determine if the user can proceed or not.
- 'AllowOfflineGracePeriod': Allow the use of the 'OfflineGracePeriod' when 'RequireAuthentication' is enabled. If 'AllowOfflineGracePeriod' is not set, then offline access is denied.
- 'AllowAuthenticationGracePeriod': Allow the use of the 'AuthenticationGracePeriod' for other local accounts when 'RequireAuthentication' is enabled. The 'AuthenticationGracePeriod' starts when any of the policies have been updated. If 'AllowAuthenticationGracePeriod' is not set, then unregistered account access is denied.
- 'AllowTouchIDOrWatchForUnlock': Allow Touch ID or Apple Watch to unlock the screensaver instead of Platform SSO authentication when 'RequireAuthentication' is enabled.
—
OfflineGracePeriod
integer
—
The amount of time after the last successful Platform SSO login for using a local account password offline. Required when setting 'AllowOfflineGracePeriod'. Available in macOS 15 and later.
—
—
AuthenticationGracePeriod
integer
—
The amount of time after receiving or updating a 'FileVaultPolicy', 'LoginPolicy', or 'UnlockPolicy' that the system can use unregistered local accounts. Required when 'AllowAuthenticationGracePeriod' is set. Available in macOS 15 and later.
—
—
NonPlatformSSOAccounts
array
—
The list of local accounts that aren't subject to the 'FileVaultPolicy', 'LoginPolicy', or 'UnlockPolicy'. The accounts don't receive a prompt to register for Platform SSO. Available in macOS 15 and later.
—
—
usernamerequired
string
—
A local account username.
—
—
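A model of the policy evaluation described for 'FileVaultPolicy', 'LoginPolicy' and 'UnlockPolicy', written here as an added example and not as Apple's implementation: it checks a policy array against the dependent keys ('OfflineGracePeriod', 'AuthenticationGracePeriod', 'NonPlatformSSOAccounts') and decides, for a constructed attempt, whether the flags let the user proceed. The 'Context' fields and the sample configuration are assumptions made for this model.

```python
from __future__ import annotations
from dataclasses import dataclass

# Flag names exactly as the 'policy' sub-key accepts them.
ATTEMPT = "AttemptAuthentication"
REQUIRE = "RequireAuthentication"
OFFLINE_GRACE = "AllowOfflineGracePeriod"
AUTH_GRACE = "AllowAuthenticationGracePeriod"
TOUCHID = "AllowTouchIDOrWatchForUnlock"
ALL_FLAGS = {ATTEMPT, REQUIRE, OFFLINE_GRACE, AUTH_GRACE, TOUCHID}

# Constructed sample of the payload keys this model reads (not a real deployment).
EXAMPLE_CONFIG = {
    "AuthenticationMethod": "Password",
    "LoginPolicy": [REQUIRE, OFFLINE_GRACE, AUTH_GRACE],
    "UnlockPolicy": [REQUIRE, OFFLINE_GRACE, TOUCHID],
    "OfflineGracePeriod": 86400,        # seconds since the last Platform SSO login
    "AuthenticationGracePeriod": 3600,  # seconds since the policy was last updated
    "NonPlatformSSOAccounts": ["localadmin"],
}


@dataclass
class Context:
    """Assumed attributes of one attempt (hypothetical; not an Apple API)."""
    online: bool
    registered: bool              # account completed Platform SSO registration
    psso_credential_ok: bool      # IdP accepted the credential (only meaningful when online)
    local_password_ok: bool
    secs_since_psso_login: int    # since the last successful Platform SSO login
    secs_since_policy_update: int
    biometric_or_watch: bool = False  # Touch ID or Apple Watch presented at unlock


def validate_policy(config: dict, key: str) -> list[str]:
    """Return configuration errors that make the policy array at `key` unusable."""
    errors = []
    policy = set(config.get(key, []))
    if config.get("AuthenticationMethod") != "Password":
        errors.append(f"{key} applies only when AuthenticationMethod is 'Password'")
    for flag in sorted(policy - ALL_FLAGS):
        errors.append(f"{key}: unknown policy value '{flag}'")
    if TOUCHID in policy and key != "UnlockPolicy":
        errors.append(f"{key}: {TOUCHID} is only meaningful for UnlockPolicy")
    if OFFLINE_GRACE in policy and "OfflineGracePeriod" not in config:
        errors.append("OfflineGracePeriod is required when AllowOfflineGracePeriod is set")
    if AUTH_GRACE in policy and "AuthenticationGracePeriod" not in config:
        errors.append("AuthenticationGracePeriod is required when AllowAuthenticationGracePeriod is set")
    if (policy & {OFFLINE_GRACE, AUTH_GRACE}) and REQUIRE not in policy:
        errors.append(f"{key}: grace periods only take effect with {REQUIRE}")
    return errors


def decide(config: dict, key: str, username: str, ctx: Context) -> tuple[bool, str]:
    """Return (proceed, reason) for one attempt under the policy array at `key`."""
    policy = set(config.get(key, []))
    if username in config.get("NonPlatformSSOAccounts", []):
        return ctx.local_password_ok, "account exempt from the Platform SSO policy"
    if REQUIRE in policy:
        if key == "UnlockPolicy" and TOUCHID in policy and ctx.biometric_or_watch:
            return True, "Touch ID or Watch accepted instead of Platform SSO"
        if not ctx.registered:
            # Unregistered accounts proceed only inside the AuthenticationGracePeriod,
            # which starts when any of the policies was last updated.
            if AUTH_GRACE in policy and ctx.secs_since_policy_update <= config["AuthenticationGracePeriod"]:
                return ctx.local_password_ok, "unregistered account inside AuthenticationGracePeriod"
            return False, "unregistered account denied"
        if not ctx.online:
            # Offline: the local password counts only inside the OfflineGracePeriod,
            # measured from the last successful Platform SSO login.
            if OFFLINE_GRACE in policy and ctx.secs_since_psso_login <= config["OfflineGracePeriod"]:
                return ctx.local_password_ok, "offline inside OfflineGracePeriod"
            return False, "offline access denied"
        # Online: an incorrect credential is denied regardless of any grace period.
        return ctx.psso_credential_ok, "online Platform SSO result"
    if ATTEMPT in policy:
        if not ctx.online:
            return ctx.local_password_ok, "offline, local account password accepted"
        return ctx.psso_credential_ok, "online Platform SSO result"
    return ctx.local_password_ok, "no Platform SSO policy applies"
```

Run validate_policy over each of the three policy keys before deploying a profile; a grace flag without its period key, or 'AllowTouchIDOrWatchForUnlock' outside 'UnlockPolicy', is reported rather than silently ignored.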
AllowDeviceIdentifiersInAttestation
boolean
—
If 'true', the system includes the device UDID and serial number in Platform SSO attestations.
false
—
EnableCreateFirstUserDuringSetup
boolean
—
If 'true', the device uses Platform SSO to create the first user account on the Mac during 'Setup Assistant'.
true
—
NewUserAuthenticationMethods
array
—
The set of authentication methods to use for newly created accounts at login or during 'Setup Assistant'. The system uses 'Password' and 'SmartCard' if this key isn't present.
—
—
NewUserAuthenticationMethod
string
—
An authentication method to use for newly created accounts at login or during 'Setup Assistant'. Allowed values:
- 'Password': The account uses a password for authentication.
- 'SmartCard': The account uses a smart card for authentication.
- 'AccessKey': The account uses an access key for authentication.
—
AccessKeyReaderGroupIdentifier
data
—
The reader group identifier for use with the 'AccessKey'. The value needs to match the configured access key. Required if 'NewUserAuthenticationMethods' contains 'AccessKey'.
—
—
AccessKeyTerminalIdentityUUID
string
—
The 'PayloadUUID' of an identity payload to use as the 'Terminal' identity of the access key. The identity needs to be trusted by the access key. Required if 'NewUserAuthenticationMethods' includes 'AccessKey'. Allowed identity payload types:
- 'com.apple.security.pkcs12'
- 'com.apple.security.acme'
- 'com.apple.security.scep'
—
—
AccessKeyReaderIssuerCertificateUUID
string
Access Key Reader Issuer Certificate UUID
The 'PayloadUUID' of a certificate payload for the issuer certificate of the 'Terminal' identity of the access key. Other specifications refer to the key as the "Reader CA Public Key". The key must be an elliptic curve key. Required if 'NewUserAuthenticationMethods' includes 'AccessKey'. The issuer of the Terminal identity of the access key needs to match this certificate, otherwise the device fails the authentication.
—
—
AllowAccessKeyExpressMode
boolean
—
If 'true', the system uses the access key in express mode, and doesn't require authentication before use.
false
—
SynchronizeProfilePicture
boolean
—
If 'true', the system requests the user's profile picture from the SSO extension.
false
—
TemporarySessionQuickLogin
boolean
—
If 'true', the system uses a quicker Authenticated Guest Mode login to Mac behavior. The system erases user data from only select locations in the user home directory after each session completes. Once every eight hours the system erases the full user home directory after a session completes. Turn this on for shared environments that have a high frequency of short sessions.
false
—
EnableRegistrationDuringSetup
boolean
—
If 'true', the system enables the PlatformSSO registration process during Setup Assistant on devices running macOS 26 and later. Set this key to 'true' when configuring PlatformSSO before enrollment using the 'com.apple.psso.required' error response.
false
—