
IBP – HARDEN – MacOS – Single Sign On

🎯 Purpose

✅ Establish a baseline macOS Single Sign‑On (SSO) framework configuration, aligned to Essential Eight – Maturity Level 1.

➡️ This policy lays the groundwork for future identity integration on macOS while intentionally avoiding enforcement or user‑experience disruption at the Initial Baseline Hardening (IBP) stage.


👥 Who is affected

Devices: All macOS devices
🚫 Exclusions: None

➡️ Every enrolled macOS device receives the baseline SSO and login‑window configuration.


🍎 What is configured

macOS platform features:

  • Login window behaviour

  • Session and power controls

  • macOS Single Sign‑On (SSO) extension presence (the extension is deployed but not bound to any app or host)

SSO framework:

  • Entra ID (Azure AD) SSO extension is present

  • No apps bound

  • No authentication rules enforced

➡️ This ensures macOS devices are prepared for future SSO enablement without changing current sign‑in behaviour.


🔐 How SSO is handled

✅ macOS Entra ID SSO extension is installed
✅ Shared Device Mode is disabled
✅ No access control lists configured (the extension is not scoped to any app or host)
✅ No SSO mappings or app associations defined

➡️ Users continue to sign in normally; SSO is not enforced at this stage.

ℹ️ Note: This policy acts as a foundation only. Active SSO enforcement is typically introduced at Maturity Levels 2 or 3.
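One way to check that a deployed profile actually matches this baseline state, as an added example that is not part of this policy page or of Microsoft's or Apple's tooling: the script below constructs an Extensible SSO configuration profile in the baseline state described above and audits any exported .mobileconfig for deviations (extension missing, Type other than Redirect, Hosts bound, or ExtensionData keys set, which is where app allow lists and shared device mode live). The extension identifier and team identifier are the ones Microsoft documents for its Enterprise SSO plug‑in, the login URLs are Microsoft's public endpoints, and the PayloadIdentifier/PayloadUUID values and the AppPrefixAllowList key used for the deviant sample are assumptions, none of them taken from this page.

```python
"""Audit an Extensible SSO .mobileconfig against the IBP macOS SSO baseline.

Added example, not the policy's own code. Identifiers below are assumed
from Microsoft's Enterprise SSO plug-in documentation; sample profiles
are constructed inline so this runs offline.
"""
import plistlib

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
ENTRA_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"  # assumed
ENTRA_TEAM_ID = "UBF8T346G9"                                          # assumed
# ExtensionData keys the tenant's baseline is allowed to set. Empty here,
# matching "no mappings, no app associations, shared device mode off".
BASELINE_ALLOWED_EXTENSION_KEYS = set()


def build_profile(extension_data=None, hosts=None, include_sso=True):
    """Construct a .mobileconfig (XML plist) with one Extensible SSO payload.

    With no arguments it is the baseline: extension present, Redirect type
    for the Entra ID login URLs, no ExtensionData and no Hosts.
    """
    sso_payload = {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.ibp.sso",  # hypothetical
        "PayloadUUID": "6E4F2C2A-0000-4000-8000-000000000001",  # hypothetical
        "PayloadVersion": 1,
        "ExtensionIdentifier": ENTRA_EXTENSION_ID,
        "TeamIdentifier": ENTRA_TEAM_ID,
        "Type": "Redirect",
        "URLs": [
            "https://login.microsoftonline.com",
            "https://login.microsoft.com",
            "https://sts.windows.net",
        ],
        "ExtensionData": dict(extension_data or {}),
    }
    if hosts:
        sso_payload["Hosts"] = list(hosts)
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.ibp.sso.profile",  # hypothetical
        "PayloadUUID": "6E4F2C2A-0000-4000-8000-000000000002",  # hypothetical
        "PayloadVersion": 1,
        "PayloadDisplayName": "IBP - macOS SSO baseline",
        "PayloadContent": [sso_payload] if include_sso else [],
    }
    return plistlib.dumps(profile)


def audit_sso_profile(mobileconfig: bytes) -> dict:
    """Return {'extension_present': bool, 'deviations': [str]}.

    An empty 'deviations' list means the profile matches the baseline.
    """
    profile = plistlib.loads(mobileconfig)
    sso_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    findings = {"extension_present": False, "deviations": []}
    if not sso_payloads:
        findings["deviations"].append("no Extensible SSO payload")
        return findings
    if len(sso_payloads) > 1:
        findings["deviations"].append("multiple Extensible SSO payloads")
    p = sso_payloads[0]
    findings["extension_present"] = (
        p.get("ExtensionIdentifier") == ENTRA_EXTENSION_ID
        and p.get("TeamIdentifier") == ENTRA_TEAM_ID
    )
    if not findings["extension_present"]:
        findings["deviations"].append("unexpected extension or team identifier")
    if p.get("Type") != "Redirect":
        findings["deviations"].append(
            f"Type is {p.get('Type')!r}, expected 'Redirect'")
    # Hosts is the Credential-type binding; the baseline binds nothing.
    if p.get("Hosts"):
        findings["deviations"].append(f"Hosts bound: {p['Hosts']}")
    # Any ExtensionData key outside the allowed set is an app list,
    # shared device mode or other rule the baseline does not enforce.
    extra = sorted(set(p.get("ExtensionData", {})) - BASELINE_ALLOWED_EXTENSION_KEYS)
    if extra:
        findings["deviations"].append(f"ExtensionData keys set: {extra}")
    return findings


if __name__ == "__main__":
    print("baseline:", audit_sso_profile(build_profile()))
    # Deviant sample: an app prefix allow list (key name assumed) has been set.
    print("deviant:", audit_sso_profile(
        build_profile(extension_data={"AppPrefixAllowList": "com.contoso."})))
```

To audit a real device, export the installed profile (for example with `profiles show` on the Mac or from the MDM console) and pass its plist bytes to `audit_sso_profile`; if the tenant's agreed baseline does set browser interaction keys, add those names to `BASELINE_ALLOWED_EXTENSION_KEYS` so only unexpected keys are reported.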


⚙️ What this policy does NOT enforce

🚫 Mandatory Single Sign‑On
🚫 Login window obfuscation or user hiding
🚫 Session, shutdown, restart, or sleep restrictions
🚫 Content caching roles
🚫 Domain‑based app associations
🚫 Network or device restrictions

➡️ This is intentional for Maturity Level 1, prioritising usability and stability.


🟢 Policy status

✅ Enabled
✅ Actively applied to all macOS devices
ℹ️ No user‑visible impact


📘 Essential Eight Alignment

✅ Supports Essential Eight Maturity Level 1 as an identity and device foundation (the Essential Eight has no SSO strategy of its own; this baseline underpins the later Multi‑factor Authentication uplift)
✅ Establishes a safe baseline for macOS identity integration
ℹ️ Enforced SSO, shared device scenarios, and domain‑based authentication are addressed in Maturity Levels 2 and 3


📘 Practical Interpretation (Executive‑Friendly)

This device configuration ensures that:

✅ Every macOS device
✅ Is prepared for future Entra ID Single Sign‑On
✅ Without changing how users log in today

This provides a clean, low‑risk identity foundation aligned to Essential Eight Maturity Level 1, enabling controlled uplift to stronger macOS identity and access controls in later maturity stages.
