Passwordless Authentication

Platform SSO & Identity

How I implemented macOS Platform SSO with Secure Enclave-backed authentication and Jamf Connect, eliminating legacy password-based authentication across the enterprise.

Problem

Patagonia's macOS fleet relied on traditional password-based authentication synced through Jamf Connect. Password resets were consistently the #1 IT ticket driver. Users regularly forgot passwords, got locked out, or used weak credentials. Shared credentials created security risks. Onboarding was slowed by password setup complexity. With 1,500+ Macs in the fleet, the cumulative support cost was significant.

Decision

Adopted Platform SSO using the Secure Enclave authentication method, with Entra ID as the identity provider and Jamf Connect handling the local account. The user authenticates with Touch ID (or the local account password), and the Secure Enclave holds a device-bound private key that never leaves the chip; that key signs the assertion the SSO extension sends to Entra ID, which returns the tokens that feed single sign-on across apps. The Entra ID password is neither stored on the Mac nor typed at the login window, so a phishing page has nothing to harvest and there is no password for IT to reset. The local account keeps a password of its own, because FileVault needs it at boot before Touch ID or the Secure Enclave key can be used, but that password is now decoupled from the cloud credential rather than a synced copy of it. The architecture leverages Apple's hardware security to create a phishing-resistant authentication flow that also eliminates the password reset support burden.

Architecture: Platform SSO Flow

(Diagram, rendered here as a component list.)

macOS device
  • Touch ID: user biometric authentication
  • Secure Enclave: device-bound signing and encryption keys that protect stored tokens and sign the exchange with Entra ID
  • Jamf Connect: local account creation and sync; password-less enforcement
Entra ID
  • Identity provider: token validation, Conditional Access and MFA policies
Platform SSO
  • Single sign-on across all macOS apps and services

Properties: no passwords stored on the device · phishing-resistant · fits a Zero Trust architecture · hardware-backed · least-privilege · cloud-native

Implementation

The rollout was phased across four stages:

  • Phase 1 — Jamf Connect Deployment: Deployed Jamf Connect to the entire fleet, establishing Entra ID as the identity provider and enabling local account creation synced with cloud credentials.
  • Phase 2 — Platform SSO Configuration: Configured the Extensible Single Sign-On payload with its Platform SSO settings in Jamf Pro, selecting the Secure Enclave authentication method (the Password method would have kept syncing the cloud password into the local account) and targeting macOS 13 Ventura and later, since earlier releases have no Platform SSO. Registered the SSO extension with Entra ID and scoped the profile to the macOS fleet at the device level, which Platform SSO requires.
  • Phase 3 — Pilot Group: Rolled out to a 50-user pilot group including IT staff and early adopters. Monitored authentication success rates, ticket volume, and user feedback.
  • Phase 4 — Fleet-Wide Rollout: Deployed to all 1,500+ Macs over 4 weeks. Communication campaign included Slack announcements, documentation, and office hours for questions.
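As an added example (not the author's Jamf Pro configuration), the script below builds the Extensible Single Sign-On payload with the Platform SSO dictionary set to the Secure Enclave method, serializes it to a .mobileconfig with the standard library's plistlib, and audits a profile for the settings that would quietly undo the design: the Password authentication method (which syncs the Entra ID password into the local account), a user-scoped profile, a non-https login URL, or admin-by-default account creation. The extension identifier, team ID, login URLs and PlatformSSO key names are assumptions taken from Apple's and Microsoft's published payload documentation, and the payload identifiers are placeholders; confirm all of them against current documentation and add whatever registration token your MDM requires before deploying.

```python
import plistlib
import uuid

# Microsoft Enterprise SSO extension (ships with Company Portal). Values as
# published by Microsoft; an assumption here, confirm before deploying.
MS_SSO_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
ENTRA_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]


def build_sso_payload(authentication_method="UserSecureEnclaveKey"):
    """com.apple.extensiblesso payload carrying the PlatformSSO dictionary.

    "UserSecureEnclaveKey" registers a Secure Enclave key pair and keeps the
    Entra ID password off the Mac; "Password" is the legacy mode that syncs
    the cloud password into the local account. Key names follow Apple's
    Extensible SSO payload documentation (assumed; verify against current docs).
    """
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.psso.entra",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ExtensionIdentifier": MS_SSO_EXTENSION,
        "TeamIdentifier": MS_TEAM_ID,
        "Type": "Redirect",  # Entra ID uses a redirect-type extension
        "URLs": list(ENTRA_LOGIN_URLS),
        "PlatformSSO": {
            "AuthenticationMethod": authentication_method,
            "UseSharedDeviceKeys": True,
            # Jamf Connect creates the local account in this design; set True
            # (macOS 14+) to let Platform SSO create accounts at the login window.
            "EnableCreateUserAtLogin": False,
            # Least privilege: any account Platform SSO creates is a standard user.
            "NewUserAuthorizationMode": "Standard",
            "TokenToUserMapping": {"AccountName": "preferred_username",
                                   "FullName": "name"},
        },
    }


def build_profile(authentication_method="UserSecureEnclaveKey"):
    """Device-scoped .mobileconfig: Platform SSO must be installed by MDM at
    device level, hence PayloadScope System."""
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.psso",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [build_sso_payload(authentication_method)],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM profile upload expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    """Load an exported, unsigned .mobileconfig so it can be audited."""
    return plistlib.loads(data)


def audit_sso_payload(payload):
    """Findings for one extensiblesso payload; an empty list means it matches
    the passwordless, phishing-resistant, least-privilege design."""
    findings = []
    psso = payload.get("PlatformSSO", {})
    method = psso.get("AuthenticationMethod")
    if method != "UserSecureEnclaveKey":
        findings.append(f"AuthenticationMethod is {method!r}: not Secure Enclave "
                        "backed; 'Password' syncs the Entra ID password locally")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for Entra ID")
    ids = (payload.get("ExtensionIdentifier"), payload.get("TeamIdentifier"))
    if ids != (MS_SSO_EXTENSION, MS_TEAM_ID):
        findings.append("ExtensionIdentifier/TeamIdentifier do not name the "
                        "Microsoft SSO extension; logins would be handed elsewhere")
    urls = payload.get("URLs", [])
    if ("https://login.microsoftonline.com" not in urls
            or not all(u.startswith("https://") for u in urls)):
        findings.append("URLs must be https and include login.microsoftonline.com")
    if (psso.get("EnableCreateUserAtLogin")
            and psso.get("NewUserAuthorizationMode") == "Admin"):
        findings.append("NewUserAuthorizationMode is 'Admin': every account "
                        "created at login is an admin, breaking least privilege")
    return findings


def audit_profile(profile):
    """Audit a whole profile: device scope plus every extensiblesso payload."""
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope must be System (device-level profile)")
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.extensiblesso":
            findings.extend(audit_sso_payload(p))
    return findings


if __name__ == "__main__":
    print(to_mobileconfig(build_profile()).decode())
```

Run it to print the profile for upload, or feed an exported profile from Jamf Pro through parse_mobileconfig and audit_profile before each rollout phase; the audit is what turns "we selected the Secure Enclave method" into something that can be checked again after someone edits the profile.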

Result

  • Password reset tickets dropped dramatically — no longer the #1 IT ticket driver.
  • No Entra ID password on the device: the only cloud credential a Mac holds is the device-bound key pair in the Secure Enclave, and the local account password is no longer a synced copy of the cloud password.
  • Users authenticate with Touch ID — faster and more secure than typing passwords.
  • Phishing-resistant authentication: the private key cannot be exported from the Secure Enclave, so a phished or relayed login cannot be replayed from another machine.
  • Enabled least-privilege admin access through Jamf Connect's privilege elevation.

Lessons Learned

Change management was critical. Users accustomed to password-based login needed clear documentation and hands-on support during the transition. We learned that Platform SSO requires macOS Ventura minimum, which created a short-term OS upgrade push. Some legacy applications that relied on password-based auth needed compatibility shims. The biggest win: eliminating the psychological burden of password management for end users. The relief was immediate and measurable in ticket volume.

Tags: Jamf Connect · Platform SSO · Entra ID · Secure Enclave · macOS · Touch ID