Streamlining macOS security: Automatically enable AutoFill after Platform SSO registration

Intune_Support_Team
Jun 29, 2026

By: Chris Kunze - Principal Product Manager | Microsoft Intune

Platform single sign-on (SSO) improves how macOS devices establish identity with Microsoft Entra ID, enabling a more secure and streamlined authentication experience. However, completing Platform SSO registration isn’t enough to deliver a fully passwordless workflow. To enable passwordless authentication in Safari, Microsoft Edge, and Google Chrome, the Company Portal AutoFill extension must also be enabled. In many deployments, this step still depends on the user.

Devices may be fully enrolled, and Platform SSO may be successfully registered, yet users can still fall back to entering credentials manually if Company Portal AutoFill is not enabled. At scale, even small manual configuration steps can lead to inconsistent results. The goal of this post is to remove that dependency by automatically enabling AutoFill after Platform SSO registration, so users receive a complete passwordless experience without any additional steps.

The challenge

After Platform SSO is deployed to a macOS device, two conditions must be met before users receive the intended passwordless experience:

  • Platform SSO registration must be completed
    The device must complete Platform SSO registration with Microsoft Entra ID.
  • Company Portal AutoFill must be enabled
    The Company Portal AutoFill extension must be enabled for supported browsers so credentials can be supplied automatically.

When Platform SSO registration happens after Setup Assistant, the user is prompted through the registration flow and receives a reminder to enable Company Portal AutoFill. However, enabling AutoFill is still a separate manual step that the user must complete. If the user skips or overlooks that step, the device can be successfully registered for Platform SSO while still requiring credentials to be entered manually. The result is a deployment that appears complete but does not consistently deliver the intended passwordless experience or security posture. Authentication should not depend on user action after enrollment.

Especially valuable with the “Enable Registration During Setup” setting

This approach becomes especially impactful when combined with the Enable Registration During Setup setting for Platform SSO. When used with Automated Device Enrollment (ADE), Platform SSO registration can be completed automatically during Setup Assistant before the user reaches the desktop. This helps ensure identity registration completes as part of the provisioning experience rather than requiring additional post-enrollment actions.

Automating AutoFill after Platform SSO registration

After registration has completed, AutoFill often becomes the final remaining step that still depends on user action. To close this gap, you can use a custom script to enable the Company Portal AutoFill extension after Platform SSO registration is complete.

The sample script, Check-PSSO.zsh, available in the GitHub repository, was written by the Intune Customer Experience Engineering team. The script detects when Platform SSO registration has completed on a device and then enables AutoFill automatically.

Important: Microsoft supports Intune’s ability to deploy scripts, but not the scripts themselves. Microsoft fully supports Intune and its script deployment capabilities. However, Microsoft does not provide support for individual scripts, including scripts published in Microsoft GitHub repositories. These scripts are provided as examples only. You are responsible for reviewing, validating, and testing their behavior in your environment before deploying them broadly.


The script essentially performs four key actions:

  1. Wait for a user session - The script detects when a user session is active to ensure the device is ready for configuration.
  2. Verify Platform SSO registration - It confirms that Platform SSO registration has completed successfully before proceeding.
  3. Detect the AutoFill extension - The script waits until the Company Portal AutoFill extension becomes available on the device.
  4. Enable AutoFill automatically - Once detected, the script enables AutoFill programmatically, eliminating the need for users to manually configure the setting in System Settings.

All activities are logged locally, providing visibility for auditing and troubleshooting.

Supported browsers

The Company Portal AutoFill extension works with:

  • Safari
  • Microsoft Edge
  • Google Chrome

Once AutoFill is enabled, users can authenticate across all supported browsers on their macOS device without manually entering passwords.

System requirements

  • macOS 15 or later
  • Company Portal version 5.2604.0 or later installed on the device
  • Platform SSO configured via an Intune SSO extension profile

Deployment via Intune

The Check-PSSO script is deployed using a lightweight, scalable approach aligned with modern macOS management practices.

The recommended method is to package the script as a payloadless PKG with a pre-install script.

High-level steps:

  1. Build an empty PKG
  2. Attach the Check-PSSO script as a pre-install script
  3. Upload the package to Intune
  4. Assign it as Required
  5. Verify successful deployment through script logs

Detailed instructions are available in the GitHub repository.

Key Features

Polling with timeouts

The script waits for the required conditions to be met before continuing, including an active user session and completed Platform SSO registration. To avoid indefinite loops in edge-case scenarios, it uses timeouts while polling for those conditions.
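
The polling pattern described above, as an added example that is not the Check-PSSO.zsh source: each precondition is retried until it succeeds or a deadline passes, and the first timeout fails the whole run. All function names and the log path are assumptions; a caller would pass `console_user_active` together with its own checks for registration state and extension availability, which this page does not show.

```shell
#!/bin/sh
# Added sketch of polling with timeouts; not the Check-PSSO.zsh source.
# LOG_FILE, log, wait_for, console_user_active, run_gates are hypothetical names.
LOG_FILE="${LOG_FILE:-/tmp/psso-gate-example.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# wait_for <label> <timeout_s> <interval_s> <command...>
# Returns 0 as soon as <command> succeeds, 1 once <timeout_s> has been waited.
wait_for() {
    label=$1; timeout=$2; interval=$3; shift 3
    waited=0
    while :; do
        if "$@" >/dev/null 2>&1; then
            log "OK: $label after ${waited}s"
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            log "TIMEOUT: $label not met within ${timeout}s"
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Gate 1 on macOS: a real user owns the console (BSD stat syntax). root means
# the login window; _mbsetupuser is the Setup Assistant account.
console_user_active() {
    user=$(stat -f%Su /dev/console 2>/dev/null) || return 1
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    return 0
}

# run_gates <timeout_s> <interval_s> <check> [<check> ...]
# Runs the checks in order; the first one that times out stops the run with 1,
# so the caller can exit 0 only when every precondition was actually met.
run_gates() {
    g_timeout=$1; g_interval=$2; shift 2
    for check in "$@"; do
        wait_for "$check" "$g_timeout" "$g_interval" "$check" || return 1
    done
    return 0
}
```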

 

Diagnostic logging and auditing

Optional verbose logging provides detailed troubleshooting information and an audit trail confirming AutoFill was enabled. Each run is logged locally under:

/Library/Logs/Microsoft/IntuneScripts/checkPSSO

 

Clear exit codes

  • Exit 0: Success
  • Exit 1: Failure

Benefits of automating AutoFill

Automating AutoFill helps ensure users can take advantage of passwordless authentication without additional configuration steps. It reduces reliance on user action, improves deployment consistency, improves security posture, and supports zero-touch provisioning. It also provides admins with verification through centralized logging and reporting.

Get started

If you’ve already deployed Platform SSO, automating AutoFill is a natural next step toward delivering a complete passwordless experience. By removing a manual configuration step that often depends on user action, you can improve consistency and user experience across devices. When combined with the Enable Registration During Setup setting, this helps create a true zero-touch experience from enrollment through authentication.

Learn more


Let us know if you have questions by leaving a comment below or reaching out on X @IntuneSuppteam.

Join our community! Discuss real-world scenarios, get expert guidance, connect with peers, and influence the future of Microsoft Security products. Learn more at aka.ms/JoinIntuneCommunity.

Updated Jun 29, 2026
Version 2.0