By: Chris Kunze - Principal Product Manager | Microsoft Intune
Platform single sign-on (SSO) improves how macOS devices establish identity with Microsoft Entra ID, enabling a more secure and streamlined authentication experience. However, completing Platform SSO registration isn’t enough to deliver a fully passwordless workflow. To enable passwordless authentication in Safari, Microsoft Edge, and Google Chrome, the Company Portal AutoFill extension must also be enabled. In many deployments, this step still depends on the user.
Devices may be fully enrolled, and Platform SSO may be successfully registered, yet users can still fall back to entering credentials manually if Company Portal AutoFill is not enabled. At scale, even small manual configuration steps can lead to inconsistent results. The goal of this post is to remove that dependency by automatically enabling AutoFill after Platform SSO registration, so users receive a complete passwordless experience without any additional steps.
The challenge
After Platform SSO is deployed to a macOS device, two conditions must be met before users receive the intended passwordless experience:
- Platform SSO registration must be completed - The device must complete Platform SSO registration with Microsoft Entra ID.
- Company Portal AutoFill must be enabled - The Company Portal AutoFill extension must be enabled for supported browsers so credentials can be supplied automatically.
When Platform SSO registration happens after Setup Assistant, the user is prompted through the registration flow and receives a reminder to enable Company Portal AutoFill. However, enabling AutoFill is still a separate manual step that the user must complete. If the user skips or overlooks that step, the device can be successfully registered for Platform SSO while still requiring credentials to be entered manually. The result is a deployment that appears complete but does not consistently deliver the intended passwordless experience or security posture. Authentication should not depend on user action after enrollment.
Especially valuable with the “Enable Registration During Setup” setting
This approach becomes especially impactful when combined with the Enable Registration During Setup setting for Platform SSO. When used with Automated Device Enrollment (ADE), Platform SSO registration can be completed automatically during Setup Assistant before the user reaches the desktop. This helps ensure identity registration completes as part of the provisioning experience rather than requiring additional post-enrollment actions.
Automating AutoFill after Platform SSO registration
After registration has completed, AutoFill often becomes the final remaining step that still depends on user action. To close this gap, you can use a custom script to enable the Company Portal AutoFill extension after Platform SSO registration is complete.
The sample script, Check-PSSO.zsh, available in the GitHub repository, was written by the Intune Customer Experience Engineering team. The script detects when Platform SSO registration has completed on a device and then enables AutoFill automatically.
The script essentially performs four key actions:
- Wait for a user session - The script detects when a user session is active to ensure the device is ready for configuration.
- Verify Platform SSO registration - It confirms that Platform SSO registration has completed successfully before proceeding.
- Detect the AutoFill extension - The script waits until the Company Portal AutoFill extension becomes available on the device.
- Enable AutoFill automatically - Once detected, the script enables AutoFill programmatically, eliminating the need for users to manually configure the setting in System Settings.
All activities are logged locally, providing visibility for auditing and troubleshooting.
Supported browsers
The Company Portal AutoFill extension works with:
- Safari (native support)
- Microsoft Edge (native support)
- Google Chrome (requires Microsoft Single Sign On extension)
Once AutoFill is enabled, users can authenticate across all supported browsers on their macOS device without manually entering passwords.
System requirements
- macOS 15 or later
- Company Portal version 5.2604.0 or later installed on the device
- Platform SSO configured via an Intune SSO extension profile
Deployment via Intune
The Check-PSSO script is deployed using a lightweight, scalable approach aligned with modern macOS management practices.
The recommended method is to package the script as a payloadless PKG with a pre-install script.
High-level steps:
- Build an empty PKG
- Attach the Check-PSSO script as a pre-install script
- Upload the package to Intune
- Assign it as Required
- Verify successful deployment through script logs
Detailed instructions are available in the GitHub repository.
Key Features
Polling with timeouts
The script waits for the required conditions to be met before continuing, including an active user session and completed Platform SSO registration. To avoid indefinite loops in edge-case scenarios, it uses timeouts while polling for those conditions.
Diagnostic logging and auditing
Optional verbose logging provides detailed troubleshooting information and an audit trail confirming AutoFill was enabled. Each run is logged locally under:
/Library/Logs/Microsoft/IntuneScripts/checkPSSO
Clear exit codes
- Exit 0: Success
- Exit 1: Failure
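The following sketch shows how bounded polling, local logging, and the 0/1 exit convention described above fit together. It is an added example, not code from Check-PSSO.zsh or the Intune team. The probe functions, `LOG_FILE`, and `STATE_DIR` are constructed stand-ins (marker files) for the real session, registration, and extension checks.

```shell
#!/bin/sh
# Added illustration; not taken from Check-PSSO.zsh.
LOG_FILE="${LOG_FILE:-/tmp/checkPSSO-example.log}"      # constructed log path
STATE_DIR="${STATE_DIR:-/tmp/checkPSSO-example-state}"  # constructed marker directory

# Append a timestamped line so every decision leaves an audit trail.
log() { printf '%s | %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"; }

# wait_for <timeout_s> <interval_s> <label> <command...>
# Returns 0 as soon as the command succeeds, 1 once the deadline has passed.
wait_for() {
    local timeout_s="$1" interval_s="$2" label="$3" deadline
    shift 3
    deadline=$(( $(date +%s) + timeout_s ))
    while :; do
        if "$@" >/dev/null 2>&1; then
            log "OK: $label"
            return 0
        fi
        if [ "$(date +%s)" -ge "$deadline" ]; then
            log "TIMEOUT after ${timeout_s}s: $label"
            return 1
        fi
        sleep "$interval_s"
    done
}

# run_gates <timeout_s> <interval_s> <probe>...
# Probes run in order; the first timeout stops the run, so a later step
# never acts on a device that has not met the earlier condition.
run_gates() {
    local timeout_s="$1" interval_s="$2" probe
    shift 2
    for probe in "$@"; do
        wait_for "$timeout_s" "$interval_s" "$probe" "$probe" || return 1
    done
    log "all gates passed"
    return 0
}

# Constructed stand-in probes: each passes once its marker file exists.
probe_user_session()     { [ -e "$STATE_DIR/session" ]; }
probe_psso_registered()  { [ -e "$STATE_DIR/registered" ]; }
probe_autofill_present() { [ -e "$STATE_DIR/extension" ]; }

# Usage: run_gates 300 5 probe_user_session probe_psso_registered probe_autofill_present
```

A caller would end with `exit 0` when `run_gates` succeeds and `exit 1` otherwise, so the result surfaces in deployment reporting.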
Benefits of automating AutoFill
Automating AutoFill helps ensure users can take advantage of passwordless authentication without additional configuration steps. It reduces reliance on user action, improves deployment consistency, improves security posture, and supports zero-touch provisioning. It also provides admins with verification through centralized logging and reporting.
Get started
If you’ve already deployed Platform SSO, automating AutoFill is a natural next step toward delivering a complete passwordless experience. By removing a manual configuration step that often depends on user action, you can improve consistency and user experience across devices. When combined with the Enable Registration During Setup setting, this helps create a true zero-touch experience from enrollment through authentication.
Learn more
- Platform SSO for macOS
- Company Portal for macOS
- Payloadless Packages in Intune (Tech Community)
- Microsoft shell-intune-samples Repository
Let us know if you have questions by leaving a comment below or reaching out on X @IntuneSuppteam.