Much of my time these days is spent working on Apple's new Platform SSO, and more specifically on Okta's implementation of it (Okta Device Access), so I wanted to talk about it a little.
We have to go back to basics when talking about this.
- Computers need to talk to each other (networking), and
- There needs to be some way to both identify and authorize a computer and a person to access resources.
Sure, you can set up your personal system to access email, but if you then go to ANOTHER computer, you have to set it up on that computer again, which is... a pain. That's the problem directory services solve.
A brief history of Apple and directory services
Apple lost the advantage with networking by not pushing TCP/IP earlier, favoring their in-house AppleTalk tech stack. By the time Apple had gotten around to including TCP/IP, Microsoft had already built that into Windows 95 and had built the server architecture that dominated the computing world for the following decades, including Active Directory (AD).
When Steve Jobs came back and brought NeXT with him in 1996-7, they brought Unix and their own directory services (NetInfo). They eventually added an LDAP-based Open Directory in macOS Leopard 10.5, as well as support for connecting to Microsoft's Active Directory servers.
For quite a while, orgs would use some combination of Open Directory and/or AD connectivity. With the advent of SaaS services ('moving things to the cloud') and having mobile devices (laptops and phones), using a direct connection to one of these directory services became a lot more difficult. Apple phased out Open Directory and orgs usually had to utilize a VPN to connect to Active Directory. Apple released tools like Enterprise Connect/Kerberos SSO, and there were 3rd party tools like Centrify and more recently Jamf Connect that provided some level of directory service integration.
Apple announced Platform SSO 3 years ago, promising support for talking directly to identity providers in the cloud. Since then, Microsoft and Okta have provided some level of integration, with others hopefully providing more down the road.
Platform SSO so far
PSSO is still a moving target. It has most of the features that Kerberos SSO did and several others, and both Okta and Microsoft are extending the PSSO landscape to introduce new features that also improve security - Okta released Desktop 2FA and more recently Device Bound SSO. Neither Okta nor Microsoft support Group Management with PSSO yet, which I think will be a game changer in many ways. With Apple's WWDC coming up in early June, it'll be super-interesting to see what new features may be announced with PSSO.
Read more about the features of Platform SSO here.
Platform SSO pluses and minuses
Apple has spent most of their time focusing on the devices themselves, shedding their enterprise products. They dumped the Xserve and other products years ago in order to focus on iOS devices -- their mantra for a long time was (is?) "Apple is not an enterprise company".
Accordingly, in most cases they have relied on 3rd parties to build plugins to extend their products into the enterprise, with a few exceptions, like Exchange support for the iPhone. In recent years, it's not just that 3rd parties have built add-ons to macOS: Apple has built APIs to extend their products into the enterprise that require one or more vendors to develop products before there is any support at all.
Beyond PSSO (the prime example), there are also things like Declarative Device Management (DDM). Apple is slowly removing the capability for administrators to directly manage devices by means of scripts, and instead requiring controls to come from device management platforms (for better or worse). With Platform SSO, a support issue means dealing with two vendors (in the case of orgs going full Microsoft stack) or THREE: Apple themselves, the MDM provider, and the IdP provider. I have personal experience with this and it is often not-good-times.
I do think that PSSO has a bright future though. Apple is focusing more and more on the enterprise these days, including the release of Apple Business, which provides not only their own MDM to a global audience, but also major improvements to what used to be the Apple Business Manager functions. We Mac nerds are really excited, especially about the new custom role functions.
What's next?
In another post planned for later, I'll give some tips and tricks on Okta Device Access, including some supportability suggestions.