Your macOS zero-touch deployment just got a lot more zero-touch.
Starting the week of May 11, 2026, Microsoft Intune supports completing Platform Single Sign-On (Platform SSO) registration during macOS Automated Device Enrollment (ADE). Users enrolling new Macs now authenticate with their Microsoft Entra ID credentials during the Setup Assistant flow and arrive at the desktop with SSO already configured, their local account created, and Entra ID resources accessible immediately.
Here is what changed, why it matters, and what your organization should do about it.
What Changed
Previously, Platform SSO on macOS required a two-phase approach: the device would enroll through ADE, reach the desktop, and then the user would need to complete Platform SSO registration separately, usually through the Company Portal app or a notification center prompt. This post-enrollment step added friction, required additional user training, and often generated help desk tickets from users who missed or dismissed the registration prompt.
The new workflow collapses these phases into one. When deployed correctly, the following happens during Setup Assistant:
- The device boots and connects to Intune via ADE
- Setup Assistant pauses at the authentication pane (using “Await final configuration”)
- The Company Portal app (5.2604.0+) is pre-installed along with the SSO extension
- The user authenticates with their Microsoft Entra ID credentials
- Local account creation, device enrollment, and Platform SSO registration complete simultaneously
- The user reaches the desktop fully provisioned, SSO-ready, with immediate access to Entra ID resources
Prerequisites:
- macOS 26 (Tahoe) or later
- Company Portal 5.2604.0 or later deployed as a line-of-business app
- ADE enrollment policy configured with Setup Assistant and modern authentication
- “Await final configuration” enabled in the ADE policy
- A settings catalog policy with “Enable Registration During Setup” configured
Why This Matters for Enterprise IT
Closing the macOS Zero-Touch Gap
iOS and iPadOS have had true zero-touch enrollment for years. macOS was the outlier: a platform where devices could enroll automatically but still required manual post-enrollment steps for identity binding. This change closes that gap. For organizations deploying Macs at scale, it means fewer support calls, faster time-to-productivity, and a user experience that actually feels modern.
Phishing-Resistant Authentication from Day One
When combined with the Secure Enclave authentication method, Platform SSO during ADE means users get hardware-bound, phishing-resistant credentials from their very first login. The cryptographic keys stored in the Secure Enclave never leave the device, and users authenticate with Touch ID for day-to-day operations, with no password entry required. This aligns macOS authentication with Windows Hello for Business, enabling a consistent cross-platform passwordless strategy.
Eliminating the Security Gap
Traditional macOS enrollment left a window where devices were enrolled but not yet fully configured for SSO. During that window, Conditional Access policies couldn’t fully evaluate device trust. With Platform SSO during ADE, device registration, user verification, and policy evaluation all happen during the Setup Assistant experience, before the user ever reaches the desktop.
What Organizations Should Do
If you are planning new macOS deployments:
- Verify your macOS fleet is macOS 26 capable and plan device refreshes accordingly
- Update Company Portal to version 5.2604.0 or later in your Intune app catalog
- Create a settings catalog policy with the Platform SSO configuration, including “Enable Registration During Setup”
- Configure your ADE enrollment policy to use “Setup Assistant with modern authentication” and enable “Await final configuration”
- Assign the settings catalog policy to a static device group (not a user group)
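The prerequisites and the deployment steps above can be turned into a preflight check before a pilot. The following is an added example, not Microsoft or Big Hat Group code; the dictionary field names, sample values and serials are hypothetical and constructed, and are not Intune or Graph API schema.

```python
MIN_MACOS = (26,)                    # macOS 26 (Tahoe) or later
MIN_COMPANY_PORTAL = (5, 2604, 0)    # Company Portal 5.2604.0 or later

def meets(text, minimum):
    """Numeric dotted-version compare; malformed or missing input fails closed."""
    try:
        version = tuple(int(p) for p in str(text).strip().split("."))
    except ValueError:
        return False
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def policy_blockers(policy):
    """Return the page's policy prerequisites that this configuration misses."""
    blockers = []
    if policy.get("ade_auth_method") != "setup_assistant_modern_auth":
        blockers.append("ADE policy must use Setup Assistant with modern authentication")
    if not policy.get("await_final_configuration"):
        blockers.append("Await final configuration is not enabled")
    if not policy.get("enable_registration_during_setup"):
        blockers.append("Enable Registration During Setup is not configured")
    if policy.get("psso_assignment_target") != "static_device_group":
        blockers.append("Assign the settings catalog policy to a static device group")
    if not meets(policy.get("company_portal_lob_version"), MIN_COMPANY_PORTAL):
        blockers.append("Company Portal line-of-business app is below 5.2604.0")
    return blockers

def device_blockers(device):
    if meets(device.get("os_version"), MIN_MACOS):
        return []
    return [f"macOS {device.get('os_version')!r} is below 26 or unreadable"]

def readiness_report(policy, devices):
    return {"policy": policy_blockers(policy),
            "devices": {d["serial"]: device_blockers(d) for d in devices}}

# Constructed sample input (hypothetical values, not a real tenant export).
SAMPLE_POLICY = {"ade_auth_method": "setup_assistant_modern_auth",
                 "await_final_configuration": True,
                 "enable_registration_during_setup": True,
                 "psso_assignment_target": "user_group",   # misassigned on purpose
                 "company_portal_lob_version": "5.2604.0"}
SAMPLE_DEVICES = [{"serial": "SAMPLE-0001", "os_version": "26.0.1"},
                  {"serial": "SAMPLE-0002", "os_version": "15.7.1"},
                  {"serial": "SAMPLE-0003", "os_version": ""}]

if __name__ == "__main__":
    print(readiness_report(SAMPLE_POLICY, SAMPLE_DEVICES))
```

Comparing versions as integer tuples matters here: as plain strings, "5.999.9" sorts above "5.2604.0" and would wrongly pass the Company Portal check.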
If you already have Platform SSO deployed:
- No immediate migration is required; existing devices continue to work
- Start using the new workflow for all new device enrollments
- Consider a phased rollout: pilot with IT, then expand to early adopters, then organization-wide
If you are still evaluating macOS enrollment:
- This is the right time to commit. The macOS 26 + Intune + Platform SSO stack is production-ready and closes the last major gaps in macOS enterprise management
What Has NOT Changed
- Existing Platform SSO deployments continue to work without reconfiguration
- Shared Mac scenarios still require per-user registration. Authenticated Guest Mode (macOS 26) is the right pattern for shared devices, though Microsoft Entra ID support for this feature is not yet available
- Other authentication methods (Smart Card, Password Sync) remain available and function the same way
- The settings catalog policy structure is the same; you just need to add the “Enable Registration During Setup” toggle
The Bigger Picture
This release is part of a broader trend: Microsoft and Apple are finally closing the feature gap between macOS and other enterprise device platforms. macOS 26 introduced Simplified Setup for Platform SSO, and Intune now fully supports it. The result is a macOS enrollment experience that finally matches what IT teams have come to expect from iOS and Windows.
For organizations committed to Microsoft Entra ID as their identity platform, this is a significant step forward. Platform SSO during ADE delivers on the promise of zero-touch, passwordless, policy-compliant macOS deployments, and it does it without requiring third-party MDM solutions.
Need Help Navigating Intune Changes? Big Hat Group helps organizations design, deploy, and manage Microsoft Intune environments for Windows, macOS, iOS, and Android, including Platform SSO configurations, zero-touch enrollment workflows, and conditional access policy design. Contact us to learn how we can support your endpoint management strategy.
Big Hat Group is a Microsoft partner specializing in modern endpoint management, Microsoft Intune, and Microsoft 365 deployments.