PSSO got some new things in Sequoia:

New Policies:
FileVaultPolicy: How to cloud login at FileVault login window.
LoginPolicy: How to cloud login at main login window
UnlockPolicy: How to cloud login at lock screen

Timing:
AuthenticationGracePeriod
OfflineGracePeriod

Other:
NonPlatformSSOAccounts

Some UI Changes as well.

https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignon/platformsso?changes=latest_minor

#psso #sequoia


Let's talk about the UI changes first. When PSSO is set up with a config profile and an extension in an app, the user is still prompted with a local notification at first login to register the device and user account. However, there is now a new UI that shows info and progress.

#psso #sequoia

There are some changes in the messages in the login window as well. If the policy requires cloud login but it is unavailable, the login window lets you know about it.

#psso #sequoia

Now for the new policies:

The three new policies, FileVaultPolicy, LoginPolicy, and UnlockPolicy, allow you to specify what is required at FileVault, the login window, and screen unlock, respectively. Each policy has 3 options:

AttemptAuthentication, RequireAuthentication, AllowOfflineGracePeriod, AllowAuthenticationGracePeriod

UnlockPolicy has an additional option: AllowTouchIDOrWatchForUnlock

#psso #sequoia

From my testing and the naming, AttemptAuthentication doesn't require the cloud service to be successful, but if the authentication is successful, an SSO token will be retrieved. RequireAuthentication stops the authentication if the cloud login fails. AllowOfflineGracePeriod and AllowAuthenticationGracePeriod appear to be 2 different timings you can specify that set how long is allowed between successful cloud logins.

#psso #sequoia

So you can unlock FileVault, LoginWindow, or LockScreen with just the local password if you have authenticated with the Identity Provider within the specified time period.

The UnlockPolicy option AllowTouchIDOrWatchForUnlock allows Touch ID or Apple Watch to unlock the lock screen. I haven't tested if that triggers a refresh, but it may.

#psso #sequoia

The other new key is NonPlatformSSOAccounts. In earlier releases, all local accounts would be prompted to register. NonPlatformSSOAccounts is an array of local usernames that will not be prompted for cloud account registration.
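To show how the keys above fit together, here is an added example of the PlatformSSO dictionary as it would appear inside a com.apple.extensiblesso configuration profile payload. This is illustrative and is not a profile from the original post or from Twocanoes; the extension identifier, team identifier, account names and grace-period values are placeholders, and the grace periods are assumed to be integers in seconds. Note that FileVaultPolicy is set to a grace-period option rather than RequireAuthentication, so a Mac whose IdP is unreachable at the pre-boot screen (where Wi-Fi may not be available) can still be unlocked by a recently authenticated user.

```xml
<!-- Fragment of a com.apple.extensiblesso payload (added example, placeholder values) -->
<key>ExtensionIdentifier</key>
<string>com.example.ssoextension</string>   <!-- placeholder: bundle ID of your SSO extension -->
<key>TeamIdentifier</key>
<string>ABCDE12345</string>                  <!-- placeholder: developer team ID -->
<key>Type</key>
<string>Redirect</string>
<key>PlatformSSO</key>
<dict>
    <!-- Pre-Sequoia key: how the user authenticates to the IdP -->
    <key>AuthenticationMethod</key>
    <string>Password</string>

    <!-- FileVault pre-boot: accept the local password if a cloud login
         happened within AuthenticationGracePeriod, so an unreachable IdP
         does not lock users out before the OS (and Wi-Fi) is up -->
    <key>FileVaultPolicy</key>
    <string>AllowAuthenticationGracePeriod</string>

    <!-- Login window: require a successful cloud login every time -->
    <key>LoginPolicy</key>
    <string>RequireAuthentication</string>

    <!-- Lock screen: permit Touch ID or Apple Watch unlock -->
    <key>UnlockPolicy</key>
    <string>AllowTouchIDOrWatchForUnlock</string>

    <!-- Assumed to be seconds: 1 day between required cloud logins -->
    <key>AuthenticationGracePeriod</key>
    <integer>86400</integer>

    <!-- Assumed to be seconds: 7 days the Mac may stay offline -->
    <key>OfflineGracePeriod</key>
    <integer>604800</integer>

    <!-- Local-only accounts that are never prompted to register with the IdP
         (placeholder names); these can still log in when the IdP is unreachable -->
    <key>NonPlatformSSOAccounts</key>
    <array>
        <string>localadmin</string>
        <string>helpdesk</string>
    </array>
</dict>
```

When testing a profile like this, push it to a single Mac first and confirm the login window and FileVault behaviour with the IdP both reachable and blocked; a RequireAuthentication value at FileVault with no grace period is the combination most likely to strand users, and the NonPlatformSSOAccounts list is what keeps a break-glass local admin usable in that case.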

#psso #sequoia

Also, when you perform an authentication, you get a local notification each time that lets you know your token has been refreshed.

More testing to do as the new OS betas get released, and I am doing a session at PSU MacAdmins, so if you are interested in all things PSSO, check out my PSSO page. It has info on how you can set up your own PSSO server, tutorials for creating a single sign-on extension, and how to add your own PSSO functionality to your apps.

https://twocanoes.com/sso

#psso #sequoia


Posted this as an article on our site as well:

https://twocanoes.com/new-for-psso-in-macos-sequoia/

#psso #sequoia

Did some additional FV login testing for PSSO. If you set the policy to require cloud login, it requires successful cloud authentication in order to unlock FV. If the IdP is unreachable (or you are not on ethernet or WPA2 WiFi), you can’t log in. This applies to all user accounts on the Mac, including non-paired local admin accounts. If you add those local-only accounts to NonPlatformSSOAccounts, you can log in to them without the IdP being available.

#psso #sequoia