visionOS 26.6 Beta 2: Identity, Passkey, and SSO Security Updates for Enterprise and Developers

Mo Wasay June 21, 2026 4 min read

WHAT APPLE JUST SHIPPED: visionOS 26.6 Beta 2 (23O5743c)

Apple released visionOS 26.6 beta 2 (build 23O5743c), available for developers via Apple Developer downloads. This build is required for testing the latest AuthenticationServices, Passkey, and enterprise SSO Extension APIs, as well as new MDM payload behaviors. The update is relevant for all enterprise and developer environments targeting visionOS devices (Apple Vision Pro).

Key Identity and Security Changes in visionOS 26.6 Beta 2

  • AuthenticationServices Framework Updates: New passkey creation flows, improved error handling, and expanded SSO Extension support.
  • MDM Protocol Enhancements: Updated restrictions payloads for device unlock and biometric policies; support for declarative device management now extends to visionOS.
  • Managed Apple ID Integration: Refined federation behavior for Entra ID and Okta environments; improved SCIM provisioning compatibility.
  • Face ID Integration: Secure Enclave and Face ID APIs updated for visionOS, with improved fallback handling when biometric authentication is unavailable.

WHAT’S COMING: WWDC 2024 Announcements and Beta Features

  • Sign in with Apple Passkey Integration: Starting in visionOS 27 and iOS 18, Apple will support passkey-first flows for Sign in with Apple, reducing friction and improving phishing resistance. Developers should refactor authentication logic to prioritize passkey storage and retrieval.
  • Private Email Relay Enhancements: Apple will allow admins to set policies on Hide My Email usage for Managed Apple IDs. Expect new MDM payloads for granular control in visionOS and iOS 18.
  • Declarative Device Management Expansion: visionOS will support declarative management actions, enabling real-time compliance reporting and policy updates without device polling.
  • Verifiable Credentials in Wallet: Beta APIs for ISO 18013-5 digital IDs and enterprise-issued credentials will be exposed for testing, with full support targeted for visionOS 27.

WHY THIS IS BETTER: Improvements Over Previous APIs and Platforms

  • SSO Extension Improvements: visionOS 26.6 streamlines the SSO login experience, eliminating legacy web-based redirects and enabling native authentication with platform SSO. This outpaces Android’s fragmented identity experience and Windows Hello’s limited enterprise SSO reach.
  • Passkey Support: Enhanced passkey sync via iCloud Keychain allows seamless cross-device authentication, reducing user friction compared to Android’s FIDO2 APIs, which lack universal sync.
  • Declarative Management: Real-time device compliance and policy enforcement for visionOS, previously unavailable, now aligns with iOS/macOS capabilities, giving admins parity across Apple platforms.
  • Managed Apple ID Federation: Improved SCIM and federation flows reduce provisioning errors, an issue that previously caused Managed Apple ID misalignment in Entra ID/Okta/Google environments.

HOW TO IMPLEMENT OR RESPOND

For Developers: Passkey Registration and SSO Extension

Register a passkey using the updated AuthenticationServices API:

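import AuthenticationServices

// Method on a type that conforms to ASAuthorizationControllerDelegate and
// ASAuthorizationControllerPresentationContextProviding.
func registerPasskey(challenge: Data, userID: Data) {
    // Registration requests are created by the platform provider, not initialized directly.
    let passkeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(
        relyingPartyIdentifier: "example.com"
    )
    let registrationRequest = passkeyCredentialProvider.createCredentialRegistrationRequest(
        challenge: challenge,      // Server-provided challenge
        name: "user@example.com",  // placeholder account name
        userID: userID             // Server-provided user handle
    )

    let authorizationController = ASAuthorizationController(authorizationRequests: [registrationRequest])
    authorizationController.delegate = self // ASAuthorizationControllerDelegate
    authorizationController.presentationContextProvider = self

    authorizationController.performRequests()
}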
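
The registration request above carries a server-provided challenge, and the security of the flow depends on the server issuing it fresh and checking it when the response comes back. The following is an added example, not code from this article or from Apple, showing that server side in Python: a single-use challenge and validation of the returned clientDataJSON. The names ChallengeStore, RP_ORIGIN and CHALLENGE_TTL, the origin value and the 120-second lifetime are assumptions; attestation and signature verification are out of scope here.

```python
import base64
import hmac
import json
import secrets
import time

RP_ORIGIN = "https://example.com"  # assumption: origin expected for relying party "example.com"
CHALLENGE_TTL = 120                # assumption: seconds a pending challenge stays valid

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class ChallengeStore:
    """Hypothetical in-memory store of pending registration challenges, keyed by session."""

    def __init__(self):
        self._pending = {}  # session id -> (challenge bytes, expiry timestamp)

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(32)  # fresh, unpredictable, per ceremony
        self._pending[session_id] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def verify_client_data(self, session_id, raw_client_data_json, now=None):
        """Return "ok", or the reason the registration response is rejected."""
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)  # consumed on first use, so replays fail
        if entry is None:
            return "no pending challenge"
        challenge, expiry = entry
        if now > expiry:
            return "challenge expired"
        try:
            client_data = json.loads(raw_client_data_json)
        except ValueError:
            return "malformed clientDataJSON"
        if not isinstance(client_data, dict):
            return "malformed clientDataJSON"
        if client_data.get("type") != "webauthn.create":
            return "wrong ceremony type"
        received = str(client_data.get("challenge", "")).encode()
        if not hmac.compare_digest(received, b64url(challenge).encode()):
            return "challenge mismatch"
        if client_data.get("origin") != RP_ORIGIN:
            return "origin mismatch"
        return "ok"
```

On the client, the bytes passed to verify_client_data are the rawClientDataJSON property of the ASAuthorizationPlatformPublicKeyCredentialRegistration delivered to the delegate.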

For SSO Extension, update your Info.plist to support visionOS:



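<dict>
    <key>com.apple.developer.sso-extension</key>
    <!-- value not preserved on this page -->
    <key>com.apple.developer.sso-extension-identifiers</key>
    <array>
        <string>com.example.yourapp.ssoextension</string>
    </array>
</dict>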

For Admins: Enforcing Face ID and Passkey Policies via MDM

Apply updated restrictions with a mobileconfig for visionOS devices:



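<dict>
    <key>PayloadType</key>
    <string>com.apple.device.lock</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>AllowBiometricUnlock</key>
    <!-- value not preserved on this page -->
    <key>AllowPasskeyCreation</key>
    <!-- value not preserved on this page -->
</dict>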

To audit device compliance, run:

/usr/bin/profiles status -type configuration

For Managed Apple ID Federation: SCIM Verification

Check provisioning sync in Apple Business Manager:

  1. Log in to Apple Business Manager.
  2. Navigate to Settings → Accounts → Federation.
  3. Verify SCIM status and audit recent sync logs.

WHAT TO CHECK: Device and Portal Verification

  • On visionOS device: Confirm SSO extension login flow is native (no redirect), and passkey creation functions end-to-end.
  • Apple Business Manager: Validate Managed Apple ID provisioning and SCIM sync status.
  • MDM Console: Ensure new restrictions payloads are applied and reflected in device compliance reports.

BOTTOM LINE

  • Upgrade test devices to visionOS 26.6 beta 2 for authentication and SSO validation.
  • Developers: Refactor login flows to adopt passkey-first logic and updated SSO Extension APIs.
  • Admins: Review and enforce biometric and passkey policies using new MDM payloads; audit SCIM sync for Managed Apple IDs.
  • Prepare for declarative device management and digital credentials: start pilot testing with visionOS betas and monitor WWDC documentation for API changes.