iPadOS 18.6 Beta 3: New Identity APIs, Platform SSO Tweaks, and Managed Apple ID Federation Updates

Mo Wasay June 30, 2026 5 min read

What Apple Just Shipped: iPadOS 18.6 Beta 3 Deep Dive

Apple released iPadOS 18.6 beta 3 (build 23G5052d) for developers. This update contains important identity and security revisions, targeting Platform SSO, Passkeys, Managed Apple ID federation, and MDM controls. If you manage iPads in a federated Apple Business Manager (ABM) environment or integrate authentication in your iPad apps, you need to review these changes now.

Key iPadOS 18.6 Beta 3 Identity & Security Updates

  • Platform SSO: Expanded token mapping for SSO extensions; improved MDM profile enforcement for extension payloads; bug fixes for Kerberos ticket renewal on iPad.
  • Passkeys: Upstream sync reliability improvements for iCloud Keychain, critical to FIDO2 workflows in enterprise deployments.
  • Managed Apple ID Federation: ABM/ASM federation with Entra ID and Okta now supports SCIM attribute mapping for department/unit sync.
  • MDM Protocol: New restriction keys for passkey autofill and SSO extension management; improved declarative device management reporting for identity status.

What’s Coming: WWDC 2024 Announcements and Developer Previews

Developers and IT admins should prepare for these upcoming features, now available in developer betas:

  • Sign in with Apple for Enterprise (Preview): Allows custom authentication flows with Managed Apple IDs and federated identity providers. OIDC-based, currently in limited beta.
  • Declarative Device Management (DDM) for SSO Extensions: MDM vendors can now declaratively specify required SSO extension state, reducing race conditions.
  • Passkey Sharing Across Platforms: Passkeys created on iPad can be provisioned for use on Windows PCs via iCloud.com, closing a major cross-platform gap.

Why This Is Better: Technical Improvements Over Previous Releases

  • Platform SSO on iPadOS 18.6 fixes session persistence bugs that previously required user re-authentication after device sleep; SSO now persists through both device restarts and network transitions.
  • Passkey Sync fixes address major reliability issues where FIDO2 credentials failed to sync between iPads and iPhones enrolled in the same Managed Apple ID account, a critical compliance factor in regulated environments.
  • Federated Managed Apple ID enhancements reduce admin overhead by syncing SCIM attributes like department, job title, and manager—essential for granular ABM role assignment without manual mapping.
  • MDM DDM for SSO Extensions eliminates timing bugs where SSO profile updates lagged behind device unlock, tightening device compliance windows.

How to Implement or Respond

1. Update MDM Profiles for Platform SSO Extensions

To leverage improved SSO extension enforcement, update your MDM payloads. Example mobileconfig for Platform SSO with Azure AD:


<dict>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.sso.azuread</string>
  <!-- Extension settings are keys of the payload dictionary itself -->
  <key>Type</key>
  <string>Redirect</string>
  <!-- Team ID and bundle ID of the app that ships the SSO extension
       (here the Microsoft Authenticator app for iOS/iPadOS) -->
  <key>TeamIdentifier</key>
  <string>SGGM6D27TK</string>
  <key>ExtensionIdentifier</key>
  <string>com.microsoft.azureauthenticator.ssoextension</string>
  <!-- URL prefixes that the extension handles -->
  <key>URLs</key>
  <array>
    <string>https://login.microsoftonline.com/</string>
  </array>
</dict>
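
A pre-deployment check for a payload like the one above, as an added example (not code from Apple or any MDM vendor): it parses a com.apple.extensiblesso payload and reports missing top-level keys, a placeholder or malformed Team ID, and Redirect URLs that are not plain https prefixes. The sample payloads, the com.example identifiers and the placeholder list are constructed for illustration, and requiring https is a hardening choice made here.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Constructed sample payloads; identifiers and hosts are placeholders.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>Type</key><string>Redirect</string>
  <key>TeamIdentifier</key><string>{team}</string>
  <key>ExtensionIdentifier</key><string>com.example.idp.ssoextension</string>
  <key>URLs</key><array><string>{url}</string></array>
</dict></plist>"""
GOOD = TEMPLATE.format(team="ABCDE12345", url="https://login.example.com/").encode()
BAD = TEMPLATE.format(team="YOURTEAMID", url="http://login.example.com/?next=1").encode()
PLACEHOLDERS = {"YOURTEAMID", "TEAMID", "XXXXXXXXXX"}  # assumed template leftovers

def lint_sso_payload(raw):
    """Return a list of findings for one com.apple.extensiblesso payload dict."""
    payload = plistlib.loads(raw)
    if payload.get("PayloadType") != "com.apple.extensiblesso":
        return ["PayloadType is not com.apple.extensiblesso"]
    findings = []
    # These keys belong to the payload dict itself, not to a nested array.
    for key in ("Type", "ExtensionIdentifier", "TeamIdentifier"):
        if not payload.get(key):
            findings.append(f"{key} missing at payload top level")
    team = payload.get("TeamIdentifier", "")
    # Apple Team IDs are 10 uppercase alphanumerics; a placeholder can match too.
    if team in PLACEHOLDERS or (team and not re.fullmatch(r"[A-Z0-9]{10}", team)):
        findings.append(f"TeamIdentifier {team!r} is a placeholder or malformed")
    kind = payload.get("Type")
    if kind == "Redirect":
        urls = payload.get("URLs") or []
        if not urls:
            findings.append("Redirect payload has no URLs")
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.hostname:
                findings.append(f"URL {url!r} is not an https URL with a host")
            if parts.query or parts.fragment:
                findings.append(f"URL {url!r} carries a query or fragment")
    elif kind == "Credential":
        if not payload.get("Hosts"):
            findings.append("Credential payload has no Hosts")
    elif kind:
        findings.append(f"unknown Type {kind!r}")
    return findings

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, lint_sso_payload(raw) or "ok")
```
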

2. Enable and Test Passkey Sync for Managed Apple IDs

Ensure iCloud Keychain is enabled for your Managed Apple IDs in ABM. Then, test passkey registration and sync:

  1. Enroll a test device with a Managed Apple ID.
  2. Register a passkey using Safari on a web property that supports FIDO2/WebAuthn.
  3. Verify the passkey appears on a second device using Settings > Passwords.

3. Map SCIM Attributes in ABM Federated Domains

In Apple Business Manager, navigate to Settings > Accounts > Federation and confirm SCIM attribute mappings:

  • Department (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department)
  • Manager (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager)

This ensures proper role-based access and device assignment.
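
To audit what the identity provider actually sends for these two mappings, the following added example (not ABM or IdP code) resolves SCIM attribute paths like the ones listed above against User resources and reports accounts where the value is empty. The user records are constructed, and checking manager.value (the manager's SCIM id) rather than a display name is an assumption about what a role mapping needs.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED = [ENTERPRISE + ":department", ENTERPRISE + ":manager.value"]

# Constructed SCIM 2.0 User resources, shaped as an IdP would provision them.
USERS = [
    {"schemas": [CORE, ENTERPRISE], "userName": "ana@example.com",
     ENTERPRISE: {"department": "Finance",
                  "manager": {"value": "26118915", "displayName": "Lee"}}},
    {"schemas": [CORE], "userName": "bo@example.com",
     ENTERPRISE: {"department": "", "manager": {"displayName": "Lee"}}},
]

def resolve(resource, path):
    """Resolve a SCIM attribute path ([schema URN:]attr[.subAttr]) to a value."""
    # Split on the last colon: everything before it is the schema URN,
    # which is also the JSON key holding that extension's attributes.
    schema, _, attr = path.rpartition(":")
    node = resource.get(schema, {}) if schema else resource
    for part in attr.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node

def audit(users):
    """Map userName -> problems that would leave a mapped attribute empty."""
    report = {}
    for user in users:
        problems = []
        # The extension must be declared in "schemas" as well as present as a key.
        if ENTERPRISE not in user.get("schemas", []):
            problems.append("enterprise extension URN missing from schemas")
        for path in REQUIRED:
            if resolve(user, path) in (None, ""):
                problems.append("empty " + path.rpartition(":")[2])
        if problems:
            report[user["userName"]] = problems
    return report

if __name__ == "__main__":
    for name, problems in audit(USERS).items():
        print(name, problems)
```
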

4. Use Declarative Device Management for SSO Requirements

If your MDM supports DDM, add SSO extension requirements declaratively to guarantee enforcement pre-login. Example snippet:


<dict>
  <key>Identifier</key>
  <string>com.apple.sso.requirement</string>
  <key>Type</key>
  <string>Configuration</string>
  <key>Requirements</key>
  <array>
    <dict>
      <key>SSOExtensionRequired</key>
      <true/>
    </dict>
  </array>
</dict>

What to Check

  • Platform SSO: On a test device, open Settings > Passwords > Platform SSO. Confirm your SSO extension is listed and status is Active. Validate SSO persists through device restart.
  • Passkeys: Register a new passkey in Safari; confirm presence on a second managed device. In the Console app, filter for com.apple.security.keychain logs for sync errors.
  • Federation: In ABM, check Accounts > Users for SCIM-synced attributes (department, manager) on your Managed Apple IDs.
  • MDM: In your MDM console, verify that declarative SSO extension profiles show as Compliant and that no legacy profile conflicts exist.

Bottom Line: Recommendations for Enterprise IT and Developers

  • Update SSO and MDM profiles now to test against iPadOS 18.6 betas, especially if using federated identity providers or SSO extensions.
  • Verify passkey sync and usage with Managed Apple IDs if your environment requires FIDO2 or passwordless auth flows.
  • Map and audit SCIM attributes in ABM to leverage new automation and role assignment features.
  • Monitor developer.apple.com for Sign in with Apple for Enterprise OIDC documentation to prepare for early adoption.

These changes close critical gaps in Apple identity integration for iPad in enterprise environments. Start integration and compliance testing with iPadOS 18.6 betas now to ensure a seamless, secure rollout at general availability.