macOS 27.0 Beta 3 v.2: New Identity APIs, SSO Extension Upgrades, and MDM Security Enhancements

WHAT APPLE JUST SHIPPED: macOS 27.0 Beta 3 v.2 (26A5378n)
Apple has released macOS 27.0 beta 3 v.2 (build 26A5378n), available to registered developers. This build aligns with developer previews of iOS 18 and macOS 15, but introduces specific updates directly relevant for enterprise authentication, Single Sign-On (SSO) Extension, and MDM policy enforcement.
- API Update: AuthenticationServices gains refined Passkey and SSO Extension support, with improved error handling and session reliability.
- Platform Change: Managed Apple IDs now support expanded federation claims (including Entra ID/Okta custom attributes) for device-based access policies.
- Security Patch: Secure Enclave and LocalAuthentication now enforce stricter biometric fallback settings, mitigating known bypass vectors.
Version Requirements
- macOS 27.0 beta 3 v.2 required for new SSO Extension features, Passkey API improvements, and updated MDM payloads.
- Apple Business Manager and MDM solutions must support macOS 27.0 device profiles for full feature compatibility.
WHAT’S COMING: WWDC 2026 Announcements and Previews
- Federated Managed Apple ID Group Claims: Upcoming ability to map Entra ID/Okta groups directly to Apple Business Manager roles for granular app and device access control.
- Passkey Sharing Across Managed Apple ID Tenants: Apple previewed cross-tenant passkey portability for enterprise users, allowing secure credential migration during org transitions.
- Declarative Device Management Expansion: More granular restrictions and identity-based configuration delivery will become available, driven by new Apple MDM protocol capabilities in macOS 27+.
- Private Email Relay for Enterprise Apps: Apple will extend Hide My Email and Private Relay to enterprise and education app contexts, improving privacy for managed users.
WHY THIS IS BETTER: Concrete Improvements
- SSO Extension Reliability: New session management APIs prevent frequent token expiry and re-auth prompts, reducing friction for SSO apps and browser extensions.
- Federation Flexibility: Expanded Managed Apple ID claims allow IT to enforce device compliance and role-based restrictions without complex scripting or external policy engines.
- Biometric Security: Enhanced LocalAuthentication fallback settings ensure Face ID/Touch ID are not silently bypassed, closing compliance gaps for regulated fleets.
- Declarative Management: Push-based device configuration reduces MDM traffic and speeds up enforcement, compared to legacy polling models.
- Compared to Android/Windows: Apple’s platform authenticator APIs now offer parity with Google’s FIDO2 (but with built-in biometric enforcement and device attestation), and SSO Extension is more tightly integrated than Windows Hello for Business.
HOW TO IMPLEMENT OR RESPOND
For Developers: Updated AuthenticationServices Integration
To leverage new Passkey session APIs and improved SSO Extension error handling in macOS 27.0 beta 3:
import AuthenticationServices
class AuthCoordinator: NSObject, ASAuthorizationControllerDelegate {
func startPasskeySignIn() {
let request = ASAuthorizationPlatformPublicKeyCredentialProvider().createCredentialRegistrationRequest()
let controller = ASAuthorizationController(authorizationRequests: [request])
controller.delegate = self
controller.performRequests()
}
func authorizationController(_ controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
if let passkeyCredential = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration {
// Handle registration for passkey
print("Passkey registered: \(passkeyCredential.credentialID)")
}
}
func authorizationController(_ controller: ASAuthorizationController, didCompleteWithError error: Error) {
// New error codes in macOS 27.0
print("SSO/Passkey error: \(error.localizedDescription)")
}
}
For IT Admins: MDM Profile for Enhanced Biometric Enforcement
To enforce stricter biometric fallback and SSO Extension configuration for macOS 27.0:
PayloadContent
PayloadType
com.apple.localauthentication
PayloadVersion
1
BiometricRequired
BiometricFallbackAllowed
PayloadType
com.apple.ssoextension
PayloadVersion
1
ExtensionIdentifier
com.company.sso
ExtensionConfiguration
SessionTimeout
3600
TokenRefresh
PayloadType
Configuration
PayloadVersion
1
PayloadIdentifier
com.company.mdmprofile
PayloadUUID
UUID-GOES-HERE
PayloadDisplayName
Enhanced Biometric & SSO Policies
For Security Engineers: Auditing Passkey and SSO Extension State
Check device compliance and Passkey registration status:
sudo profiles status -type configuration
sudo dscl . -read /Users/$USER AuthenticationAuthority
# Check SSO Extension logs
log show --predicate 'subsystem == "com.apple.ssoextension"' --last 1d
WHAT TO CHECK
- Apple Business Manager: Confirm new Managed Apple ID group mappings in the “Accounts” → “Federation” portal.
- MDM Console: Verify biometric and SSO Extension policies are applied to macOS 27.0 test devices.
- Device: Test Passkey registration and sign-in; ensure fallback to password is blocked if policy set.
- Developer: Validate new AuthenticationServices error codes (
ASAuthorizationError.Code) appear in logs and UI.
BOTTOM LINE
macOS 27.0 beta 3 v.2 introduces foundational identity and security updates for enterprise fleets. IT admins must update MDM profiles to leverage biometric policy enforcement, and developers should integrate new AuthenticationServices APIs now. Prepare for upcoming Managed Apple ID group mapping and cross-tenant passkey migration for seamless, secure user transitions.