July 16, 2026 Stories worth reading. Perspectives worth sharing.
macOS 27.0 Beta 3 v.2: New Identity APIs, SSO Extension Upgrades, and MDM Security Enhancements
Apple Identity

macOS 27.0 Beta 3 v.2: New Identity APIs, SSO Extension Upgrades, and MDM Security Enhancements

Mo Wasay July 15, 2026 4 min read
macOS 27.0 Beta 3 v.2: New Identity APIs, SSO Extension Upgrades, and MDM Security Enhancements

WHAT APPLE JUST SHIPPED: macOS 27.0 Beta 3 v.2 (26A5378n)

Apple has released macOS 27.0 beta 3 v.2 (build 26A5378n), available to registered developers. This build aligns with developer previews of iOS 18 and macOS 15, but introduces specific updates directly relevant for enterprise authentication, Single Sign-On (SSO) Extension, and MDM policy enforcement.

  • API Update: AuthenticationServices gains refined Passkey and SSO Extension support, with improved error handling and session reliability.
  • Platform Change: Managed Apple IDs now support expanded federation claims (including Entra ID/Okta custom attributes) for device-based access policies.
  • Security Patch: Secure Enclave and LocalAuthentication now enforce stricter biometric fallback settings, mitigating known bypass vectors.

Version Requirements

  • macOS 27.0 beta 3 v.2 required for new SSO Extension features, Passkey API improvements, and updated MDM payloads.
  • Apple Business Manager and MDM solutions must support macOS 27.0 device profiles for full feature compatibility.

WHAT’S COMING: WWDC 2026 Announcements and Previews

  • Federated Managed Apple ID Group Claims: Upcoming ability to map Entra ID/Okta groups directly to Apple Business Manager roles for granular app and device access control.
  • Passkey Sharing Across Managed Apple ID Tenants: Apple previewed cross-tenant passkey portability for enterprise users, allowing secure credential migration during org transitions.
  • Declarative Device Management Expansion: More granular restrictions and identity-based configuration delivery will become available, driven by new Apple MDM protocol capabilities in macOS 27+.
  • Private Email Relay for Enterprise Apps: Apple will extend Hide My Email and Private Relay to enterprise and education app contexts, improving privacy for managed users.

WHY THIS IS BETTER: Concrete Improvements

  • SSO Extension Reliability: New session management APIs prevent frequent token expiry and re-auth prompts, reducing friction for SSO apps and browser extensions.
  • Federation Flexibility: Expanded Managed Apple ID claims allow IT to enforce device compliance and role-based restrictions without complex scripting or external policy engines.
  • Biometric Security: Enhanced LocalAuthentication fallback settings ensure Face ID/Touch ID are not silently bypassed, closing compliance gaps for regulated fleets.
  • Declarative Management: Push-based device configuration reduces MDM traffic and speeds up enforcement, compared to legacy polling models.
  • Compared to Android/Windows: Apple’s platform authenticator APIs now offer parity with Google’s FIDO2 (but with built-in biometric enforcement and device attestation), and SSO Extension is more tightly integrated than Windows Hello for Business.

HOW TO IMPLEMENT OR RESPOND

For Developers: Updated AuthenticationServices Integration

To leverage new Passkey session APIs and improved SSO Extension error handling in macOS 27.0 beta 3:

import AuthenticationServices

class AuthCoordinator: NSObject, ASAuthorizationControllerDelegate {
    func startPasskeySignIn() {
        let request = ASAuthorizationPlatformPublicKeyCredentialProvider().createCredentialRegistrationRequest()
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.performRequests()
    }
    
    func authorizationController(_ controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        if let passkeyCredential = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration {
            // Handle registration for passkey
            print("Passkey registered: \(passkeyCredential.credentialID)")
        }
    }
    
    func authorizationController(_ controller: ASAuthorizationController, didCompleteWithError error: Error) {
        // New error codes in macOS 27.0
        print("SSO/Passkey error: \(error.localizedDescription)")
    }
}

For IT Admins: MDM Profile for Enhanced Biometric Enforcement

To enforce stricter biometric fallback and SSO Extension configuration for macOS 27.0:




 
  PayloadContent
  
   
    PayloadType
    com.apple.localauthentication
    PayloadVersion
    1
    BiometricRequired
    
    BiometricFallbackAllowed
    
   
   
    PayloadType
    com.apple.ssoextension
    PayloadVersion
    1
    ExtensionIdentifier
    com.company.sso
    ExtensionConfiguration
    
      SessionTimeout
      3600
      TokenRefresh
      
    
   
  
  PayloadType
  Configuration
  PayloadVersion
  1
  PayloadIdentifier
  com.company.mdmprofile
  PayloadUUID
  UUID-GOES-HERE
  PayloadDisplayName
  Enhanced Biometric & SSO Policies
 

For Security Engineers: Auditing Passkey and SSO Extension State

Check device compliance and Passkey registration status:

sudo profiles status -type configuration
sudo dscl . -read /Users/$USER AuthenticationAuthority
# Check SSO Extension logs
log show --predicate 'subsystem == "com.apple.ssoextension"' --last 1d

WHAT TO CHECK

  • Apple Business Manager: Confirm new Managed Apple ID group mappings in the “Accounts” → “Federation” portal.
  • MDM Console: Verify biometric and SSO Extension policies are applied to macOS 27.0 test devices.
  • Device: Test Passkey registration and sign-in; ensure fallback to password is blocked if policy set.
  • Developer: Validate new AuthenticationServices error codes (ASAuthorizationError.Code) appear in logs and UI.

BOTTOM LINE

macOS 27.0 beta 3 v.2 introduces foundational identity and security updates for enterprise fleets. IT admins must update MDM profiles to leverage biometric policy enforcement, and developers should integrate new AuthenticationServices APIs now. Prepare for upcoming Managed Apple ID group mapping and cross-tenant passkey migration for seamless, secure user transitions.