July 11, 2026 Stories worth reading. Perspectives worth sharing.
macOS 27 Beta 3: SSO Extension, Managed Apple ID Enhancements, and New Passkey Controls for Enterprise
Apple Identity

macOS 27 Beta 3: SSO Extension, Managed Apple ID Enhancements, and New Passkey Controls for Enterprise

Mo Wasay July 10, 2026 4 min read
macOS 27 Beta 3: SSO Extension, Managed Apple ID Enhancements, and New Passkey Controls for Enterprise

What Apple Just Shipped: macOS 27.0 Beta 3 (26A5378j)

Apple released macOS 27.0 beta 3 (26A5378j) on July 6, 2026. This developer beta introduces:

  • Expanded Single Sign-On Extension (SSO) APIs for enterprise authentication
  • Enhanced Managed Apple ID federation controls aligning with Entra ID, Okta, and Google Workspace
  • Granular passkey management for device compliance and identity workflows
  • New Declarative Device Management payloads for SSO and passkey enforcement
  • Security architecture updates: notarization, LocalAuthentication, Secure Enclave improvements

Beta 3 requires macOS 27.0 (devices released 2022 or later) and Apple Business Manager/MDM platforms supporting the latest beta payloads.

What’s Coming: WWDC26 Announcements and Beta Previews

  • Platform Passkey Restrictions: Admins can now restrict passkey syncing, enforce FIDO2 hardware tokens, or mandate iCloud Keychain for credential storage via MDM.
  • Federated Managed Apple ID Auditing: Robust audit APIs for SCIM-based federation, with cross-provider compliance checks (Entra, Okta, Google).
  • SSO Extension Smart Card Integration: Beta 3 expands SSO Extension to support smart card-backed Kerberos authentication, addressing regulated environments.
  • Declarative Device Management: New payloads for identity enforcement, device attestation, and passkey status reporting.
  • Wallet Digital Credentials: Early support for ISO 18013-5 driver’s licence provisioning and verifiable credential API endpoints.

Why This Is Better: Concrete Advances Over macOS 15–26

  • SSO Extension APIs now enable full app-initiated sign-in with UI/UX parity to native Apple login, previously limited to system-level authentication.
  • Passkey fleet controls fill a gap left by earlier macOS where admins could not restrict platform credential sync, leading to compliance risks.
  • Managed Apple ID federation is now auditable and enforceable via MDM, addressing longstanding gaps in cloud identity lifecycle management.
  • Declarative Device Management payloads allow real-time enforcement and reporting of credential status, reducing drift and manual audit overhead.
  • Smart card support in SSO Extension brings Apple up to parity with Windows Hello for Business in regulated sectors.

Who Is Affected

  • Enterprise IT admins: Managing Apple fleets with ABM/ASM, federated identity, and compliance requirements.
  • Developers: Building apps leveraging SSO Extension, passkey APIs, or integrating with Managed Apple IDs.
  • Security engineers: Responsible for fleet hardening, credential lifecycle, and device attestation.
  • Users: Using passkeys, Managed Apple IDs, or smart card authentication on managed macOS endpoints.

How to Implement or Respond

1. Enforce Passkey Restrictions via MDM (Declarative Device Management)

Push a configuration profile to restrict passkey sync and enforce device credential policies:




  
    PayloadContent
    
      
        PayloadType
        com.apple.passkey.policy
        PayloadDisplayName
        Passkey Enforcement
        PasskeySyncAllowed
        
        FIDO2HardwareTokenRequired
        
      
    
    PayloadType
    Configuration
    PayloadVersion
    1
    PayloadIdentifier
    com.example.passkeypolicy
    PayloadUUID
    ABCDEFGH-1234-5678-90AB-CDEF12345678
    PayloadOrganization
    EnterpriseIT
    PayloadDisplayName
    Passkey Policy
  

2. Integrate SSO Extension with App Authentication

Leverage new SSO Extension APIs in Swift for in-app authentication:


import AuthenticationServices

class AuthManager: NSObject {
    let ssoExtension = ASAuthorizationSingleSignOnExtension()

    func performLogin() {
        let request = ssoExtension.createRequest()
        request.requestedScopes = ["openid", "email"]
        request.providerURL = URL(string: "https://login.contoso.com")!
        request.useSmartCard = true // New in macOS 27

        ssoExtension.performAuthorization(request) { result in
            switch result {
            case .success(let credential):
                // Handle credential, e.g. JWT, assertion
            case .failure(let error):
                // Handle error
            }
        }
    }
}

3. Audit Managed Apple ID Federation Status

Shell audit for SCIM sync status and federated domain health:


# Check federation status in Apple Business Manager
curl -H "Authorization: Bearer $ABM_TOKEN" \
  https://business.apple.com/api/v2/federation/domains | jq '.domains[] | {domain, status, provider}'

4. Device Attestation via Declarative Management

Use new device attestation payloads to verify credential status:



  PayloadType
  com.apple.device.attestation
  EnforceCredentialStatus
  

What to Check

  • Confirm passkey restrictions are active: System Settings → Passwords & Passkeys should show passkey sync disabled and hardware token required.
  • Verify SSO Extension integration: App should present smart card login UI and authenticate via federated provider.
  • Check Managed Apple ID federation: ABM portal Settings → Federation should display domain status and compliance.
  • Validate device attestation: MDM console should report credential status and attestation result per device.

Bottom Line

Prioritise: Immediate testing and staged rollout of passkey restrictions and SSO Extension integration on macOS 27.0 beta 3. Audit Managed Apple ID federation and update Declarative Device Management payloads for credential lifecycle enforcement. These new controls close critical compliance gaps and modernise Apple identity for regulated enterprise fleets.