macOS 27 Beta 3: SSO Extension, Managed Apple ID Enhancements, and New Passkey Controls for Enterprise

What Apple Just Shipped: macOS 27.0 Beta 3 (26A5378j)
Apple released macOS 27.0 beta 3 (26A5378j) on July 6, 2026. This developer beta introduces:
- Expanded Single Sign-On Extension (SSO) APIs for enterprise authentication
- Enhanced Managed Apple ID federation controls aligning with Entra ID, Okta, and Google Workspace
- Granular passkey management for device compliance and identity workflows
- New Declarative Device Management payloads for SSO and passkey enforcement
- Security architecture updates: notarization, LocalAuthentication, Secure Enclave improvements
Beta 3 requires macOS 27.0 (devices released 2022 or later) and Apple Business Manager/MDM platforms supporting the latest beta payloads.
What’s Coming: WWDC26 Announcements and Beta Previews
- Platform Passkey Restrictions: Admins can now restrict passkey syncing, enforce FIDO2 hardware tokens, or mandate iCloud Keychain for credential storage via MDM.
- Federated Managed Apple ID Auditing: Robust audit APIs for SCIM-based federation, with cross-provider compliance checks (Entra, Okta, Google).
- SSO Extension Smart Card Integration: Beta 3 expands SSO Extension to support smart card-backed Kerberos authentication, addressing regulated environments.
- Declarative Device Management: New payloads for identity enforcement, device attestation, and passkey status reporting.
- Wallet Digital Credentials: Early support for ISO 18013-5 driver’s licence provisioning and verifiable credential API endpoints.
Why This Is Better: Concrete Advances Over macOS 15–26
- SSO Extension APIs now enable full app-initiated sign-in with UI/UX parity to native Apple login, previously limited to system-level authentication.
- Passkey fleet controls fill a gap left by earlier macOS where admins could not restrict platform credential sync, leading to compliance risks.
- Managed Apple ID federation is now auditable and enforceable via MDM, addressing longstanding gaps in cloud identity lifecycle management.
- Declarative Device Management payloads allow real-time enforcement and reporting of credential status, reducing drift and manual audit overhead.
- Smart card support in SSO Extension brings Apple up to parity with Windows Hello for Business in regulated sectors.
Who Is Affected
- Enterprise IT admins: Managing Apple fleets with ABM/ASM, federated identity, and compliance requirements.
- Developers: Building apps leveraging SSO Extension, passkey APIs, or integrating with Managed Apple IDs.
- Security engineers: Responsible for fleet hardening, credential lifecycle, and device attestation.
- Users: Using passkeys, Managed Apple IDs, or smart card authentication on managed macOS endpoints.
How to Implement or Respond
1. Enforce Passkey Restrictions via MDM (Declarative Device Management)
Push a configuration profile to restrict passkey sync and enforce device credential policies:
PayloadContent
PayloadType
com.apple.passkey.policy
PayloadDisplayName
Passkey Enforcement
PasskeySyncAllowed
FIDO2HardwareTokenRequired
PayloadType
Configuration
PayloadVersion
1
PayloadIdentifier
com.example.passkeypolicy
PayloadUUID
ABCDEFGH-1234-5678-90AB-CDEF12345678
PayloadOrganization
EnterpriseIT
PayloadDisplayName
Passkey Policy
2. Integrate SSO Extension with App Authentication
Leverage new SSO Extension APIs in Swift for in-app authentication:
import AuthenticationServices
class AuthManager: NSObject {
let ssoExtension = ASAuthorizationSingleSignOnExtension()
func performLogin() {
let request = ssoExtension.createRequest()
request.requestedScopes = ["openid", "email"]
request.providerURL = URL(string: "https://login.contoso.com")!
request.useSmartCard = true // New in macOS 27
ssoExtension.performAuthorization(request) { result in
switch result {
case .success(let credential):
// Handle credential, e.g. JWT, assertion
case .failure(let error):
// Handle error
}
}
}
}
3. Audit Managed Apple ID Federation Status
Shell audit for SCIM sync status and federated domain health:
# Check federation status in Apple Business Manager
curl -H "Authorization: Bearer $ABM_TOKEN" \
https://business.apple.com/api/v2/federation/domains | jq '.domains[] | {domain, status, provider}'
4. Device Attestation via Declarative Management
Use new device attestation payloads to verify credential status:
PayloadType
com.apple.device.attestation
EnforceCredentialStatus
What to Check
- Confirm passkey restrictions are active: System Settings → Passwords & Passkeys should show passkey sync disabled and hardware token required.
- Verify SSO Extension integration: App should present smart card login UI and authenticate via federated provider.
- Check Managed Apple ID federation: ABM portal Settings → Federation should display domain status and compliance.
- Validate device attestation: MDM console should report credential status and attestation result per device.
Bottom Line
Prioritise: Immediate testing and staged rollout of passkey restrictions and SSO Extension integration on macOS 27.0 beta 3. Audit Managed Apple ID federation and update Declarative Device Management payloads for credential lifecycle enforcement. These new controls close critical compliance gaps and modernise Apple identity for regulated enterprise fleets.