Skip to content

[API/YAML] macOS setup experience: setup Platform SSO to create local user account with IdP credentials #33262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 10 commits into from
Closed

[API/YAML] macOS setup experience: setup Platform SSO to create local user account with IdP credentials #33262

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9d1cc37
Update rest-api.md
marko-lisica Sep 22, 2025
daf4187
update mdm.macos_setup to include object for create_local_user_account
marko-lisica Sep 22, 2025
c11b820
update
marko-lisica Sep 22, 2025
cc5212d
update
marko-lisica Sep 22, 2025
ab7a990
update yaml to use paths instead of IDs
marko-lisica Sep 23, 2025
b36fef3
Apply suggestion from @rachaelshaw
marko-lisica Oct 8, 2025
4a9a0b3
Apply suggestion from @marko-lisica
marko-lisica Oct 8, 2025
21f2b18
Apply suggestion from @marko-lisica
marko-lisica Oct 8, 2025
3178bda
Apply suggestion from @rachaelshaw
marko-lisica Oct 8, 2025
dbb0add
Merge branch 'docs-v4.76.0' into 30674-api-changes
marko-lisica Oct 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion docs/Configuration/yaml-files.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -368,6 +368,9 @@ controls:
macos_setup: # Available in Fleet Premium
bootstrap_package: https://example.org/bootstrap_package.pkg
enable_end_user_authentication: true
create_local_user_account:
configuration_profile_path: ../lib/platform-sso.mobileconfig
software_package_path: ../lib/company-portal.package.yml
enable_release_device_manually: true
macos_setup_assistant: ../lib/dep-profile.json
script: ../lib/macos-setup-script.sh
Expand Down Expand Up @@ -442,7 +445,8 @@ The `macos_setup` section lets you control the out-of-the-box macOS [setup exper

- `bootstrap_package` is the URL to a bootstrap package. Fleet will download the bootstrap package (default: `""`).
- `manual_agent_install` specifies whether Fleet's agent (fleetd) will be installed as part of setup experience. (default: `false`)
- `enable_end_user_authentication` specifies whether or not to require end user authentication when the user first sets up their macOS host.
- `enable_end_user_authentication` specifies whether or not to require end user authentication when the user first sets up their macOS host.
- `create_local_user_account` is the object that specifies path to Platform SSO configuration profile and path to SSO extension software package used to automatically create a local user account when the user first sets up their macOS host.
- `enable_release_device_manually` when enabled, you're responsible for sending the [`DeviceConfigured` command](https://developer.apple.com/documentation/devicemanagement/device-configured-command). End users will be stcuk in Setup Assistant until this command is sent.
- `macos_setup_assistant` is a path to a custom automatic enrollment (ADE) profile (.json).
- `script` is the path to a custom setup script to run after the host is first set up.
Expand Down
38 changes: 37 additions & 1 deletion docs/REST API/rest-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1194,6 +1194,10 @@ None.
"macos_setup": {
"bootstrap_package": "",
"enable_end_user_authentication": false,
"create_local_user_account": {
"configuration_profile_id": 24,
"software_id": 3876
}
"macos_setup_assistant": "path/to/config.json",
"enable_release_device_manually": false,
"manual_agent_install": false
Expand Down Expand Up @@ -6465,6 +6469,7 @@ _Available in Fleet Premium_
| ------------- | ------ | ---- | -------------------------------------------------------------------------------------- |
| team_id | integer | body | The team ID to apply the settings to. Settings applied to hosts in no team if absent. |
| enable_end_user_authentication | boolean | body | When enabled, require end users to authenticate with your identity provider (IdP) when they set up their new macOS hosts. |
| create_local_user_account | object | See [`create_local_user_account`](#create-local-user-account). `enable_end_user_authentication` must be true |
| enable_release_device_manually | boolean | body | When enabled, you're responsible for sending the [`DeviceConfigured` command](https://developer.apple.com/documentation/devicemanagement/device-configured-command). End users will be stuck in Setup Assistant until this command is sent. |
| manual_agent_install | boolean | body | If set to `true` Fleet's agent (fleetd) won't be installed as part of automatic enrollment (ADE) on macOS hosts. (Default: `false`) |

Expand All @@ -6478,6 +6483,10 @@ _Available in Fleet Premium_
{
"team_id": 1,
"enable_end_user_authentication": true,
"create_local_user_account": {
"configuration_profile_id": 24,
"software_id": 3876,
},
"enable_release_device_manually": true
}
```
Expand All @@ -6486,6 +6495,19 @@ _Available in Fleet Premium_

`Status: 204`

##### create_local_user_account

_Available in Fleet Premium._

Specify Platform SSO configuration profile and SSO extension software.

`create_local_user_account` is an object with the following structure:

| Name | Type | Description |
| --------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| configuration_profile_id | integer | The ID of the Platform SSO configuration profile [added to the team](#list-custom-os-settings-configuration-profiles). |
| software_title_id | integer | The ID of the SSO extension software [added to the team](#list-software) that's available for install. |

Copy link
Member Author

@marko-lisica marko-lisica Sep 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note:

  • If the user specifies create_local_user_account object without specifying enable_end_user_authentication as true, throw an error:
    • 'Couldn't edit. "enable_end_user_authentication" is required to enable "create_local_user_account" option.'
  • If the user specifies create_local_user_account object without specifying both required fields, throw an error:
    • 'Couldn't edit. "create_local_user_account" object must include both "configuration_profile_id" and "software_id" fields.'
  • If the user specifies a non-existent configuration_profile_id, throw an error:
    • 'Couldn't edit. Specified "configuration_profile_id" doesn't exist on the team.'
  • If the user specifies a non-existent software_id, throw an error:
    • 'Couldn't edit. Specified "software_id" doesn't exist on the team.'
  • If the user specifies a configuration_profile_id that doesn't have com.apple.extensiblesso PayloadType, throw an error:
    • 'Couldn't edit. The configuration profile must have "com.apple.extensiblesso" PayloadType.'
  • If the user specifies a configuration_profile_id that doesn't include EnableRegistrationDuringSetup set to true, throw an error:
    • 'Couldn't edit. The configuration profile must include "EnableRegistrationDuringSetup" set to true.'
  • If the user specifies a software_id that's already available in GET /api/v1/fleet/setup_experience/software, throw an error:
    • 'Couldn't edit. The software is already selected as setup experience software. Please remove it from there first.'

Copy link
Member Author

@marko-lisica marko-lisica Sep 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note:

  • If the user tries to delete software (package), that is already added to create_local_user_account, throw an error (DELETE /api/v1/fleet/software/titles/:software_title_id/available_for_install).
    • 'Couldn't delete. The software is added to "create_local_user_account". Please remove it from there first.'
  • If the user tries to delete a configuration profile that is already added to create_local_user_account, throw an error (DELETE /api/v1/fleet/configuration_profiles/:profile_uuid).
    • 'Couldn't delete. The configuration profile is added to "create_local_user_account". Please remove it from there first.'
  • If the user tries to add a setup experience software that is already added to create_local_user_account, throw an error (PUT /api/v1/fleet/setup_experience/software).
    • 'Couldn't save software. The software is added to "create_local_user_account". Please remove it from there first.'


### Upload an EULA file

Expand Down Expand Up @@ -12234,6 +12256,20 @@ _Available in Fleet Premium_
| Name | Type | Description |
| --------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| enable_end_user_authentication | boolean | If set to true, end user authentication will be required during automatic MDM enrollment of new macOS hosts. Settings for your IdP provider must also be [configured](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula). |
| create_local_user_account | object | See [`mdm.macos_setup.create_local_user_account`](#mdm-macos-setup-create-local-user-account). `enable_end_user_authentication` must be true |

##### mdm.macos_setup.create_local_user_account

_Available in Fleet Premium._

Specify Platform SSO configuration profile and SSO extension software.

`mdm.macos_setup.create_local_user_account` is an object with the following structure:

| Name | Type | Description |
| --------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| configuration_profile_id | integer | The ID of the Platform SSO configuration profile [added to the team](#list-custom-os-settings-configuration-profiles). |
| software_title_id | integer | The ID of the SSO extension software [added to the team](#list-software) that's available for install. |

<br/>

Expand Down Expand Up @@ -12276,7 +12312,7 @@ _Available in Fleet Premium_
]
},
"macos_setup": {
"enable_end_user_authentication": false
"enable_end_user_authentication": false,
}
}
}
Expand Down
Loading