Platform SSO for macOS with Microsoft Entra ID

What It Is, Why It Matters, and How to Roll It Out

The Big Picture:

On August 12, 2025, Microsoft officially made Platform SSO for macOS generally available. If you’ve been following along since the Public Preview back in May 2024, you’ll know this is a big deal.

In plain English: this means your users can log in to their Mac with their Microsoft Entra ID and immediately be signed in everywhere they need to be: Office apps, browsers, the works, without re-entering credentials all day.

It’s cleaner, more secure, and a huge step forward if you’re trying to modernize macOS authentication in a Microsoft-heavy environment.

How It Works:

At the heart of Platform SSO is the Microsoft Enterprise SSO plug-in for Apple devices. On macOS, it lives inside the Intune Company Portal app; on iOS/iPadOS, it’s in Microsoft Authenticator.

Here’s what it does:

- Intercepts login requests to Microsoft identity endpoints (OAuth, SAML, WS-Fed — all the usual suspects).
- Injects a valid sign-in session so the user never sees another login screen.
- Works even for apps that aren’t written with Microsoft’s MSAL libraries.

To make all this work securely, your device gets a Workplace Join (WPJ) certificate. Think of this as the Mac’s official “I belong to this tenant” ID card.

When the user logs in, the plug-in hands over a Primary Refresh Token (PRT), which then silently authenticates apps and browsers.

Your Authentication Options:

When you enable Platform SSO, you have a choice in how people sign in:

- Secure Enclave (passwordless): Uses the Mac’s Secure Enclave to store a cryptographic key bound to the device. Users unlock with Touch ID, and the rest just happens. Strongest option for security and user experience.
- Smart Card / FIDO2 key: Ideal if your org is already using physical tokens or cards. Works with YubiKeys, CAC/PIV cards, etc.
- Password Sync: The user’s Entra ID password becomes their Mac login password. Good for easing people into the new setup without changing habits.

What You Need Before You Start:

- macOS 13 or newer (14+ recommended for full feature support)
- Intune Company Portal version 5.2404.0 or later (newer is better)
- Devices must be MDM enrolled — Intune, ABM, Jamf, whatever you use
- Your network must allow Microsoft identity endpoints without breaking TLS

How to Deploy It in Intune:

Here’s the 30,000-foot view of the rollout process:

1. Create a Platform SSO policy in Intune. Go to Devices → Configuration → Create Settings Catalog Policy. Platform: macOS. Configure the “Extensible Single Sign-On” settings. Choose your authentication method (Secure Enclave, Smart Card, or Password). If you’ve got a mix of macOS 13 and 14, set both old and new keys to cover everyone.

2. Deploy the Company Portal app. Make sure you’re pushing the latest version to all Macs.

3. Enroll your devices. For new hardware, use Apple Business Manager automated enrollment. For existing devices, have users install Company Portal and sign in.

4. Watch for the registration prompt. Users will see “Registration required” in macOS notifications. Once they sign in, the Mac gets its WPJ certificate and SSO just works.

5. Verify it’s working. On the Mac, check System Settings → Privacy & Security → Profiles for the SSO profile. Remove any old SSO extension profiles to avoid conflicts.
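A pre-flight script for the prerequisites and the verification step above, added here as an example and not taken from Microsoft, Intune or Company Portal documentation. It checks the macOS and Company Portal minimums the post lists and, on a Mac, prints the Platform SSO registration state; the Company Portal install path and the use of the `app-sso platform -s` and `profiles list` commands are assumptions about the local machine.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the Platform SSO
# prerequisites above. Assumes the default Company Portal install path and the macOS
# tools sw_vers, defaults, app-sso and profiles; probes are skipped where those are absent.
MIN_MACOS="13.0"                  # 14+ recommended for full feature support
MIN_COMPANY_PORTAL="5.2404.0"
CP_PLIST="/Applications/Company Portal.app/Contents/Info.plist"

# version_ge A B: succeed when dotted version A is >= B, comparing each numeric
# field in turn and treating missing trailing fields as 0 (so 13 == 13.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# report NAME VERSION MIN: print ok/FAIL for one prerequisite; non-zero when too old.
report() {
  if version_ge "$2" "$3"; then echo "ok:   $1 $2 (minimum $3)"; return 0; fi
  echo "FAIL: $1 $2 is below the minimum $3"; return 1
}

check_macos() {
  command -v sw_vers >/dev/null 2>&1 || { echo "skip: sw_vers not found (not macOS)"; return 0; }
  report "macOS" "$(sw_vers -productVersion)" "$MIN_MACOS"
}

check_company_portal() {
  [ -f "$CP_PLIST" ] || { echo "FAIL: Company Portal not installed at $CP_PLIST"; return 1; }
  report "Company Portal" "$(defaults read "$CP_PLIST" CFBundleShortVersionString)" "$MIN_COMPANY_PORTAL"
}

# Step 5 of the rollout: show the Platform SSO registration state and any installed
# profile mentioning SSO (run with sudo to include device-level profiles).
check_sso_state() {
  command -v app-sso >/dev/null 2>&1 || { echo "skip: app-sso not found (not macOS)"; return 0; }
  echo "--- app-sso platform -s ---"; app-sso platform -s
  echo "--- profiles mentioning SSO ---"; profiles list 2>/dev/null | grep -i sso || echo "none found"
}

if [ "${1:-}" = "--run" ]; then check_macos; check_company_portal; check_sso_state; fi
```

Run it as `sh psso-preflight.sh --run` on the Mac being onboarded; a FAIL line on either version check means the device is not yet ready for the Platform SSO profile.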

Tips from the Field

- Stay up to date: several early adopters ran into extra MFA prompts until they upgraded to macOS 15.4.1.
- Plan your authentication method early: switching from password sync to Secure Enclave later can cause a little user confusion.
- Allow the right network traffic: if you’re using a TLS-intercepting proxy, whitelist Microsoft identity URLs.

Why You (and Your Users) Will Like It

- For users: No more juggling passwords or signing into each app separately. Touch ID unlocks the Mac and everything else just works.
- For IT: Cleaner onboarding, fewer password resets, and tighter integration with Conditional Access.
- For security: Built-in phishing resistance and better compliance with modern Zero Trust strategies.

The Bottom Line

Platform SSO on macOS with Microsoft Entra ID brings Mac authentication up to the same modern standard we’ve had on Windows for a while. It’s smoother for end users, stronger for security teams, and finally gives IT admins a proper, supported way to integrate Macs into an Entra-first environment.

If you’ve been holding off because it was “just in preview”, now’s the time to start piloting it.

Why You Probably Don’t Need a VPN on Public Wi-Fi Anymore

For years, tech advice blogs and security gurus have hammered home one warning: “Never use public Wi-Fi without a VPN!”

That advice made sense back in the early 2010s when coffee shop hotspots were the Wild West of open, unencrypted traffic. But times have changed. Thanks to widespread encryption and better default security, the average person no longer needs a VPN just to check email at Starbucks.

Here’s why.

1. HTTPS Is Now Everywhere

In the past, most websites didn’t encrypt your connection. That meant someone on the same Wi-Fi network could “sniff” your traffic and read everything: passwords, messages, you name it.

Today, over 95% of web traffic uses HTTPS by default. This encryption happens end-to-end between your browser and the website, even over open Wi-Fi. Your data is scrambled before it ever leaves your device, making it unreadable to anyone nearby.

2. Wi-Fi Encryption Itself Has Improved

Most modern public hotspots (including those in cafes, airports, and hotels) use WPA2 or WPA3 encryption, even if they don’t require a password. This prevents casual eavesdropping and makes it much harder for attackers to spy on your traffic without already compromising the network.

3. The “Evil Twin” Risk Is Overblown

Yes, a determined attacker could set up a fake hotspot with the same name as a legitimate one. But in practice, this is rare, and your device will usually warn you if a network’s encryption or certificate doesn’t match expectations. Using HTTPS also prevents fake hotspots from stealing sensitive info, since they can’t decrypt secure traffic.

4. VPNs Can Actually Make You Less Secure

Not all VPNs are trustworthy. Many “free” VPNs log your browsing activity or sell your data. Even some paid VPNs have been caught storing logs despite promising not to. If you route all your traffic through an untrustworthy VPN provider, you’re just trading one potential eavesdropper (the coffee shop) for another (the VPN company).

5. Your Biggest Risks Aren’t From the Wi-Fi Itself

Most modern attacks target your device directly, through phishing links, malicious downloads, or compromised apps, not by passively sniffing your connection. A VPN won’t protect you from those. Good password hygiene, software updates, and cautious clicking will.

So When Is a VPN Worth It?

- Bypassing censorship (e.g., in restrictive countries)
- Accessing region-locked services
- Hiding your IP address from the sites you visit

If those aren’t your goals, you can probably skip the VPN for everyday café browsing.

The Bottom Line

A few years ago, using a VPN on public Wi-Fi was basic survival. Today, it’s more of a niche tool. With HTTPS, WPA2/3, and better OS-level protections, your data is already encrypted by default. Focus on real security basics (strong passwords, multi-factor authentication, and staying alert to scams) and you can sip that latte in peace.

Why Small Businesses Need a Disaster Recovery Plan Even With Microsoft 365

Many small business owners breathe a sigh of relief when they move their email, documents, and collaboration tools into Microsoft 365. After all, it’s cloud-based, it’s secure, and it’s managed by one of the biggest technology companies in the world.

But here’s the truth: while Microsoft 365 offers strong infrastructure and uptime guarantees, it’s not a replacement for your own disaster recovery (DR) strategy.

The Misconception: “The Cloud Is My Backup”

Microsoft 365 is designed for availability, not complete data protection from every scenario.

Microsoft’s shared responsibility model makes it clear:

- Microsoft is responsible for keeping the platform running and protecting it from hardware failure, natural disasters, and cyberattacks on its own systems.
- You are responsible for the security, backup, and recovery of your data in the event of accidental deletion, malicious insiders, ransomware, or misconfigurations.

This means if a staff member accidentally deletes an important OneDrive folder, or a disgruntled employee wipes SharePoint files, Microsoft isn’t obligated to restore them beyond limited retention windows — and sometimes, that’s not enough.

Risks Small Businesses Face in Microsoft 365

Even in the cloud, your business is still vulnerable to:

- Accidental deletion: Users may delete files or emails and not realise until it’s too late.
- Malware & ransomware: Syncing infected files can propagate malicious data across your organisation.
- Malicious insiders: Disgruntled employees may intentionally delete or alter critical business data.
- Account compromise: Phishing or credential theft could lead to unauthorised access and data theft.
- Retention gaps: Microsoft’s default retention and recycle bin policies might not meet compliance or recovery needs.

Building a Disaster Recovery Plan Around Microsoft 365

Here’s how a small business can set up a strong DR approach without needing an enterprise IT department.

1. Understand Microsoft’s Retention Policies

Familiarise yourself with the retention capabilities built into Microsoft 365:

- Deleted Items & Recycle Bin: Emails and files can often be restored for up to 30–93 days.
- Litigation Hold & Retention Policies: Available in some plans to preserve data for compliance.

These are a starting point — not a complete safety net.

2. Use a Third-Party Backup Solution

A dedicated Microsoft 365 backup tool is essential. Look for solutions that:

- Automatically back up Exchange Online, SharePoint, OneDrive, and Teams data.
- Offer flexible retention periods (e.g., 1 year, 7 years, or indefinitely).
- Support granular restores (individual emails, files, or chat messages).
- Store backups in a different cloud region or even on-premises.

Popular options include Veeam Backup for Microsoft 365, AvePoint Cloud Backup, and Datto SaaS Protection.

3. Implement Strong Access & Security Controls

DR isn’t just about backups — it’s about preventing the disaster in the first place:

- Enforce Multi-Factor Authentication (MFA) for all users.
- Use Conditional Access to restrict sign-ins from risky locations.
- Regularly review admin accounts and reduce unnecessary privileges.

4. Document Recovery Procedures

In a crisis, you don’t want to figure things out on the fly. Keep a written, accessible plan:

- How to restore from Microsoft’s built-in tools.
- How to access and restore from third-party backups.
- Contact details for your IT provider or managed service partner.

5. Test Your Recovery Plan

A DR plan is only as good as its last test.

At least twice a year:

- Simulate data loss scenarios.
- Time how long it takes to recover.
- Review whether recovery points meet your business needs.

The Bottom Line

Microsoft 365 is a powerful platform, but it doesn’t eliminate the need for a disaster recovery plan. For small businesses, the cost of downtime or data loss can be devastating — both financially and reputationally.

By combining Microsoft 365’s built-in features with a third-party backup solution, well-defined recovery procedures, and regular testing, you can ensure your business can bounce back quickly from the unexpected.

In the cloud or not, disaster recovery is still your responsibility — and your safety net.