Passport Compatibility with macOS & Kandji Features

By Corey Willis

To provide the best user experience, you must understand how Passport interacts with other Library Items, Parameters, macOS Features & Applications

When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Library Items

Automated Device Enrollment

When using Passport, select Skip primary account creation under Primary account type. That way, when users arrive at the Passport login screen and log in using their IdP credentials, their Mac account will be provisioned. 

If you do not skip account creation, the device will display an error when attempting to create the local user account.

k8f8u6Spr7hwnVVjxWID1f6C5ccUXurSYw

If using Require Authentication within Automated Device Enrollment and assigning a user to a device record, it is not recommended to prefill initial account creation details.  Passport will use the account details provided upon the user's first login via the Passport login window. 


Passcode

When using Passport, it is highly recommended that the Passcode library item be removed from any Blueprint containing Passport. Your IdP should handle password requirements. If passcode requirements set by your IdP are less restrictive than those set by the Passcode library item, it will result in the user being unable to change their password because it doesn't meet the password requirements of the local Mac.

If you need to enforce the Passcode policies for Require Passcode After Sleep or Screen Saver Begins and/or Start Screen Saver After settings, these are compatible with Passport. If you need to deploy these two settings, ensure that every other Passcode setting is disabled to avoid password sync issues.

Login Window

The Login Window Library Item contains some items that are compatible with Passport.

Compatible Options

The Set lock message option on the Login Window Libray item is compatible with Passport.

The options listed in the Logged in users section of Login Window Libray item are compatible with Passport.


Fast user switching should be disabled for devices running macOS 13 or lower as it does not use Passport authentication when switching. Devices running macOS 14 or newer can use fast user switching with Passport without issues.

Incompatible Options

The items in the Menu Bar section of the Login Window Library Item are incompatible with Passport and should be unchecked.


The items in the User Visibility section of the Login Window Library Item are incompatible with Passport and should be unchecked. The added benefit of unchecking this setting is that users will not have a prompt to enter their username. This will avoid confusion between using their full email address at the Passport Login Window and their local shortname at the FileVault Login Window.


The items in the Options sections of the Login Window Library Item are incompatible with Passport and should be unchecked.


Network & Wi-Fi

In order to contact the IdP, Passport needs network connectivity. It’s common for people to use a portable Mac in various locations that provide a Wi-Fi network that the Mac has not yet joined. Passport displays a Wi-Fi icon in the upper-right corner of the screen. You can click the Wi-Fi icon to join a Wi-Fi network that accepts a password to join the network. At this time, Passport does not support networks that utilize captive portal, click-through authentication, or enterprise networks that require a username and password for 802.1x authentication.

Parameters

Enforce a Custom Policy Banner

If you are using the Enforce a custom policy banner parameter, disable it for any Blueprints containing the Passport library item.

MmE4U0zLM1MPMl4LSEgyFcq8HnWJC_Fvsw

Demote user accounts to Standard

Since Passport evaluates the User account type, and may change it from Administrator to Standard or vice versa, combination with the Demote user accounts to Standard Parameter can cause reboot loops. If provisioning User accounts as administrators in your Passport Library Item, ensure the Demote user accounts to Standard Parameter is not enabled in the same Blueprint. Using the Demote user accounts to Standard Parameter on a Blueprint with Passport assigned is not recommended.

Secure Wi-Fi Settings

Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS. You can use the Secure Wi-Fi Settings parameter in Kandji to require local administrator credentials to change networks. If enabled, users will be prompted with a native authentication dialog at the Passport window when switching networks. 

keUTaMwMIKuVWv1jfMiB8onJcJGccAoUEA

To ensure that users can always log in to their Mac computers, Passport will allow them to log in using their IdP credentials when there is no network connectivity.

macOS Features

Migration Assistant

Using Migration Assistant with Passport is not supported. If Migration Assistant was used with Passport, you can follow these steps to resolve the issue. When using migration assistant to migrate data from a device that is enrolled in Kandji, please remove Passport from the device that you are migrating from before attempting a migration. If Passport remains on the device and is migrated to the target device, users may get stuck at the Passport screen and won't be able to proceed.

If you need assistance remediating this situation, please reach out to support.

Managed Apple ID alias

In some situations, a user may be logged in to an Apple ID with an account name that matches the IdP account name. Much like Passport, an alias is created in the local directory to match this Apple ID account name. When the Apple ID matches the IdP account name, a collision can occur that will prevent the user from signing in with the IdP account name.

This collision happens only when the user signs out of the Apple ID. The sign-out process removes the alias for the Apple ID. Since this alias matches the account name used by Passport, it removes the alias for Passport as well.

To resolve this, the alias must be restored. This can be done manually using the Users & Groups pane in System Settings (or System Preferences) or in the Directory Utility app on the local computer.

If you need assistance remediating this situation, please reach out to support.

Mobile Accounts

Passport is compatible with local macOS accounts. Mobile accounts are unsupported. Before using Passport, convert existing mobile accounts to local accounts for successful account merging.