Kandji Passport validates the credentials users provide during Mac login against their organization’s cloud-based identity provider (IdP), so those users need just one password for both their local Mac accounts and single sign-on services.

When Passport is active on a Mac, the computer sends an authentication request to the identity provider using OpenID Connect (OIDC) every time a user logs in. If the identity provider approves that request, Passport checks that the password the IdP just accepted matches the password of the local Mac account, then logs the user in. If the Mac account password is different, Passport updates it to bring the local account back in sync with the IdP.

Passport is an optional add-on to Kandji that is enabled and configured like any other library item. Once that’s done, the next time users log in they’ll see Passport’s login window, which replaces the macOS login window but preserves the native look and feel. There, they can unlock their computers using their single sign-on credentials. Passport works with OIDC-compliant providers including Okta, OneLogin, and Microsoft Azure. To set up Passport, admins must at a minimum enter the identity provider’s OIDC well-known configuration endpoint and the ID of the OIDC application.
But there are several customization options beyond that. For example, admins can optionally configure user-provisioning settings so that, the first time a user correctly enters their SSO credentials at the login window, Passport can set up a Mac account. Passport can also be configured to respond appropriately if there is already an account on the Mac.
Admins can also specify which users have access to the Mac and whether FileVault's automatic login is enabled. A "Store user password" option allows Passport to securely change the Mac account password to match the IdP's. Additionally, the Passport login window itself can be customized with company branding, desktop picture, lock message, and more. That customization includes adding a URL for password resets, so that all password changes are made directly with the identity provider.
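The login flow described above (IdP approval over OIDC, then a check of the local Mac password and a resync if it has drifted, with optional provisioning of a missing local account) is easier to reason about as code. The following is an added illustration, not Kandji's or Passport's own code: the identity provider is mocked in-process, the discovery document (`DISCOVERY`), application ID (`APP_ID`), signing key (`IDP_KEY`), IdP user directory (`IDP_USERS`), the `LocalAccounts` store and the function names are all constructed for this example, and tokens are HMAC-signed only so the example runs offline (a real IdP signs ID tokens with asymmetric keys published at `jwks_uri`). What it shows beyond the text is the set of checks a login window must make on the IdP's answer (signature, issuer, audience, nonce, expiry) before it trusts that approval enough to change a local password.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed stand-in for the IdP's OIDC well-known configuration document.
DISCOVERY = {"issuer": "https://idp.example.test",
             "jwks_uri": "https://idp.example.test/.well-known/jwks.json"}
APP_ID = "passport-demo-client"                # constructed OIDC application (client) ID
IDP_KEY = b"constructed-demo-key-do-not-reuse"  # constructed shared signing key (HS256 for offline demo only)
IDP_USERS = {"alice": "Correct-Horse-Battery-Staple"}  # constructed IdP user directory


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mock_idp_authenticate(username, password, nonce, now):
    """Mocked IdP: returns a signed ID token if the SSO credentials are correct, else None."""
    if IDP_USERS.get(username) != password:
        return None
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": DISCOVERY["issuer"], "aud": APP_ID, "sub": username,
                                 "nonce": nonce, "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def validate_id_token(token, expected_nonce, now):
    """Checks the login window must make before trusting the IdP's approval."""
    head, body, sig = token.split(".")
    expected = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer does not match discovery document")
    if claims.get("aud") != APP_ID:
        raise ValueError("token not issued for this application")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class LocalAccounts:
    """Constructed stand-in for the Mac's local account store (salted PBKDF2 hashes)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def exists(self, user):
        return user in self._records

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, self._hash(password, salt))


def passport_style_login(accounts, username, password, now, provision_new_users=False):
    """One login attempt at the (simulated) login window; returns how it was resolved."""
    nonce = secrets.token_hex(8)  # fresh per request so a captured token cannot be replayed
    token = mock_idp_authenticate(username, password, nonce, now)
    if token is None:
        return "denied: IdP rejected credentials"
    claims = validate_id_token(token, nonce, now)  # raises ValueError on any failed check
    user = claims["sub"]
    if not accounts.exists(user):
        if not provision_new_users:
            return "denied: no local account and provisioning disabled"
        accounts.set_password(user, password)
        return "logged in: local account provisioned"
    if accounts.verify(user, password):
        return "logged in: local password already in sync"
    accounts.set_password(user, password)  # bring the Mac account back in sync with the IdP
    return "logged in: local password updated to match IdP"
```

Note the ordering: the local password is only rewritten after the token has passed every check, so a forged or replayed IdP response cannot be used to reset a Mac account password, which is the point of validating the audience and nonce rather than only the signature.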