At Apple, identity resilience supports future security


At Apple, maintaining the highest possible security and privacy across its platforms starts with the standards it supports. 

The company, known for its tight integration between hardware and software, deliberately makes choices that promote those priorities — even at the cost of integration with third-party software and services.

It is also true to say that Apple continues to improve and iterate its enterprise offerings. “It’s so great to see the momentum [around Macs in the enterprise],” Jeremy Butcher, who handles business product marketing at Apple, told me last month. “As you know, it’s very intentional.”

Understand the future, look to the past

Apple’s decision to remove kernel extension (kext) support back in 2020 is a perfect illustration. Way back then, the company decided kexts were a potential security problem and gave warning of its intention to remove support from macOS. Some developers complained about the removal — and then we later had the huge CrowdStrike disaster on Windows, which effectively justified Apple’s decision.

While the complaints about Apple’s decision certainly generated volume, and while it is true that the removal of kext support caused some developers problems, the result was improved security across Apple’s ecosystem.

Apple thinks the same way when it comes to identity management across its platforms. That’s because it knows identity is critical to evolving endpoint security architecture, and to build that, you must secure your platforms on the strongest available foundations — particularly for products that support its enterprise presence.

Identity, it’s the answer, don’t you see?

At WWDC 2025, Apple improved Platform Single Sign-On (Platform SSO), bringing PSSO authentication into Setup Assistant during Automated Device Enrollment. This shipped with macOS 26 only a few weeks ago. However, to take advantage of this implementation, identity providers must adopt a narrow set of modern standards, such as OAuth or OpenID Connect (OIDC). The idea is that for Identity Providers (IdPs, widely used in enterprise security) to deliver optimized platform support across Macs, they must support the latest standards.

That means they can’t rely on custom stacks, as Apple can’t necessarily ensure their security; instead, they must support Apple’s Extensible Single Sign-On (Extensible SSO) framework to deliver seamless sign-on.

The principle is that if you want to deploy the best possible Apple user experiences, you must align with the company’s decisions around supported frameworks.

Transition is an opportunity

This may all sound a little unfair, but Apple’s focus isn’t on being fair to IdPs, it’s about delivering consistently secure experiences for its users, and, as CrowdStrike showed, strong security cannot exist without strong foundations.

This can be tough news for some businesses, particularly those still enduring the slow but inevitable migration away from legacy platforms. During that transition it is inevitable that some companies will seek a middle ground between Apple’s implementation of SSO and the needs of their legacy platforms, even if Apple offers better experiences. Given the company’s track record of making solid security decisions, it seems to me likely to be only a matter of time until IdPs that don’t currently support Apple’s chosen APIs end up doing so.

Where we are today on that journey is an opportunity, of course. Many in the Apple-focused enterprise MDM space will reach out to companies at this point in their transition with compromise solutions that deliver some of what they need in terms of Apple SSO while also handling non-compliant technology.

That’s just good business. It’s a profit center for them and can also be seen as a positive reflection of the vibrancy of Apple’s wider enterprise ecosystem and its ability to shape itself to meet ever-emerging enterprise needs. 

Apple’s flexible ecosystem

There’s always going to be money to be made bridging the gap between the central Apple experience and third-party platforms, software, and services. That’s OK, of course, as it means the core Apple experience is maintained, and users like you and I can continue to rely on the platform delivering the best possible security experience. 

Apple’s decision to limit identity provider support to a narrow set of modern frameworks is causing consternation. But, eventually, most of those IdPs will dig a little deeper into their development investment and build solutions Apple can accept — it is important to note that the macOS release that supports the recent changes in Apple’s implementation has only been available for a matter of weeks. While we wait for them to catch up, there are plenty of Apple partners ready to help bridge the gap.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe. Also now on Mastodon.

At Apple, identity resilience supports future security – Computerworld