u/DogDeadByRaven

▲ 3 r/entra

Platform SSO and Compliance

I'm at a bit of a loss as to how to resolve my issue. We manage a bunch of Macs. They used to be domain bound, which was a legacy setup from years ago, and that was just a cluster. Constant issues with password syncs not working and users unable to patch due to secure token passwords not matching user password etc. Vulnerability nightmare for well over a year. So we moved MDMs and switched to using Mosyle Auth for Entra based SSO. Worked well and we have Conditional Access enabled. Sends Compliance info no issues. Now comes where the issues start. We enabled passwordless MFA (phish resistant MFA). Login process totally broke due to it attempting to use the Auth in place of a password, which macOS does not support. So users had to take multiple extra steps to get to password login and we had constant calls from users about not being able to get in.

So I went down the rabbit hole of Platform SSO instead with the Company Portal extension used for registration. The issue here is that Platform SSO joins the Mac to Entra. Which is step 1 of the setup process. Issue here is that if the device Entra Joins before it Registers it doesn't seem to actually register and so will never pass Compliance status to Entra. Every other part is in place. The login works, the password syncing works, you can see the icon in the menu bar for the account syncing, you go into settings and look under users & groups and see Platform SSO settings. Network Account Server shows Mac SSO Extension as Registered. I run app-sso platform -s and it verifies SSO tokens and all the registrations but still Entra has nothing but the base info and no compliance.

It's not a license issue as all our users have M365 E5 licenses. I'm at a loss as to how to make this all work. Seems like compliance works fine for registered only devices but not Entra joined. So stuck between a rock and a hard place. Either users can't log in and switch to local login or jump through extra steps to switch from auth login to password, or we can't get compliance status because the devices are now Entra Joined instead of registered.

Has anyone managed to get both Platform SSO and Partner Compliance Management integration working?

u/DogDeadByRaven — 1 day ago