Fix macOS Platform SSO Error 10001 in Intune
macOS Platform SSO error 10001: misconfiguration in the SSOe payload usually means the Mac received a Platform SSO profile, but the payload does not match what Apple’s SSO extension and Microsoft’s Company Portal expect. The device might show a registration prompt that never completes, a Setup Assistant sign-in flow that reports the SSO application is missing, or a profile status that looks healthy in Intune while the user still cannot register.
This is not the place to start deleting Mac records from Entra ID. Treat 10001 as a configuration and sequencing problem first. The fastest fix is to confirm the Intune settings catalog profile, remove competing SSO extension payloads, make sure Company Portal is current, and then force the device through a clean Platform SSO registration path.
Use this runbook when Platform SSO is being deployed to Intune-managed Macs with Secure Enclave, password sync, or smart card authentication and the registration flow fails with 10001 or closely related SSO extension behavior.
What error 10001 means
Microsoft documents 10001: misconfiguration in the SSOe payload as a common Platform SSO error. The two main causes are simple:
- A required setting is missing from the Intune settings catalog profile.
- A setting is configured that does not apply to the selected redirect type payload.
The trap is that admins often mix settings for macOS 13 and macOS 14 or newer. Platform SSO has different authentication settings across those versions. If you manage both macOS 13 Ventura and macOS 14 Sonoma or macOS 15 Sequoia, Microsoft says to use one settings catalog policy and configure the respective authentication settings in the same policy.
There is a second error that often appears in the same rollout: 10002: multiple SSOe payloads configured. That one means multiple SSO extension payloads are applying to the Mac. There should be only one extension profile on the device, and Microsoft expects that profile to be the settings catalog profile. If an older Device Features SSO app extension profile is still assigned, unassign it before you troubleshoot the user.
Platform SSO is delivered through the Microsoft Enterprise SSO plug-in in Company Portal. The Intune policy is only half of the deployment. If Company Portal arrives late, is outdated, or was installed in a broken state, the Mac can have the profile without the component that handles registration.
Quick fix checklist
Work through one affected Mac before changing broad production assignments.
- Confirm the failure text is 10001: misconfiguration in the SSOe payload.
- In Intune, open the Platform SSO settings catalog policy and verify the required SSO extension settings are present.
- Check whether you have macOS 13 and macOS 14 or later in the same target group. If yes, configure both version-specific authentication settings in the same policy.
- Remove any older SSO app extension profile created with the Device Features template.
- Confirm Company Portal for macOS is version 5.2404.0 or later. Newer is better.
- Confirm Company Portal is deployed as a required app before or with the Platform SSO profile, especially during Automated Device Enrollment.
- Make sure the registration token is exactly {{DEVICEREGISTRATION}}, including both sets of braces.
- Confirm the user is allowed to join devices to Microsoft Entra ID.
- Exempt Platform SSO registration and token endpoints from TLS inspection.
- Sync the Mac, remove and repair registration if needed, then test registration again.
If the Mac is in Setup Assistant and says the single sign-on application is missing, do not assume the profile is wrong. Microsoft documents a timing condition where the management profile can arrive while Company Portal is still downloading or installing. Retry after Company Portal arrives.
Validate the Intune Platform SSO profile
Start in the Intune admin center:
Intune admin center > Devices > macOS > Configuration > select the Platform SSO policy
The policy should be a settings catalog profile, not only an older SSO app extension profile. Microsoft recommends configuring Platform SSO through the settings catalog and then unassigning any existing SSO app extension profiles created with the Device Features template once the settings catalog policy is working.
Check these items first:
| Setting area | What to verify |
|---|---|
| Extension Identifier | The policy targets Microsoft’s Enterprise SSO extension delivered by Company Portal. |
| Registration Token | The value is {{DEVICEREGISTRATION}}. Missing braces break registration. |
| Authentication Method | macOS 14 and later use the Platform SSO authentication method setting. macOS 13 uses the deprecated authentication method setting. |
| Token to User Mapping | Account name and full name mapping are present. Microsoft recommends com.apple.PlatformSSO.AccountShortName or preferred_username for account name, and name for full name. |
| FileVault Policy | If you use password authentication on macOS 15 or later, review the FileVault policy guidance before testing. |
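The table above and the macOS 13 versus macOS 14 trap described earlier are exactly the kind of checks worth automating before a policy is assigned. The following is an added example for this runbook, not Microsoft's or Intune's own code: a small lint function over a dictionary that mirrors the setting names used in this article. The dictionary layout, the authentication method spellings, and the expected extension identifier (taken from Microsoft's Platform SSO guidance rather than from this page) are assumptions; map your own settings-catalog export onto these keys and confirm the identifier against your policy.

```python
"""Pre-flight lint for an Intune Platform SSO settings-catalog profile.

Added example for this runbook, not Microsoft's or Intune's own code. The dict
layout is an assumption that mirrors the setting names used in the text, not
the schema of a real settings-catalog export; map your export onto these keys.
"""

REGISTRATION_TOKEN = "{{DEVICEREGISTRATION}}"
# Claims Microsoft recommends for the token-to-user mapping.
ACCOUNT_NAME_CLAIMS = {"com.apple.PlatformSSO.AccountShortName", "preferred_username"}
FULL_NAME_CLAIM = "name"
# Extension identifier of the Enterprise SSO extension shipped in Company Portal
# (from Microsoft's Platform SSO guidance, not from this runbook; verify it
# against the value in your policy).
EXPECTED_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
# Authentication method names as spelled in this example (assumed spelling).
AUTH_METHODS = {"UserSecureEnclaveKey", "Password", "SmartCard"}


def lint_platform_sso(payload, target_majors):
    """Return human-readable findings; an empty list means the payload passes.

    payload       -- the profile's settings (see SAMPLE_GOOD below)
    target_majors -- macOS major versions in the assignment group, e.g. {13, 14, 15}
    """
    findings = []

    # Platform SSO rides on a Redirect-type extension payload; settings that do
    # not apply to that payload type are one of the two documented 10001 causes.
    if payload.get("extension_type") != "Redirect":
        findings.append("extension type must be Redirect for Platform SSO")
    if payload.get("extension_identifier") != EXPECTED_EXTENSION_ID:
        findings.append("extension identifier does not target the Company Portal SSO extension")

    token = payload.get("registration_token", "")
    if token != REGISTRATION_TOKEN:
        findings.append("registration token must be exactly %s, got %r" % (REGISTRATION_TOKEN, token))

    # macOS 13 uses the deprecated authentication setting, macOS 14 and later
    # the Platform SSO authentication method. When both OS generations share a
    # target group, both settings belong in this one policy.
    wants_13 = 13 in target_majors
    wants_14_plus = any(v >= 14 for v in target_majors)
    method13 = payload.get("authentication_method_macos13")
    method14 = payload.get("platform_sso_authentication_method")
    if wants_13 and method13 not in AUTH_METHODS:
        findings.append("macOS 13 targeted but the macOS 13 authentication method is missing")
    if wants_14_plus and method14 not in AUTH_METHODS:
        findings.append("macOS 14+ targeted but the Platform SSO authentication method is missing")

    mapping = payload.get("token_to_user_mapping", {})
    if mapping.get("account_name") not in ACCOUNT_NAME_CLAIMS:
        findings.append("account name mapping should be com.apple.PlatformSSO.AccountShortName or preferred_username")
    if mapping.get("full_name") != FULL_NAME_CLAIM:
        findings.append("full name mapping should be the 'name' claim")

    # Password authentication on macOS 15+ needs the FileVault policy reviewed first.
    if method14 == "Password" and any(v >= 15 for v in target_majors):
        findings.append("password method with macOS 15+ in scope: review the FileVault policy guidance")
    return findings


# Constructed sample profile that should pass for a mixed macOS 13/14/15 group.
SAMPLE_GOOD = {
    "extension_type": "Redirect",
    "extension_identifier": EXPECTED_EXTENSION_ID,
    "registration_token": "{{DEVICEREGISTRATION}}",
    "authentication_method_macos13": "UserSecureEnclaveKey",
    "platform_sso_authentication_method": "UserSecureEnclaveKey",
    "token_to_user_mapping": {"account_name": "preferred_username", "full_name": "name"},
}
# Constructed broken profile: braces stripped from the token, and the macOS 13
# setting omitted although macOS 13 Macs are in the same group.
SAMPLE_BROKEN = dict(SAMPLE_GOOD, registration_token="DEVICEREGISTRATION")
del SAMPLE_BROKEN["authentication_method_macos13"]

if __name__ == "__main__":
    for name, profile in (("good", SAMPLE_GOOD), ("broken", SAMPLE_BROKEN)):
        print(name, lint_platform_sso(profile, {13, 14, 15}) or ["OK"])
```

Run it with the set of macOS major versions actually present in the assignment group; passing {14} for a 13-plus-14 group hides the missing macOS 13 setting, which is the mistake the article warns about.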
For most enterprise deployments, Secure Enclave is the better authentication method. Microsoft describes it as passwordless and phishing-resistant. It leaves the local Mac username and password unchanged, then obtains a hardware-backed Primary Refresh Token after the user signs in to the device. Password authentication can reduce password confusion, but it also makes Intune and Entra password policy mismatches much more painful.
If you choose password authentication, compare Microsoft Entra password policy, Intune password policy, macOS local password policy, and compliance password requirements. Microsoft documents a known issue where local MDM password complexity is higher than the Microsoft Entra account’s password requirements. In that case, password synchronization can fail and the user can be denied access.
Remove conflicting SSO payloads
Error 10002 is explicit about profile conflicts, but conflicts can also confuse a 10001 investigation. Look for any older SSO app extension profile assigned through this path:
Intune admin center > Devices > macOS > Configuration profiles
Search for profiles that configure Enterprise SSO, Extensible SSO, redirect payloads, or app extension SSO. If you created a Platform SSO profile in the settings catalog, the older Device Features SSO app extension profile should not still target the same Mac.
On the device, validate the installed profiles:
System Settings > Privacy & Security > Profiles
Open the Platform SSO profile. You should see the com.apple.extensiblesso profile and the settings you expect, including the authentication method. If two SSO extension payloads exist, remove the older assignment in Intune rather than manually deleting profiles from one Mac. Manual deletion proves the theory, but it does not fix the assignment blast radius.
Give Intune time to update the device. Then run a device sync from Company Portal or the Intune admin center. If the profile state is stuck, collect logs before wiping the Mac. The failure pattern is valuable.
Confirm Company Portal and registration timing
Company Portal is not optional for Platform SSO in this deployment model. Microsoft states that Company Portal for macOS version 5.2404.0 or newer includes Platform SSO. If an older version is installed, Platform SSO fails.
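The two device-side facts from this section and the previous one, how many SSO extension payloads are installed and whether Company Portal is at least 5.2404.0, can be checked in one pass. The script below is an added example for this runbook, not Microsoft's or Apple's tooling. Its parsing functions are pure so they can be run against captured output anywhere; on the affected Mac, main() collects live output with `profiles` and `defaults`. The line layout that sso_profiles() expects is an assumption based on the constructed sample in the block; adjust the regexes if your `profiles` output differs.

```python
"""Device-side triage for a Mac reporting Platform SSO error 10001 or 10002.

Added example for this runbook, not Microsoft's or Apple's tooling. The parsing
functions are pure so they can run anywhere against captured output; on the
affected Mac, main() collects live output with `profiles` and `defaults`. The
line layout expected by sso_profiles() is an assumption based on the constructed
sample below; adjust the regexes if your `profiles` output differs.
"""
import platform
import re
import subprocess

MIN_COMPANY_PORTAL = "5.2404.0"  # first Company Portal version that includes Platform SSO
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
COMPANY_PORTAL_INFO = "/Applications/Company Portal.app/Contents/Info"


def version_tuple(v):
    """'5.2404.0' -> (5, 2404, 0); ignores any non-numeric suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def company_portal_is_current(installed):
    """True when the installed Company Portal is at or above the minimum version."""
    return version_tuple(installed) >= version_tuple(MIN_COMPANY_PORTAL)


def sso_profiles(profiles_output):
    """Return identifiers of installed profiles that carry an SSO extension payload.

    Each line is expected to start with a profile index such as `_computerlevel[2]`;
    the identifier comes from an `attribute: profileIdentifier:` line, and a payload
    line mentioning com.apple.extensiblesso marks that profile as an SSO profile.
    """
    idents, hits = {}, set()
    for line in profiles_output.splitlines():
        m = re.match(r"\s*(\S+\[\d+\])\s+(.*)", line)
        if not m:
            continue
        index, rest = m.groups()
        ident = re.match(r"attribute:\s*profileIdentifier:\s*(\S+)", rest)
        if ident:
            idents[index] = ident.group(1)
        if SSO_PAYLOAD_TYPE in rest:
            hits.add(index)
    return sorted(idents.get(i, i) for i in hits)


def triage(profiles_output, company_portal_version):
    """Map the device facts to the runbook branch to follow."""
    findings = []
    sso = sso_profiles(profiles_output)
    if not sso:
        findings.append("no SSO extension profile installed: check the Intune assignment and sync the Mac")
    elif len(sso) > 1:
        findings.append("multiple SSO extension profiles (%s): unassign the older Device Features profile in Intune"
                        % ", ".join(sso))
    if not company_portal_is_current(company_portal_version):
        findings.append("Company Portal %s is older than %s: update it before re-registering"
                        % (company_portal_version, MIN_COMPANY_PORTAL))
    return findings


# Constructed sample: one settings catalog profile, one leftover Device Features
# profile, both carrying an SSO extension payload, plus an unrelated Wi-Fi profile.
SAMPLE_PROFILES = """\
_computerlevel[1] attribute: name: Platform SSO (settings catalog)
_computerlevel[1] attribute: profileIdentifier: com.example.psso.catalog
_computerlevel[1] payload count = 1
_computerlevel[1]           payload[1] type  = com.apple.extensiblesso
_computerlevel[2] attribute: name: SSO app extension (Device Features)
_computerlevel[2] attribute: profileIdentifier: com.example.sso.devicefeatures
_computerlevel[2] payload count = 1
_computerlevel[2]           payload[1] type  = com.apple.extensiblesso
_computerlevel[3] attribute: name: Wi-Fi
_computerlevel[3] attribute: profileIdentifier: com.example.wifi
_computerlevel[3] payload count = 1
_computerlevel[3]           payload[1] type  = com.apple.wifi.managed
"""


def main():
    if platform.system() != "Darwin":
        print("Not macOS; running against the constructed sample instead.")
        out, ver = SAMPLE_PROFILES, "5.2403.2"
    else:
        # Computer-level profiles are only listed when run as root (sudo).
        out = subprocess.run(["profiles", "show", "-type", "configuration"],
                             capture_output=True, text=True).stdout
        ver = subprocess.run(["defaults", "read", COMPANY_PORTAL_INFO, "CFBundleShortVersionString"],
                             capture_output=True, text=True).stdout.strip()
    for finding in triage(out, ver) or ["no profile or Company Portal issue found"]:
        print(finding)


if __name__ == "__main__":
    main()
```

When the script reports more than one SSO profile, fix it in Intune by unassigning the older profile rather than deleting it on the Mac, for the blast-radius reason given above.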
For Automated Device Enrollment, timing matters. A common failure looks like this:
Unable to sign in: Single sign-on application is missing
Microsoft explains that the profile and Company Portal installation can arrive in separate enrollment steps. The management profile can already be present while Company Portal is still downloading. If the user sees this in Setup Assistant, the first action is to retry after Company Portal arrives. If it repeats, review the app deployment and enrollment sequence.
For existing enrolled Macs, deploy Company Portal as a required app and confirm install status before assigning Platform SSO to a large production group. For new Macs, precreate the required app, ADE enrollment profile, and Platform SSO profile before devices enroll.
If Company Portal was updated or installed under odd conditions and Chrome SSO does not work, Microsoft documents a Company Portal reinstall workflow for the browser native messaging file issue. Remove Company Portal, download the current installer, reinstall it, and then restore the browser core JSON file if required. That is a browser SSO fix, not the default fix for every Platform SSO error, but it is useful when registration works and Chrome SSO does not.
Check Entra permissions, MFA, and network inspection
A Mac can receive the Intune profile and still fail registration if Entra device registration is blocked for the user. Microsoft calls out an awkward symptom: if the user has insufficient permissions to complete Microsoft Entra ID join and registration, no error message is shown.
Check the setting here:
Microsoft Entra admin center > Entra ID > Devices > Overview > Device Settings
Under Microsoft Entra ID join and registration settings, verify that the affected users are allowed to join devices to Microsoft Entra. If you restrict registration to selected groups, confirm the test user is in scope and has received the group membership change.
MFA matters too. Microsoft documents that per-user MFA can cause password sync failure during Platform SSO setup. For Platform SSO deployment, use Conditional Access MFA instead of legacy per-user MFA. This is especially important if you picked the password authentication method.
Network inspection is another quiet blocker. Microsoft specifically notes that Platform SSO registration and token acquisition or refresh URLs must be allowed and exempted from TLS interception. If a Mac works on a home network but fails on the corporate network, inspect proxy and TLS inspection policy before changing the SSO profile again.
Repair or re-register the Mac
After the policy is corrected, decide whether the Mac needs a repair or a full removal.
On macOS 14 Sonoma and later, Microsoft documents a repair option:
System Settings > Users & Groups > Network Account Server > Edit > Repair
The user is taken through the same registration flow as the initial registration. Use this when the profile is now correct but registration is damaged.
For macOS 13 Ventura, Microsoft points admins to Company Portal removal from the organization when the device registration has problems or needs deregistration. That is more disruptive, so verify policy and assignment first.
There is also a macOS 15 Sequoia re-registration issue to know about. Microsoft documents a known concurrency issue where AppSSOAgent and AppSSODaemon could corrupt the Platform SSO device configuration. Affected sysdiagnose logs can show:
Error Domain=com.apple.PlatformSSO Code=-1001 "Error deserializing device config."
Microsoft notes that Apple confirmed the fix is deployed in macOS 15.3. If users still see frequent re-registration prompts on macOS 15.3 or later, collect sysdiagnose logs and engage Apple support rather than repeatedly rebuilding the Intune profile.
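Because the sysdiagnose and Company Portal logs collected in this section are the evidence that decides between a profile fix and an Apple escalation, it helps to classify the known error strings mechanically. The following is an added example for this runbook, not Microsoft's or Apple's tooling: it matches the four error strings quoted in this article and applies the macOS 15.3 threshold to the -1001 case. The sample log lines, timestamps and process names are constructed; only the error strings themselves come from the text.

```python
"""Classify Platform SSO log lines into the runbook branch they point to.

Added example for this runbook, not Microsoft's or Apple's tooling. The sample
log lines are constructed; only the error strings quoted in the text are real.
Sysdiagnose and Company Portal logs wrap them in timestamps and process names,
which the matcher ignores.
"""
import re

APPLE_FIX_LEVEL = (15, 3)  # macOS 15.3 carries Apple's fix for the -1001 corruption

# Patterns for the error strings this runbook covers, checked in this order.
RULES = [
    (re.compile(r"\b10001\b.*misconfiguration in the SSOe payload"), "payload"),
    (re.compile(r"\b10002\b.*multiple SSOe payloads"), "duplicate-profiles"),
    (re.compile(r"Domain=com\.apple\.PlatformSSO Code=-1001"), "device-config"),
    (re.compile(r"Single sign-on application is missing"), "company-portal-timing"),
]

ACTIONS = {
    "payload": "10001: lint the settings catalog profile (token, OS-specific auth method, mapping)",
    "duplicate-profiles": "10002: unassign the older Device Features SSO extension profile",
    "company-portal-timing": "Setup Assistant: retry once Company Portal has installed",
}


def version_tuple(v):
    """'15.3.1' -> (15, 3, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def classify(line):
    """Return the branch label for one log line, or None if it is unrelated."""
    for pattern, branch in RULES:
        if pattern.search(line):
            return branch
    return None


def next_actions(lines, macos_version):
    """Collapse a batch of log lines into the ordered list of actions to take."""
    branches = sorted({b for b in map(classify, lines) if b})
    actions = []
    for branch in branches:
        if branch == "device-config":
            # Below Apple's fix level the answer is an OS update; at or above it,
            # the runbook says to collect sysdiagnose and engage Apple support.
            if version_tuple(macos_version) < APPLE_FIX_LEVEL:
                actions.append("-1001: update to macOS 15.3 or later, then re-register")
            else:
                actions.append("-1001 on %s: collect sysdiagnose and engage Apple support" % macos_version)
        else:
            actions.append(ACTIONS[branch])
    return actions


# Constructed sample lines (timestamps and process names are made up).
SAMPLE_LOG = [
    "2025-01-10 09:12:01 AppSSOAgent: Error Domain=com.apple.PlatformSSO Code=-1001 \"Error deserializing device config.\"",
    "2025-01-10 09:12:05 CompanyPortal: registration failed, 10001: misconfiguration in the SSOe payload",
    "2025-01-10 09:12:06 CompanyPortal: token acquired for resource",
]

if __name__ == "__main__":
    for action in next_actions(SAMPLE_LOG, "15.2"):
        print(action)
```

Feed it the relevant lines grepped out of the sysdiagnose bundle together with the Mac's OS version; a -1001 hit on macOS 15.3 or later is the signal to stop rebuilding the Intune profile and escalate with the logs attached.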
Practical workflow for one broken device
Use this order for a live ticket.
1. Confirm the assigned profiles
In Intune, open the device record and review configuration profile status. Note the Platform SSO policy name, last check-in, and whether any older SSO extension profile is also assigned.
On the Mac, check Profiles under Privacy & Security. Confirm whether one or multiple SSO profiles exist.
2. Confirm Company Portal
Check the installed Company Portal version. If it is older than 5.2404.0, update it. If the device is in ADE, confirm Company Portal is targeted as a required app and not waiting behind another blocking app assignment.
3. Confirm the exact payload
Open the settings catalog profile and check the registration token, authentication method, token mapping, and OS-version-specific settings. Do not create separate competing profiles for macOS 13 and macOS 14 if the same device can receive both.
4. Confirm identity and network prerequisites
Verify Entra device registration permissions, move users away from per-user MFA if password sync is involved, and test from a network path without TLS inspection if registration fails only in one location.
5. Repair registration
After the profile and prerequisites are fixed, use Repair on macOS 14 or later. If the device is macOS 13 or badly wedged, remove the registration using Company Portal and re-register.
6. Collect logs before destructive action
If it still fails, send a Company Portal diagnostic report:
Company Portal > Help > Send diagnostic report
For Setup Assistant failures, Microsoft documents using Terminal from macOS Recovery to collect sysdiagnose output and Company Portal logs. Capture those before wiping the device, especially if this is a repeatable ADE issue.
Limitations and caveats
Do not promise users that Secure Enclave Platform SSO replaces every local password prompt. After reboot, the user still enters the local account password to access the Mac. Touch ID can be used after that first sign-in. FileVault is one reason the local password still matters.
Do not enable the User Secure Enclave Key biometric policy without checking hardware. Microsoft notes that there is no password fallback for authenticating with the user Secure Enclave key. Users need Touch ID or supported biometric hardware. Enabling the policy after registration also requires admin-driven re-registration.
Do not ignore temporary passwords. Microsoft says temporary passwords issued during reset cannot be synced to the local device. Users should complete the password reset process and use the new password for the Mac workflow.
Do not turn every registration issue into a wipe. Wiping hides whether the cause was profile conflict, stale Company Portal, Entra registration scope, MFA method, or TLS inspection.
Conclusion
10001 is usually an Intune Platform SSO payload problem, not a mystery Mac failure. Start with the settings catalog profile, OS-specific authentication settings, and the {{DEVICEREGISTRATION}} token. Then remove duplicate SSO extension profiles, confirm Company Portal is new enough, and check Entra registration permissions.
Once the policy path is clean, repair the Platform SSO registration on macOS 14 or later, or remove and re-register on macOS 13. If macOS 15 devices keep prompting after the known Apple fix level, collect sysdiagnose and Company Portal logs before you escalate. That evidence is the difference between a one-device workaround and a real fleet fix.