The Crossing's Mosyle-targeted complement to Scott Kendall's
Microsoft-Platform-SSO
(which is Jamf-Pro-focused). Currently contains one script — a per-user,
per-login auto-enabler for two Microsoft Company Portal pluginkit extensions
(SSO + Autofill) — with room to grow as we incorporate more of Scott's
PSSO-related tooling for Mosyle environments.
scripts/EnforcePortalAutofill.sh — a
Mosyle Custom Command that auto-enables Company Portal's SSO and Autofill
extensions for the signed-in user on every login. Both default to off on
Company Portal install, both live behind System Settings → Extensions →
Sharing & Actions, and users almost never toggle them on manually. This
script does both, in the user's session context, at every sign-in.
Posture: polish, not prerequisite. Platform SSO + Entra join + sign-in has been observed to work smoothly on The Crossing's greenfield ADE devices (three intern Macs, 2026-05) without this script in place. Treat this as a quality-of-life / safety-net measure that aligns the user's System Settings panel with documented best-practice configuration, not as a PSSO blocker.
This is a derivative work of Scott Kendall's
Enforce Portal AutoFill.sh,
part of the Microsoft-Platform-SSO
repository. Scott himself describes the script as a "neat little trick" for
the Autofill panel — same posture we've adopted here.
Scott's v1.0.0 → v1.0.3 is the helper itself. The Crossing's v2.0.0 adapts it
for Mosyle (Scott's repo is Jamf-Pro-focused), adds soft-skip semantics
appropriate for "every user sign-in" cadence, and bakes in lessons from prior
Mosyle work (bash -c interpreter pinning, fd-split for the Custom Device
Attribute, structured response format).
License: GPL-3.0-or-later, inherited from upstream. See LICENSE.

| Bundle ID | Purpose | Relationship to PSSO |
|---|---|---|
| `com.microsoft.CompanyPortalMac.ssoextension` | SSO extension | The user-session SSO extension the legacy "Extensible SSO" model used. Empirically not required for modern Platform SSO with Secure Enclave to function on greenfield ADE devices in our environment. Recommended on for documented-config alignment. |
| `com.microsoft.CompanyPortalMac.Mac-Autofill-Extension` | Autofill extension | Surfaces Microsoft work credentials into macOS / Safari autofill on Microsoft-authenticated sites and apps. Not a PSSO dependency in any model. UX improvement. |

| File | Purpose |
|---|---|
| `scripts/EnforcePortalAutofill.sh` | The script Mosyle runs. Paste the contents into a Mosyle Custom Command. |
| `LICENSE` | GPLv3 license (inherited from upstream). |
| `docs/EnforcePortalAutofill_v2.0_history.html` | Full session history / decisions / rationale. Read this first before changing the script. |

- Custom Commands → Add new.
- Paste the entire contents of `EnforcePortalAutofill.sh` into the Code tab.
- Execution Settings:
  - Execute command: `Only based on schedule or events`
  - Event: ☑ `Every user sign-in` (leave the others unchecked)
- (Optional) Make the command response a Custom Device Attribute. The
  script sends a single short summary line, e.g. `result=ok;sso=ok;autofill=ok`.
- Target: the user groups that should have Company Portal extensions
  enforced (currently `Apple Testers` and `Apple Early Adopters`; full rollout to `Apple 1:1 Staff` after validation).
- The Company Portal install profile should target the same user groups so timing/scope match.

One line, sent to Mosyle's captured stdout (fd 3 in the script). Format:

```
result=<ok|partial|skipped|fail>;sso=<ok|missing|fail>;autofill=<ok|missing|fail>[;reason=<short>]
```

| Scenario | Response |
|---|---|
| Both extensions enabled | `result=ok;sso=ok;autofill=ok` |
| One extension not yet registered | `result=partial;sso=ok;autofill=missing` |
| Company Portal not installed | `result=skipped;reason=app-not-installed` |
| No console user at trigger time | `result=skipped;reason=no-console-user` |
| `pluginkit -e use` failed | `result=fail;sso=fail;autofill=ok` |

If Company Portal isn't installed yet (separate Mosyle profile pushes it), or
its extensions haven't registered with pluginkit yet (Company Portal must
run once in the user session before they appear), the run is a no-op that
exits 0 and retries on the next sign-in. Once both are enabled, subsequent
runs are no-ops with a single "already enabled" log line per extension.
Full per-run log: /var/log/PortalAutofill.log (root-readable). Each run
appends a timestamped block; the response line is the last log entry.
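
The split between the one-line response and the per-run log can be sketched as follows. This is an added example, not the project's `EnforcePortalAutofill.sh`: the function names `summarize` and `run_split` are hypothetical, the extension states are passed in as arguments rather than read from `pluginkit`, and the result rule for combinations the table above does not list is an assumption.

```bash
#!/bin/sh
# Added example, not the project's EnforcePortalAutofill.sh.
# Extension states are passed in as arguments (constructed input); the real
# script determines them with pluginkit.

# Build the response line from the two per-extension states.
# Assumed rule: any "fail" -> fail; otherwise any "missing" -> partial; else ok.
summarize() {
    _sso=$1; _af=$2; _result=ok
    for _s in "$_sso" "$_af"; do
        case $_s in
            ok) ;;
            missing) [ "$_result" = fail ] || _result=partial ;;
            fail) _result=fail ;;
            *) return 2 ;;  # state outside the documented set
        esac
    done
    printf 'result=%s;sso=%s;autofill=%s\n' "$_result" "$_sso" "$_af"
}

# Run one pass with the fd-split: fd 3 keeps the caller's stdout (what the
# MDM captures), while fd 1 and fd 2 are redirected to the log file.
run_split() {
    _log=$1; shift
    (
        exec 3>&1
        exec 1>>"$_log" 2>&1
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') run start ==="
        echo "sso state: $1"
        echo "autofill state: $2"
        _line=$(summarize "$1" "$2") || exit 1
        echo "$_line"       # response line is the last log entry
        echo "$_line" >&3   # the only bytes that reach captured stdout
    )
}

# Demo with a throwaway log file instead of /var/log/PortalAutofill.log.
demo_log=$(mktemp)
run_split "$demo_log" ok missing   # prints result=partial;sso=ok;autofill=missing
rm -f "$demo_log"
```
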

Quickest sanity check on a Mac with Company Portal installed:

```bash
# Reset both extensions to disabled (as yourself, not sudo)
pluginkit -e ignore -i com.microsoft.CompanyPortalMac.ssoextension
pluginkit -e ignore -i com.microsoft.CompanyPortalMac.Mac-Autofill-Extension
# Run the way Mosyle will
sudo bash -c "$(cat EnforcePortalAutofill.sh)"
# Confirm both now show '+' (enabled)
pluginkit -m | grep -i companyportal
```

stdout should be exactly one short line. If you see lots of log lines on stdout, the fd-split is broken — see the HTML history doc for the underlying pattern.

Full four-layer testing progression (local bash -c simulation → forced-branch
tests → Mosyle Self-Service dry-run → real login trigger on one
device) is documented in the HTML history doc.

Scott's repo includes two other small scripts that may be useful future companions, but neither is adopted by The Crossing as of v2.0.0:
- `Open System Setting SSO User.sh` — two-line utility that opens System Settings to the current user's pane (useful for self-service "open the SSO repair screen" buttons).
- `Verify Device Compliance via Extensible SSO and Platform SSO.sh` — Jamf-specific (calls `Jamf Conditional Access` binaries directly); would need substantial rewriting for Mosyle.

- Upstream script (v1.0.0–v1.0.3): Scott Kendall, via the Microsoft-Platform-SSO repository.
- v2.0.0 Mosyle adaptation: Shawn Ross at The Crossing, with Claude Opus 4.7 (Claude Code) pair-programming, 2026-05-27 → 2026-05-28.
- License: GPL-3.0-or-later. See LICENSE.