All you need to know about Windows Hello for Business + Apple Platform SSO for IT
Windows Hello for Business is a certificate-based login method for Windows and Azure. The certificate's private key is stored in the trusted platform module (TPM) and is unlocked with biometrics or a PIN. The device/TPM is something you have and the fingerprint/PIN is something you know. This is one of the most secure login methods available, and it is also a better user experience, as the user has to enter their password or respond to MFA significantly less often.
Platform SSO is the Apple equivalent of WH4B. It stores the certificate in the Secure Enclave and also adds 'device compliance' state to Apple devices.
Combined, these two address 2 of the top 3 security risks in our environment.
Windows Hello for Business (WH4B) tips for Helpdesk
- WH4B enrolment occurs when a user logs in
- If a user already has Hello for Business enabled (fingerprint/PIN sign-in works, but not for Azure login), run this command to wipe the existing Hello for Business container and allow enrolment of WH4B: certutil.exe -DeleteHelloContainer
- Enrolment can only happen on premise
- Once enrolment is complete, WH4B takes over the MFA process for most SSO services; the user should rarely be prompted for MFA
- When the user logs in (with PIN, fingerprint or face), this essentially is the MFA login to Office 365
- WH4B is phishing-resistant MFA; it can't be intercepted by hackers
- The biggest caveat is Remote Desktop login. While fingerprint/PIN/face appear as login methods in Remote Desktop, they don't work. The user needs to select user login and use their email address as the username.
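As an added helpdesk aid (not part of the original note), this PowerShell script parses the output of dsregcmd /status and reports the WH4B-relevant fields. It must be run in the affected user's own, non-elevated session, because the user and SSO sections describe the signed-in user. The field names are the ones dsregcmd prints; the "reset candidate" rule at the end is an assumption that maps onto the symptom in the tip above, not a Microsoft-documented check.

```powershell
# Added example: summarise Windows Hello for Business state from dsregcmd /status.
# Run as the affected user (not elevated) so the User State / SSO State sections apply.

function Get-DsregStatus {
    # Turn every "Key : Value" line of dsregcmd /status into a hashtable entry.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-WhfbReadiness {
    param([hashtable]$State)
    # Fields as printed by dsregcmd; YES/NO values are compared case-sensitively as printed.
    $checks = [ordered]@{
        'Azure AD joined (AzureAdJoined)'   = $State['AzureAdJoined'] -eq 'YES'
        'Domain joined (DomainJoined)'      = $State['DomainJoined']  -eq 'YES'
        'Hello container present (NgcSet)' = $State['NgcSet']        -eq 'YES'
        'Azure AD PRT present (AzureAdPrt)' = $State['AzureAdPrt']   -eq 'YES'
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Host "[$mark] $name"
    }
    # Assumption: a Hello container that exists while the user has no Azure AD PRT
    # matches the "PIN works locally but not for Azure login" symptom in the tip above.
    if ($checks['Hello container present (NgcSet)'] -and -not $checks['Azure AD PRT present (AzureAdPrt)']) {
        Write-Warning ('Hello container exists but no Azure AD PRT: candidate for ' +
            '"certutil.exe -DeleteHelloContainer", then sign out and back in on premise to re-enrol.')
    }
    return $checks
}

$status = Get-DsregStatus
Test-WhfbReadiness -State $status | Out-Null
```

If "Domain joined" fails, the user is not on premise and enrolment will not proceed until they are, which matches the "on premise only" tip above.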
Platform SSO tips for Helpdesk
- Company Portal app must be installed, but never needs to be opened
- If the login prompt doesn't pop up (this can happen with an external monitor attached), click on the date & time in your Mac's menu bar to open Notification Centre and it should be waiting there
- After the enrolment process is complete, the device must be rebooted before it's activated
- Enrolment can only happen on premise
- Platform SSO takes over login for most SSO services; the user should rarely be prompted for MFA
- Platform SSO is phishing-resistant MFA; it can't be intercepted by hackers
- Platform SSO enables automatic login to some Windows systems like file shares
- Reset Platform SSO by going to Settings > Users & Groups > 'i' on username > Registration Repair