
Fewer Passwords, Fewer Tickets: How Kandji Passport Delivers a Better Login Experience

Kandji Team

Welcome to our latest Demo Day recap, where we explore how Kandji Passport transforms the Mac login experience by allowing users to authenticate with their identity provider credentials. In this session, Solutions Engineer Jim Quilty demonstrated how Passport reduces password-related friction for both users and IT teams while supporting security goals.

Here’s what you need to know about how Passport works, what problems it solves, and how to set it up for your team.

What is Kandji Passport?

Kandji Passport is a native component of the Kandji agent that replaces the default macOS login window with one that authenticates against your identity provider. It synchronizes the identity provider password with the local account, creating a seamless experience for users while maintaining security.

Passport works with several leading identity providers:

  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • OneLogin
  • Google Workspace

The solution is flexible enough to work with both new computers going through automated device enrollment and existing computers with established user accounts.

Key Benefits of Passport

For End Users

  • Simplified Login Experience: Users can access their Mac using the same credentials they use for other company resources
  • Reduced Password Management: Fewer passwords to remember means fewer forgotten password tickets
  • Self-Service Password Resets: Users can update their own credentials without IT involvement

For IT Administrators

  • Streamlined Onboarding: Automatically creates user accounts at first login or merges with existing accounts
  • Enhanced Security Options: Support for multi-factor authentication at login and options to enforce identity provider authentication
  • Centralized Management: Configure and deploy through the Kandji web app for consistent implementation across your organization
  • Reduced Support Burden: Fewer password-related tickets and simplified credential management

Passport in Action: User Experience

First-Time Setup with Automated Device Enrollment (ADE)

When a new Mac is enrolled through ADE with Passport configured in the blueprint:

  1. The Kandji agent installs immediately and takes over the login window
  2. The user is directed to the Passport login window after enrollment
  3. The user enters their identity provider credentials
  4. Passport validates the credentials and creates a new local account
  5. The user is logged in and ready to work

This process eliminates the traditional account setup steps, making deployment faster and more consistent.

Merging with Existing Accounts

For organizations deploying Passport to an existing fleet, the account merge feature preserves user settings and data:

  1. When Passport is deployed to a computer with existing accounts, users see the Passport login window after logout or restart
  2. Users authenticate with their identity provider credentials
  3. Passport prompts them to merge with an existing local account
  4. After providing their current local password, the accounts are linked
  5. The local password is updated to match the identity provider password

This approach ensures a smooth transition without disrupting user workflows or requiring profile migration.

Multi-Factor Authentication Support

When using the web login configuration, Passport supports the multi-factor authentication methods your identity provider presents in its sign-in flow, including:

  • Push notifications
  • Security questions
  • One-time codes

This enforces your identity provider's authentication policy at the login window itself rather than only after the user reaches the desktop. Note that the Mac native login validates the password alone against the identity provider, so MFA cannot be enforced there; if MFA at login is a requirement, choose the web login.

Self-Service Password Updates

Passport makes password management easier for users:

  1. The user opens the password reset URL from the Kandji menu bar item
  2. The user completes the identity provider's password reset process
  3. Passport detects that the identity provider password no longer matches the local one
  4. The user is prompted to enter the new password so the local account password is updated to match

This self-service approach reduces IT tickets while keeping credentials in sync across systems.

Configuring Passport: Administrator Experience

Setting up Passport is straightforward through the Kandji web app:

  1. Navigate to the Library and add a new Passport library item
  2. Select your identity provider from the supported options
  3. Enter the identity provider URL and client ID from your IdP application
  4. Choose between the Mac native login or web login experience
  5. Configure user provisioning settings:
    • Account type (standard or administrator)
    • Account merge behavior
    • Access restrictions
  6. Customize the login window with your organization's branding
  7. Add a self-service password reset URL
  8. Configure the help window with support information

Once saved and added to your blueprints, Passport takes over the login window the next time the Kandji agent checks in.
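Once the agent has checked in, you can confirm from a terminal that the login window is no longer the stock one. On macOS, a replacement login window is registered as an authorization plugin mechanism in the system.login.console right; this is how third-party login windows in general work. The following script is an added example and not Kandji's code: it reads that right with security authorizationdb read, pulls the mechanism list out of the returned plist, and prints any mechanism that is not one of Apple's own. It assumes Passport registers itself the same way; the page does not name Passport's mechanisms, so nothing vendor-specific is matched. The embedded plist is a constructed sample used when the script is run off a Mac, and ExampleVendor:check,privileged in it is a placeholder, not a real mechanism name.

```shell
#!/bin/sh
# Added example (not Kandji's code). Lists third-party mechanisms in the
# system.login.console authorization right, which is where a replacement
# macOS login window is registered. Assumption: Passport registers here
# too; its mechanism names are not stated on the page, so nothing
# vendor-specific is matched.

# Prefixes of the mechanisms Apple ships. Anything else is third party.
APPLE_MECH_PREFIXES='builtin: loginwindow: MCXMechanism: HomeDirMechanism: PKINITMechanism: CryptoTokenKit:'

# Constructed sample of what `security authorizationdb read` returns, used
# when not running on macOS. ExampleVendor:check,privileged is a placeholder.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>evaluate-mechanisms</string>
	<key>comment</key>
	<string>Login mechanism based rule.</string>
	<key>mechanisms</key>
	<array>
		<string>builtin:policy-banner</string>
		<string>loginwindow:login</string>
		<string>builtin:login-begin</string>
		<string>ExampleVendor:check,privileged</string>
		<string>loginwindow:success</string>
		<string>HomeDirMechanism:login,privileged</string>
		<string>loginwindow:done</string>
	</array>
	<key>shared</key>
	<true/>
</dict>
</plist>'

# extract_mechanisms PLIST_XML -> one mechanism name per line.
# Plain text processing (no plutil) so it also runs on sample input off-Mac.
extract_mechanisms() {
    printf '%s\n' "$1" | awk '
        /<key>mechanisms<\/key>/ { inmech = 1; next }
        inmech && /<\/array>/     { exit }
        inmech && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print
        }'
}

# third_party_mechanisms: reads mechanism names on stdin and prints the ones
# whose prefix is not on Apple's list. Always returns 0 so it is safe under set -e.
third_party_mechanisms() {
    while IFS= read -r mech; do
        [ -n "$mech" ] || continue
        apple=0
        for p in $APPLE_MECH_PREFIXES; do
            case "$mech" in "$p"*) apple=1; break ;; esac
        done
        if [ "$apple" -eq 0 ]; then printf '%s\n' "$mech"; fi
    done
    return 0
}

main() {
    if [ "$(uname)" = Darwin ] && command -v security >/dev/null 2>&1; then
        plist=$(security authorizationdb read system.login.console)
    else
        echo "not macOS: using the constructed sample plist" >&2
        plist=$SAMPLE_PLIST
    fi
    extract_mechanisms "$plist" | third_party_mechanisms
}

main
```

On a Mac with only the stock login window the script prints nothing; after a third-party login window is installed, its mechanisms appear. Run it before and after deploying the Passport library item to see the change, and keep the "after" output as a baseline so an unexpected extra mechanism later stands out.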

Passport vs. Platform SSO: Understanding the Differences

While Apple's Platform SSO (introduced in macOS Ventura) shares some functionality with Passport, they serve different primary purposes:

Platform SSO

  • Primarily provides SSO authentication for websites and applications
  • Features vary depending on macOS version
  • May require additional licenses from identity providers
  • Will see enhancements in macOS Tahoe (announced at WWDC)

Kandji Passport

  • Focuses on login experience, user provisioning, and password synchronization
  • Offers a consistent experience across a wider range of macOS versions
  • Included as part of the Kandji platform

For many organizations, Passport provides a more complete solution for managing the entire authentication lifecycle, while Platform SSO may be valuable for application-level authentication once users are logged in.

Implementation Considerations

When deploying Passport, keep these considerations in mind:

Network Connectivity

  • The web login option requires network connectivity at login
  • Offline authentication is available as a fallback with the Mac native login option

FileVault Integration

  • Users typically authenticate twice: once at the FileVault screen and again at login
  • FileVault pass-through authentication is available to streamline this process

Account Types

  • You can configure accounts as standard users or administrators
  • Optionally base account privileges on identity provider group membership
  • Account privileges can be automatically adjusted when group membership changes
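After Passport merges an existing account and syncs its password, the FileVault and account-type considerations above come down to a few facts you can verify on the Mac. The script below is an added example, not Kandji's code, and it assumes what macOS itself requires: FileVault unlock at boot uses the local account password, so a merged user must be FileVault-enabled (listed by fdesetup list) and must hold a Secure Token (reported by sysadminctl -secureTokenStatus), and the user's admin status is whatever the local admin group says (dscl . -read /Groups/admin GroupMembership). The parsing lives in small functions that take command output as text, so the same code runs against the constructed sample outputs embedded here when not on a Mac; the names jane, bob and itadmin are made up.

```shell
#!/bin/sh
# Added example (not Kandji's code). After Passport merges an existing
# account and syncs its password, confirm the account can still unlock
# FileVault and carries the expected privilege level. Assumption: FileVault
# unlock at boot uses the local password, so the merged user must be
# FileVault-enabled and must hold a Secure Token.

# Constructed samples of real command output, used when not on macOS.
SAMPLE_FDESETUP='jane,3A4F0C1E-0000-4000-8000-000000000001
itadmin,5B6C7D8E-0000-4000-8000-000000000002'
SAMPLE_TOKEN_JANE='2025-06-12 10:02:11.123 sysadminctl[4242:90210] Secure token is ENABLED for user Jane Doe'
SAMPLE_TOKEN_BOB='2025-06-12 10:02:13.456 sysadminctl[4243:90211] Secure token is DISABLED for user Bob Lee'
SAMPLE_ADMIN_MEMBERS='GroupMembership: root itadmin'

# fv_enabled USER FDESETUP_LIST_OUTPUT -> 0 if USER appears in `fdesetup list`
# (one "username,UUID" line per FileVault-enabled user; needs root to run live).
fv_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# secure_token_enabled SYSADMINCTL_OUTPUT -> 0 if the status line says ENABLED.
# `sysadminctl -secureTokenStatus USER` writes this line to stderr.
secure_token_enabled() {
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

# is_admin USER GROUPMEMBERSHIP_LINE -> 0 if USER is listed in the output of
# `dscl . -read /Groups/admin GroupMembership` ("GroupMembership: root admin ...").
is_admin() {
    printf '%s\n' "$2" | awk -v u="$1" '
        { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit !found }'
}

# check_user USER FDESETUP_OUT TOKEN_OUT ADMIN_LINE
# Prints a one-line report; returns 0 only if the user is both FileVault-
# enabled and a Secure Token holder, the two things a synced password depends on.
# Admin status is reported, not judged: the expected value depends on the
# account type configured in the Passport library item.
check_user() {
    fv=no; tok=no; adm=no
    if fv_enabled "$1" "$2"; then fv=yes; fi
    if secure_token_enabled "$3"; then tok=yes; fi
    if is_admin "$1" "$4"; then adm=yes; fi
    printf 'user=%s filevault=%s securetoken=%s admin=%s\n' "$1" "$fv" "$tok" "$adm"
    [ "$fv" = yes ] && [ "$tok" = yes ]
}

main() {
    user=${1:-jane}
    if [ "$(uname)" = Darwin ]; then
        fde=$(fdesetup list 2>/dev/null)                      # empty unless run as root
        tok=$(sysadminctl -secureTokenStatus "$user" 2>&1)   # status goes to stderr
        adm=$(dscl . -read /Groups/admin GroupMembership)
        check_user "$user" "$fde" "$tok" "$adm"
    else
        echo "not macOS: checking constructed samples" >&2
        check_user jane "$SAMPLE_FDESETUP" "$SAMPLE_TOKEN_JANE" "$SAMPLE_ADMIN_MEMBERS"
        check_user bob "$SAMPLE_FDESETUP" "$SAMPLE_TOKEN_BOB" "$SAMPLE_ADMIN_MEMBERS" || true
    fi
}

main "$@"
```

Run it as root on a merged Mac with the user's short name as the argument. A non-zero exit means the user is missing either FileVault enablement or a Secure Token, which is the situation in which a password synced by Passport will not unlock the disk at boot; sort that out before the next restart rather than after the user is locked out.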

Multi-User Environments

  • Passport can be configured to allow multiple users on a single device
  • You can restrict login to only assigned users if needed

Passport Demo Q&A

Q: If using the Passport Mac login, can we suppress the prompt to merge with a local user account?

A: Yes. You can configure the Passport library item to skip the account merge prompt entirely. This is often preferred for Automated Device Enrollment (ADE) setups, while still allowing it for manually enrolled devices using separate Passport configurations.

Q: Can users swap freely between devices? What happens in a shared device environment?

A: Yes. In shared environments, Passport will create a local account for each authenticated user. You can optionally restrict login access to only assigned users if needed, which is useful in lab or limited-access settings.

Q: Can Passport eliminate the need to bind Macs to Active Directory?

A: Yes, that’s a common use case. If you’re leveraging Microsoft Entra ID (formerly Azure AD), Passport can use Entra credentials to log in, removing the need for traditional AD binding.

Q: Does the web login option require internet connectivity?

A: Yes, web login requires the device to be online to authenticate against the identity provider. If the device is offline, it will fall back to the native macOS login experience.

Q: Can we use Passport without enforcing multi-factor authentication (MFA)?

A: Yes. MFA is supported only in the web login experience and is entirely optional. You can disable it based on your security requirements.

Q: Is smart card authentication (like YubiKey) supported?

A: No. macOS WebKit at the login window doesn’t support USB smart cards for authentication—only basic input functionality like keyboard emulation is possible.

Q: Can Passport be used with other MDMs?

A: No. Passport is tightly integrated with the Kandji agent and requires Kandji as the MDM.

Q: Is passwordless login supported?

A: Not fully. While you can leverage push notifications for verification via Okta or Entra, macOS still requires a local password for certain actions. A truly passwordless experience is not currently possible.

Q: Which identity providers are supported?

A: Passport natively supports Okta, Entra ID, Google Workspace, and OneLogin. Other providers may work if they support Resource Owner Password Credentials (ROPC), but it’s best to consult your Kandji SE for details.

Q: Can we create admin or standard accounts based on IdP group membership?

A: Yes. Account privileges can be configured directly in the Passport provisioning settings, either as standard, admin, or dynamic based on IdP groups.

Q: What if the password in the identity provider changes? Will users be prompted again?

A: Yes. Passport checks every 5 minutes to validate the stored password. If a mismatch is detected, the user is prompted to reauthenticate and sync their local password.

Q: Can Passport and Apple Platform SSO be used together?

A: Technically, yes—but not for password sync. Both systems can coexist for different purposes (e.g., Passport for login, Platform SSO for app auth), but syncing can get messy since they’re unaware of each other.

Q: Does Passport support Touch ID?

A: Touch ID is supported after login, just like with standard local accounts. It cannot be used at the login window.

Q: What’s the best practice for username format—email address or short name?

A: Use the full email address at the Passport login window, especially for IdPs like Google or Entra that don’t support short names.

Q: Does Google Workspace support MFA with Passport?

A: Not currently. Google Secure LDAP (used by Passport) does not support MFA, but this is on Kandji’s roadmap.

Getting Started with Passport

Kandji provides extensive resources to help you implement Passport with each supported identity provider, and the Kandji support team is available to assist with implementation questions and troubleshooting.

Next Steps

Ready to streamline authentication and reduce password-related support tickets? Here's how to get started with Kandji Passport:

  1. If you're already a Kandji customer, review the Passport documentation in the knowledge base
  2. Configure your identity provider application for use with Passport
  3. Create and deploy your Passport library item
  4. Test with a small group before rolling out to your entire organization

For those new to Kandji, request a demo to see how Passport and other Kandji features can transform your Apple device management experience.

Passport is just one of many ways Kandji helps organizations automate device management while maintaining security and compliance. Stay tuned for our next Demo Day, where we'll explore another powerful feature of the Kandji platform.