The payload that configures an app extension that performs single sign-on with the Kerberos extension.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
ExtensionIdentifier ExtensionIdentifier Set this to `com.apple.AppSSOKerberos.KerberosExtension` for this extension. | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
TeamIdentifier TeamIdentifier Set this to `apple` for this extension. | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
Type Type Set this to `Credential` for this extension. | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
Realm Realm The Kerberos realm. Use proper capitalization for this value. If in an Active Directory forest, this is the realm where the user logs in. | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
ExtensionData ExtensionData This is the dictionary used by the Apple built-in Kerberos extension. 38 subkeys | dictionary | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ cacheName cacheName Deprecated (iOS 15.0, macOS 12.0) The GSS name of the Kerberos cache to use. Rarely set by an administrator. | string | optional | — | ✓Yes | iOS (legacy - 15.0)macOS (legacy - 12.0) |
└─ principalName principalName The principal (username) to use. You don't need to include the realm. | string | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ siteCode siteCode The name of the Active Directory site the Kerberos extension should use. Most administrators don't need to modify this value, as the Kerberos extension can normally find the site automatically. | string | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ certificateUUID certificateUUID The PayloadUUID of a PKINIT certificate. | string | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ useSiteAutoDiscovery useSiteAutoDiscovery If `false`, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name. | boolean | optional | true | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ credentialBundleIdACL credentialBundleIdACL A list of bundle IDs allowed to access the ticket-granting ticket (TGT). 1 subkey | array | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ └─ credentialBundleIdACLItem credentialBundleIdACLItem Bundle IDs allowed to access the TGT. These values are case sensitive. | string | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ includeManagedAppsInBundleIdACL includeManagedAppsInBundleIdACL If `true`, the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the `credentialBundleIDACL`, if you specify that value. Available in iOS 14 and later, and macOS 12 and later. | boolean | optional | false | ✓Yes | iOS (14.0+)macOS (12.0+) |
└─ includeKerberosAppsInBundleIdACL includeKerberosAppsInBundleIdACL If `true`, the Kerberos extension allows the standard Kerberos utilities including `TicketViewer` and `klist` to access and use the credential. This is in addition to `includeManagedAppsInBundleIdACL` or the `credentialBundleIdACL`, if you specify those values. Available in macOS 12 and later. | boolean | optional | false | ✓Yes | macOS (12.0+) |
└─ domainRealmMapping domainRealmMapping A custom domain-realm mapping for Kerberos. The system uses this when the DNS name of hosts doesn't match the realm name. Most administrators don't need to customize this. 1 subkey | dictionary | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ └─ Realm Realm The key should be the name of the realm, and the value is an array of DNS suffixes that map to the realm. 1 subkey | array | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ └─ └─ RealmItem RealmItem Domains to map to the realm | string | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ isDefaultRealm isDefaultRealm Specifies whether this is the default realm if there's more than one Kerberos extension configuration. | boolean | optional | false | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ customUsernameLabel customUsernameLabel The custom user name label used in the Kerberos extension instead of "Username," such as "Company ID". Available in macOS 11 and later. | string | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ helpText helpText The text to display to the user at the bottom of the Kerberos Login Window. You can also use this to display help information or disclaimer text. Available in iOS 14 and later, and macOS 11 and later. | string | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ allowPasswordChange allowPasswordChange If `false`, the system disables password changes. Available in macOS 10.15 and later. | boolean | optional | true | ✗No | |
└─ allowAutomaticLogin allowAutomaticLogin If `false`, the system doesn't allow saving passwords in the keychain. | boolean | optional | true | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ requireUserPresence requireUserPresence If `true`, the system requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry. | boolean | optional | false | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ pwExpireOverride pwExpireOverride Deprecated (macOS 12.0) The number of days that the system allows using passwords on this domain. For most domains, this calculation is automatic. Available in macOS 10.15 and later. | integer | optional | — | ✓Yes | macOS (legacy - 12.0) |
└─ pwNotificationDays pwNotificationDays The number of days prior to password expiration when the system sends a notification of password expiration to the user. Available in macOS 10.15 and later. | integer | optional | 15 | ✗No | |
└─ pwReqLength pwReqLength The minimum length of passwords on the domain.Available in macOS 10.15 and later. | integer | optional | — | ✗No | |
└─ pwReqComplexity pwReqComplexity If `true`, the system requires passwords to meet Active Directory's definition of "complex". Available in macOS 10.15 and later. | boolean | optional | false | ✗No | |
└─ pwReqMinAge pwReqMinAge The minimum age of passwords before the system allows changing them on this domain. Available in macOS 10.15 and later. | integer | optional | — | ✗No | |
└─ pwReqHistory pwReqHistory The number of prior passwords that the system disallows reuse on this domain. Available in macOS 10.15 and later. | integer | optional | — | ✗No | |
└─ pwReqText pwReqText The text version of the domain's password requirements. Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 10.15 and later. | string | optional | — | ✗No | |
└─ pwReqRTFData pwReqRTFData The RTF file formatted version of the domain's password requirements. Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 15 and later. | data | optional | — | ✓Yes | macOS (15.0+) |
└─ pwChangeURL pwChangeURL This URL will launch in the user's default web browser when they initiate a password change. Available in macOS 10.15 and later. | string | optional | — | ✗No | |
└─ syncLocalPassword syncLocalPassword If `false`, the system disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later. | boolean | optional | false | ✗No | |
└─ replicationTime replicationTime Deprecated (macOS 12.0) The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension uses this when checking password age after a change. Available in macOS 11 and later. | integer | optional | 900 | ✓Yes | macOS (11.0 - 12.0) |
└─ delayUserSetup delayUserSetup If `true`, the system doesn't prompt the user to setup the Kerberos extension until either the administrator enables it with the `app-sso` tool or the system receives a Kerberos challenge. Available in macOS 11 and later. | boolean | optional | false | ✓Yes | macOS (11.0+) |
└─ monitorCredentialsCache monitorCredentialsCache If `false`, the system requests the credential on the next matching Kerberos challenge or network state change. If the credential is expired or missing, the system creates a new one. Available in macOS 11 and later. | boolean | optional | true | ✓Yes | macOS (11.0+) |
└─ requireTLSForLDAP requireTLSForLDAP Require that LDAP connections use TLS. Available in macOS 11 and later. | boolean | optional | false | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ credentialUseMode credentialUseMode This setting affects how other processes use the Kerberos Extension credential. Allowed values:
- `always`: The system always uses the credential if the SPN matches the Kerberos Extension `Hosts` array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`.
- `whenNotSpecified`: The system only uses the extension credential if the SPN matches the Kerberos Extension `Hosts` array. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`.
- `kerberosDefault`: The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability.
Available in macOS 11 and later. | string | optional | always | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ preferredKDCs preferredKDCs The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If the servers are specified, then the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a `krb5.conf` file, for example:
- `adserver1.example.com`
- `tcp/adserver1.example.com:88`
- `kkdcp://kerberosproxy.example.com:443/kkdcp` 1 subkey | array | optional | — | ✓Yes | iOS (15.0+)macOS (12.0+) |
└─ └─ preferredKDC preferredKDC A host or domain name in the format of [protocol/]hostname[:port][/path] | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ usePlatformSSOTGT usePlatformSSOTGT If `true`, the system requires this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later. | boolean | optional | false | ✓Yes | macOS (13.0+) |
└─ allowPlatformSSOAuthFallback allowPlatformSSOAuthFallback If `true` and `usePlatformSSOTGT` is `true`, the system allows the user to manually sign in. Available in macOS 13 and later. | boolean | optional | true | ✓Yes | macOS (13.0+) |
└─ performKerberosOnly performKerberosOnly If `true`, the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Available in macOS 13 and later. | boolean | optional | false | ✓Yes | iOS (16.0+)macOS (13.0+) |
└─ identityIssuerAutoSelectFilter identityIssuerAutoSelectFilter A string with wildcards that can use used to filter the list of available SmartCards by issuer. e.g "\*My CA2\*". If there is one remaining, it will be auto-selected. If there more than one remaining, then the list is shorter. Available in macOS 15 and later. | string | optional | — | ✓Yes | macOS (15.0+) |
└─ allowSmartCard allowSmartCard If `true`, allow the user to switch the user interface to SmartCard mode. Available in macOS 15 and later. | boolean | optional | true | ✓Yes | macOS (15.0+) |
└─ allowPassword allowPassword If `true`, allow the user to switch the user interface to Password mode. Available in macOS 15 and later. | boolean | optional | true | ✓Yes | macOS (15.0+) |
└─ startInSmartCardMode startInSmartCardMode If `true`, the user interface will start in SmartCard mode. Available in macOS 15 and later. | boolean | optional | false | ✓Yes | macOS (15.0+) |
Hosts Hosts One or more host or domain names for which the app extension performs SSO.
The system:
- Matches host or domain names case-insensitively
- Requires that all the host and domain names of all installed Extensible SSO payloads are unique
> Note:
> Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. 1 subkey | array | optional | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
└─ hostname hostname A host or domain name. Values that begin with a "." will be used as domain names. | string | required | — | ✗No | iOS (13.0+)macOS (10.15+)visionOS (1.1+) |
