Question 1: For PlatformSSO, will Apple's KerberosSSO extension be able to communicate with identity providers other than an on-premise Active Directory domain? If not, is there an equivalent Apple tool which can do this? For context on this question, my shop is using Microsoft's Active Directory and Apple's KerberosSSO extension for managing local account passwords, where the KerberosSSO extension is configured to communicate with our on-premise AD domain. We would like to be able to communicate with Microsoft's Azure AD in place of our on-premise AD domain. The reason I'm interested in using Azure AD is that it would help us support our remote users who work from home by allowing this to work via any internet connection in place of the current requirement to connect to our company network using VPN.
Answer: PlatformSSO is a way to get tokens from the Identity Provider (in this case, Azure AD) and enable password synchronization, so this should work but not with Apple's KerberosSSO extension. PlatformSSO is going to be relying on the identity provider's SSO Extension (in this case, Microsoft's SSO extension for macOS), so the vendor's SSO extension would need to be updated to support PlatformSSO and the vendor's SSO extension would need to be deployed. This would not work with Apple's existing KerberosSSO extension.

Question 2: Can we add the machineIdentifier for a macOS virtual machine created using Apple's Virtualization framework to Apple Business Manager to our company, so that a virtual machine can use Automated Device Management during setup? For context on this question, right now we need hardware for testing ADE on Apple Silicon. We would prefer to switch to using virtual machines if possible because they are much cheaper to use and we don't have to worry about supply chain issues delaying the delivery of virtual test machines.
Answer: File feedback on this, but it will be difficult to support this workflow because it's tough to ensure that virtual machines are legitimate.

Question 3: macOS Ventura's Migration Assistant will not migrate system, network or printer settings to an MDM-managed Mac. That's awesome and thank you. What if you choose a Time Machine backup or use Target Disk Mode of an MDM-managed Mac as the source while running Migration Assistant to a Mac which is not managed by MDM? Do the same restrictions apply? Essentially, what I'm looking for is for Migration Assistant to check both the source and the destination and if either source or destination is managed by MDM, Migration Assistant will not migrate system, network or printer settings. Is this how it works?
Answer: Migration Assistant is looking for the MDM enrollment artifacts, so it's likely looking for a) the operating system to be up and running and b) the OS to be MDM enrolled. That said, test the scenario described above and see if it works like you want it to. If not, file feedback with the requested changes.

Question 4: Right now, users are only aware of software update download and prepare operations triggered by MDM if they happen to go to the System Preferences or System Settings page for Software Update. Is it possible to add some sort of UI cues for the end user that an admin has started a software update for them? For context, software installing from the App Store shows a circle in Finder as a progress indicator, and icons in Launchpad overlay a small progress bar.
Answer: Please re-test this on Ventura and file feedback on the changes you would like to see.

Question 5: The Platform SSO overview mentioned that a user being disabled in the linked Identity Provider (IdP) does not prevent login. Can you describe what the behavior is for the user in this situation? Also, what is the behavior for a user whose account uses Platform SSO if the user’s account is disabled or removed from the IdP entirely?
Answer: Ran out of time, didn't get an answer to this question.

Question 6: With regard to the "Requirement for internet access in Setup Assistant" - How does the device retain knowledge of its organization registration after a wipe or a DFU restore? Is this information stored in NVRAM or is it stored elsewhere?
Answer: It does not survive a DFU restore, but it does survive a disk wipe. I don't know where this information is stored, but a good place for research should be the Local policy manifest information included in the Apple Platform Security guide.