Merged
@@ -1,7 +1,7 @@
---
title: Configure Platform SSO for macOS devices
description: Use Microsoft Intune to configure Platform SSO and deploy the configuration to your macOS devices. Platform SSO enables single sign-on (SSO) using Microsoft Entra ID with the Secure Enclave, smart card, or password authentication methods. You create a settings catalog policy to configure the settings. This article is a step-by-step guide to configure Platform SSO for macOS devices using Intune.
ms.date: 05/11/2026
ms.date: 05/18/2026
ms.topic: how-to
appliesto:
- :::image type="icon" source="../../media/icons/16/check.svg" border="false"::: macOS
Expand Down Expand Up @@ -218,7 +218,7 @@ To configure the Platform SSO policy, use the steps in this section to create an
| **Platform SSO** > **Use Shared Device Keys** </br>(macOS 14+) | **Enabled** | When enabled, Platform SSO uses the same signing and encryption keys for all users on the same device. </br></br>Users upgrading from macOS 13.x to 14.x are prompted to register again. |
| **Registration token** | `{{DEVICEREGISTRATION}}` | Copy and paste this value in the setting. You must include the curly braces. <br/><br/>To learn more about this registration token, go to [Configure Microsoft Entra device registration](/entra/identity-platform/apple-sso-plugin#configure-microsoft-entra-device-registration). <br/><br/>This setting requires that you also configure the `AuthenticationMethod` setting.<br/><br/>- If you use only macOS 13 devices, then configure the **Authentication Method (Deprecated)** setting.<br/>- If you use only macOS 14+ devices, then configure the **Platform SSO** > **Authentication Method** setting.<br/>- If you have a mix of macOS 13 and macOS 14+ devices, then configure both authentication settings in the same profile. |
| **Screen Locked Behavior** | **Do Not Handle** | When set to **Do Not Handle**, the request continues without SSO. |
| **Token To User Mapping** > **Account Name** | `preferred_username` | Copy and paste this value in the setting. <br/><br/>This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. |
| **Token To User Mapping** > **Account Name** | `com.apple.PlatformSSO.AccountShortName` or `preferred_username` | Copy and paste your value in the setting: <br/><br/>- `com.apple.PlatformSSO.AccountShortName`: Recommended. Uses the Identity Provider's (IDP) User Principal Name (UPN) prefix as the local account name (user’s short name), like `user@contoso.com` for the macOS account's Account Name value. See [Platform SSO: On-demand account creation (Apple docs)](https://support.apple.com/guide/deployment/dep7bbb05313/web). <br/>- `preferred_username`: This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. |
| **Token To User Mapping** > **Full Name** | `name` | Copy and paste this value in the setting. <br/><br/>This token specifies that the Microsoft Entra [`name`](/entra/identity-platform/id-token-claims-reference#payload-claims) claim is used for the macOS account's Full Name value. |
| **Team Identifier** | `UBF8T346G9` | Copy and paste this value in the setting. <br/><br/>This identifier is the team identifier of the Enterprise SSO plug-in app extension. |
| **Type** | Redirect | |
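Review bot: In the new **Token To User Mapping** > **Account Name** row, the `com.apple.PlatformSSO.AccountShortName` bullet describes the value as the UPN prefix but gives `user@contoso.com` as the example, which is a full UPN; by the row's own wording the prefix would be `user`. Suggest rewording the example to show the prefix (for instance "like `user` for `user@contoso.com`") and ending the sentence there, because the trailing "for the macOS account's Account Name value" now reads as part of the example. The row also lists two accepted values without saying when `preferred_username` is still the right choice, or what admins who already deployed `preferred_username` (the only value in the old row) should do; one sentence covering that would prevent mismatched local account names across a fleet. Minor: "IDP" is normally written "IdP".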