# Insights

* Before setting up PSSO, think through your approach and how you will communicate it to end users. Your security department may expect you to implement the most secure authentication method, which in this case is Secure Enclave, while your users and the IT department may expect a single password for both the local and online (Entra ID) accounts.
* Secure Enclave provides this additional layer of security only by NOT storing the keys and tokens in the Keychain, as the Password method does.
* Secure Enclave can still offer the best user experience, because users technically do not need a password when they sign in with Touch ID. A missing password sync then matters much less, and sign-in remains phishing resistant.
* Tokens and keys stored in the Secure Enclave are hardware bound (phishing resistant). You cannot export tokens or sync them via iCloud, which makes this the most secure method.
* Secure Enclave with PSSO and Touch ID gives a user experience very similar to what Windows users have with Windows Hello for Business.
* The Password method stores keys in the Keychain, which is software based. Users or attackers could export the tokens and reuse them on a different device. This is why Microsoft and Apple recommend using Secure Enclave.

