os_unlock_active_user_session_disable negatively impacts Platform SSO Accounts #17

Open
opened 2026-01-19 18:28:56 +00:00 by michael · 2 comments

Originally created by @tonyyo11 on GitHub.

Summary

Implementing os_unlock_active_user_session_disable from the Tahoe branch, which applies a configuration profile on the com.apple.loginwindow domain and key of screenUnlockMode:1, while also having an account that is registered with Platform Single Sign On, results in regular failed unlock attempts when waking the system from sleep.
(Additional Context: Using Platform Single Sign On with Entra ID and Smart Card Authentication).

Steps to reproduce

Enforce the configuration profile to set screenUnlockMode:1 on com.apple.loginwindow. Have an account registered for Platform Single Sign On with Smart Card Authentication. Use the system, then lock the user session. Wait approximately 10-30 minutes, and attempt to unlock the system. Upon providing a correct PIN, the system shows a spinning pinwheel that does not go away and does not ultimately unlock the session. The only workaround is to shut down and restart the system forcefully. The issue occurs on average once every 8 hours.
Additional Clarity: I am unsure whether this issue also impacts PSSO with Password Sync.

Operating System version

macOS Tahoe 26.x (Public Release and Beta)

Intel or Apple Silicon

Have only tested against Apple Silicon

What is the current bug behavior?

Randomly attempting to unlock a current user session will not work. PIN is correct, but the unlock process hangs.

What is the expected correct behavior?

Successful unlock after entering the proper PIN from the smart card without issue or delay.

Possible fixes

screenUnlockMode being set to 0 resolves the problem, but goes against the baseline rule as presently written.
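
An added example, not part of the original issue or of the macos_security project: a small audit helper that reports which payloads in a configuration profile set screenUnlockMode for com.apple.loginwindow, so affected Platform SSO machines can be matched to the profile that enforces the value 1. It assumes an unsigned .mobileconfig and the two common payload layouts (a direct com.apple.loginwindow payload and a com.apple.ManagedClient.preferences custom-settings payload); the sample profile and its identifiers are constructed.

```python
import plistlib

DOMAIN = "com.apple.loginwindow"
KEY = "screenUnlockMode"

def find_unlock_mode(profile_bytes):
    """Return [(payload_identifier, value)] for each payload that sets KEY in DOMAIN."""
    profile = plistlib.loads(profile_bytes)  # accepts XML or binary plists
    hits = []
    for payload in profile.get("PayloadContent", []):
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        ptype = payload.get("PayloadType")
        if ptype == DOMAIN and KEY in payload:
            # Layout 1: the payload type is the preference domain itself.
            hits.append((ident, payload[KEY]))
        elif ptype == "com.apple.ManagedClient.preferences":
            # Layout 2: custom settings, domain -> Forced[] -> mcx_preference_settings.
            domain = payload.get("PayloadContent", {}).get(DOMAIN, {})
            for entry in domain.get("Forced", []):
                settings = entry.get("mcx_preference_settings", {})
                if KEY in settings:
                    hits.append((ident, settings[KEY]))
    return hits

def enforces_reported_setting(profile_bytes):
    """True if any payload sets screenUnlockMode to 1, the value named in this issue."""
    return any(value == 1 for _, value in find_unlock_mode(profile_bytes))

# Constructed sample profile (identifiers are placeholders, not real deployments).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.loginwindow",
         "PayloadIdentifier": "example.constructed.loginwindow",
         "screenUnlockMode": 1},
        {"PayloadType": "com.apple.ManagedClient.preferences",
         "PayloadIdentifier": "example.constructed.custom",
         "PayloadContent": {"com.apple.loginwindow": {"Forced": [
             {"mcx_preference_settings": {"screenUnlockMode": 0}}]}}},
    ],
})

if __name__ == "__main__":
    for ident, value in find_unlock_mode(SAMPLE_PROFILE):
        print(f"{ident}: {KEY}={value}")
```
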


@tonyyo11 commented on GitHub:

OK! Will test and report to you the results.


@robertgendler commented on GitHub:

This may be fixed in Beta 3 of 26.2.

Reference: usnistgov/macos_security#17