Combine fleet desktop and SSO ext

[JordanMontgomery]

Related issue: Resolves #46939

This PR is stacked on the work from #47801

Moves the SSO extension under the fleet desktop app. Adds the proper entitlements so it signs and can be distributed. Updates Fleet's AASA handling so the CI-generated SSO extension can establish trust by default

Tested CI build end-to-end on a mac which produced the findigns about codesign/notarization shockingly not flagging the mismatched profile/entitlements and the app failing at runtime.

The entire old apple-sso-extension directory is deleted - it was mostly just a wrapper app for the extension anyways

No changes file as the base branch will have one

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually

Summary by CodeRabbit

• Improvements
  • Enhanced macOS build workflow with improved signing and notarization process for Platform SSO extension to ensure secure integration.
  • Updated bundle identifiers and team configuration for better SSO extension integration and authentication support.
  • Streamlined build process to properly embed and sign Platform SSO components with the host application.

[JordanMontgomery]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Copilot]

Warning

• Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR consolidates the macOS Platform SSO (PSSO) extension into the Fleet Desktop macOS app distribution, updates the Fleet server’s AASA output to match the new production bundle/team IDs, and replaces the old standalone POC Xcode project with the new embedded-extension build/signing flow.

Changes:

• Embed FleetPSSOExtension.appex inside apps/fleet-desktop-macos and add Swift sources/entitlements/plist for the extension.
• Update Fleet server PSSO AASA generation to return only authsrv with Fleet Desktop + extension app identifiers under Fleet’s team ID.
• Update the macOS build workflow to sign/notarize the host app + embedded extension with provisioning profiles; remove the deprecated apple-sso-extension/ POC project.

Reviewed changes

Copilot reviewed 15 out of 30 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
ee/server/service/apple_psso.go	Updates PSSO AASA payload and hardcodes Fleet Desktop bundle IDs + Fleet team ID.
apps/fleet-desktop-macos/README.md	Documents the embedded PSSO extension, entitlements, and signing/profile requirements.
apps/fleet-desktop-macos/FleetPSSOExtension/Info.plist	Sets explicit extension bundle metadata (id, executable, min OS, principal class).
apps/fleet-desktop-macos/FleetPSSOExtension/FleetPSSOExtension.entitlements	Switches to Fleet team/app IDs and uses MDM-managed associated domains with empty array.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift	Adds shared helpers for registration payload, key IDs, UUID lookup, and login configuration.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift	Implements device registration handler to POST registration directly to Fleet.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift	Adds URLSession networking + form-url-encoding + base64url helper.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController.swift	Adds the extension principal class + minimal authorization handler conformance.
apps/fleet-desktop-macos/FleetDesktop/FleetDesktop.entitlements	Updates host app entitlements to Fleet team/app IDs and MDM-managed associated domains.
apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig	Updates example profile for new bundle/team IDs and adds associated-domains payload.
apps/fleet-desktop-macos/build.sh	Builds the host app plus embedded .appex via swiftc and assembles bundle layout.
.github/workflows/fleet-desktop-macos-build.yml	Updates CI to embed provisioning profiles and sign/notarize app + embedded extension.
apple-sso-extension/README.md	Removes deprecated standalone PSSO POC documentation.
apple-sso-extension/FleetPSSO/Info.plist	Removes deprecated POC host app plist.
apple-sso-extension/FleetPSSO/AppDelegate.swift	Removes deprecated POC host app code.
apple-sso-extension/Fleet PSSO.xcodeproj/project.pbxproj	Removes deprecated POC Xcode project.
apple-sso-extension/build.sh	Removes deprecated POC build/sign/notarize script.
apple-sso-extension/Assets.xcassets/Contents.json	Removes deprecated POC asset catalog metadata.
apple-sso-extension/Assets.xcassets/AppIcon.appiconset/Contents.json	Removes deprecated POC icon set metadata.
docs/Contributing/research/mdm/psso.md	Changed but excluded from review by policy (contents unavailable).

Files excluded by content exclusion policy (1)

• docs/Contributing/research/mdm/psso.md

Comments suppressed due to low confidence (1)

apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig:63

• The new com.apple.associated-domains payload is missing standard payload metadata like PayloadVersion (and typically PayloadDisplayName). Without these, the example profile may be rejected or behave inconsistently in MDM tooling.

It would also help readability to indent the nested Configuration dictionary consistently.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Walkthrough

The PR consolidates the Platform SSO (PSSO) extension into the Fleet Desktop macOS app bundle under a single team identifier (8VBZ3948LU) and a unified com.fleetdm.fleet-desktop bundle namespace. The standalone apple-sso-extension Xcode project and its build script are removed. The local build.sh is updated to compile FleetPSSOExtension.appex for arm64 and x86_64 and embed it inside the host app's PlugIns directory. The CI workflow adopts an inside-out codesigning approach with per-bundle provisioning profiles and certificate validation. The server-side AASA document is simplified to authsrv only with two team/bundle-ID entries, and the example mobileconfig is updated to match the new identifiers and adds an associated-domains payload.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	PR description covers the core objectives and includes a partially completed checklist, but lacks critical details about the changes and rationale.	Expand the description to explain: (1) why the apple-sso-extension directory was deleted and how this affects users, (2) the implications of moving the SSO extension under fleet desktop, (3) what entitlements changes enable signing/distribution, and (4) clarify the relationship to PR #47801.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Combine fleet desktop and SSO ext' accurately captures the main structural change in the PR—moving the SSO extension under the fleet desktop app directory and integrating it with the build system.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch JM-46930

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig`:
- Around line 45-63: The associated-domains payload dictionary is missing the
required PayloadVersion key, which is mandatory metadata for profile payloads
and will cause validation or configuration failures. Add a PayloadVersion
key-value pair to the dict element that contains PayloadType set to
com.apple.associated-domains. This key should be added at the same level as the
existing PayloadType, PayloadIdentifier, PayloadUUID, and Configuration keys
within that dictionary.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3c588d57-76ef-4594-a7b2-ce39658af6f5

📥 Commits

Reviewing files that changed from the base of the PR and between 91ad6e5 and 3a7a0e5.

⛔ Files ignored due to path filters (13)

• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_128x128.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_128x128@2x.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_16x16.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_16x16@2x.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_256x256.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_256x256@2x.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_32x32.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_32x32@2x.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_512x512.png is excluded by !**/*.png
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/icon_512x512@2x.png is excluded by !**/*.png
• apple-sso-extension/README.md is excluded by !**/*.md
• apps/fleet-desktop-macos/README.md is excluded by !**/*.md
• docs/Contributing/research/mdm/psso.md is excluded by !**/*.md

📒 Files selected for processing (17)

• .github/workflows/fleet-desktop-macos-build.yml
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/Contents.json
• apple-sso-extension/Assets.xcassets/Contents.json
• apple-sso-extension/Fleet PSSO.xcodeproj/project.pbxproj
• apple-sso-extension/FleetPSSO/AppDelegate.swift
• apple-sso-extension/FleetPSSO/Info.plist
• apple-sso-extension/build.sh
• apps/fleet-desktop-macos/FleetDesktop/FleetDesktop.entitlements
• apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift
• apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift
• apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift
• apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController.swift
• apps/fleet-desktop-macos/FleetPSSOExtension/FleetPSSOExtension.entitlements
• apps/fleet-desktop-macos/FleetPSSOExtension/Info.plist
• apps/fleet-desktop-macos/build.sh
• apps/fleet-desktop-macos/fleet-sso-extension-example.mobileconfig
• ee/server/service/apple_psso.go

💤 Files with no reviewable changes (6)

• apple-sso-extension/Fleet PSSO.xcodeproj/project.pbxproj
• apple-sso-extension/Assets.xcassets/AppIcon.appiconset/Contents.json
• apple-sso-extension/Assets.xcassets/Contents.json
• apple-sso-extension/build.sh
• apple-sso-extension/FleetPSSO/Info.plist
• apple-sso-extension/FleetPSSO/AppDelegate.swift

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}