Summary
Once macOS brokered auth has been validated in production, consider changing the default auth mode on macOS from Web to Broker | Web — matching the Windows default behavior.
Context
Raised by @kyle-rader-msft in PR #453 review:
Depending on how this rollout goes, we might want to include broker | web as the default for Mac in the future.
Current state
Broker is opt-in on macOS via --mode broker because apps with broker-required Conditional Access policies (e.g., token protection, error 530084) will hang indefinitely if web auth is attempted as fallback — the browser shows an error page but never redirects back to localhost.
When to revisit
This should be reconsidered once:
- Broker has been validated across a wider set of macOS deployments
- The web-auth-hang issue for broker-required CA policies is better understood or mitigated
- There's confidence that Company Portal adoption is widespread enough that broker-first is a safe default