STEP 3: Configure Device Trust and Access Policies in VMware for desktop devices

Prerequisites:

STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta

STEP 2: Configure Okta application source in VMware Identity Manager


To configure access policies for desktop devices, you configure identity provider routing rules in Okta and conditional access policies in VMware Identity Manager. The Okta Device Trust solution is not yet available for desktop devices. To configure device trust for desktop devices, you can use Device Compliance as the second-factor authentication method in VMware Identity Manager access policies.

Configure Identity Provider Routing Rules in Okta for Desktop Devices

  1. In the Okta Admin console, go to Security > Identity Providers.
  2. Click the Routing Rules tab and then click Add Routing Rule.
  3. Configure settings as follows:

Setting: Action

Rule Name: Enter a name for the rule you are creating.

IF User's IP is: If appropriate for your implementation, you can specify network zones to which the routing does or does not apply. To specify a zone here, at least one network zone must already be defined in Okta. For more information, see Network Security.

AND User's device platform is: Select Any of these devices and then select macOS or Windows, or both, depending on your implementation.

AND User is accessing: Select Any of the following applications and then enter the application(s) to which you want the routing rule to apply.

AND User matches: Select the appropriate option:

  • Anything. Specifies any user. This is the default.
  • Regex on login. Allows you to enter any valid regular expression, evaluated against the user login, to use for matching. This is useful when specifying the domain, or if a user attribute is not sufficient for matching. For details, see Identity Provider Routing Rules.
  • Domain list on login. Specify a list of the domains to match; for example, example.com. Do not add the @ symbol to the domain name. You can add multiple domains. Note that it is not necessary to escape any characters.
  • User attribute. Select an attribute name in the left list, a type of comparison in the Starts with list, and then enter the value that you want to match in the text field on the right.

THEN Use this identity provider: Select the Identity Provider you created in Okta for VMware Identity Manager as detailed in STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta.

  4. Click Create Rule.

Configure Conditional Access Policies in VMware Identity Manager for Desktop Devices

To provide SSO and device trust for desktop devices, additional access policy rules are required in VMware Identity Manager.

Create the access policy for macOS and Windows 10 with Certificate (Cloud Deployment) and Device Compliance as the authentication methods.

  1. Log in to the VMware Identity Manager console as System administrator.
  2. Click the Identity & Access Management tab.
  3. Click the Policies tab.
  4. Click Add Policy.
  5. In the Definition page of the wizard, enter the following information.

Option: Description

Policy Name: A name for the policy.

Description: A description for the policy.

Applies to: Select Okta. This assigns the access policy set to the Okta Application Source. All authentication requests from Okta are evaluated with this policy rule set.

  6. Click Next.
  7. In the Configuration page, click Add Policy Rule and configure the policy rule for Windows 10.
    1. Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
    2. If a user's network range is: ALL RANGES

      and the user is accessing content from: Windows 10

      Then perform this action: Authenticate using

      then the user may authenticate using: Certificate (Cloud Deployment)

      If the preceding method fails or is not applicable, then: Device Compliance (with AirWatch)

    3. Click Save.
  8. Click Add Policy Rule and configure the policy rule for macOS.
    1. Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
    2. If a user's network range is: ALL RANGES

      and the user is accessing content from: macOS

      Then perform this action: Authenticate using

      then the user may authenticate using: Certificate (Cloud Deployment)

      If the preceding method fails or is not applicable, then: Device Compliance (with AirWatch)

    3. Click Save.
  9. If you have also configured the mobile version of this integration, recreate the mobile policy rules in this policy. This is necessary because the policy rules you created in the previous steps override the default access policy you configured in VMware Identity Manager for mobile devices. Add policy rules for iOS, Android, and Web browser to this new policy, similar to the rules that you added to the default access policy when you configured this solution for mobile devices.

    1. Create a policy rule for iOS devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: iOS

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (iOS)

      If the preceding method fails or is not applicable, then: Okta Auth

    2. Create a policy rule for Android devices with Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Android

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (Android)

      If the preceding method fails or is not applicable, then: Okta Auth

    3. Create a policy rule for Web browsers with Okta as the authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Web Browser

      Then perform this action: Authenticate using

      then the user may authenticate using: Okta Auth

  10. Arrange the policy rules in the following order, listed from top to bottom:
    1. Workspace ONE App or Hub App
    2. Windows 10 or macOS
    3. Windows 10 or macOS
    4. iOS or Android
    5. iOS or Android
    6. Web browser
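To make the two decisions configured in this step concrete, here is an added Python model (not Okta's or VMware's code) of the Okta routing-rule match from the table above and of the first-match, primary-then-fallback evaluation of the VMware Identity Manager policy set just created; the application name and logins used with it are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed model of this page's two decision points, not Okta or VMware code:
# an Okta IdP routing rule that sends desktop logins to the VMware Identity Manager IdP,
# and a VMware Identity Manager access policy (ordered rules, first match wins, primary then fallback).

@dataclass
class RoutingRule:
    platforms: set                      # AND User's device platform is
    apps: set                           # AND User is accessing
    login_domains: set = field(default_factory=set)  # Domain list on login (no "@")
    login_regex: str = None             # Regex on login
    idp: str = "VMware Identity Manager"  # THEN Use this identity provider

    def matches(self, platform: str, app: str, login: str) -> bool:
        if platform not in self.platforms or app not in self.apps:
            return False
        if self.login_domains:
            return login.rpartition("@")[2].lower() in self.login_domains
        if self.login_regex:
            return re.fullmatch(self.login_regex, login) is not None
        return True                     # "Anything": any user matches

def route(rules, platform: str, app: str, login: str) -> str:
    """Return the IdP chosen for this login; Okta itself if no routing rule matches."""
    for rule in rules:
        if rule.matches(platform, app, login):
            return rule.idp
    return "Okta"

@dataclass
class PolicyRule:
    device_type: str                    # "user is accessing content from"
    primary: str                        # "may authenticate using"
    fallback: str = None                # "If the preceding method fails or is not applicable"

# The policy set this page builds (Applies to: Okta), in the recommended top-to-bottom order.
DESKTOP_POLICY = [
    PolicyRule("Windows 10", "Certificate (Cloud Deployment)", "Device Compliance (with AirWatch)"),
    PolicyRule("macOS", "Certificate (Cloud Deployment)", "Device Compliance (with AirWatch)"),
    PolicyRule("iOS", "Mobile SSO (iOS)", "Okta Auth"),
    PolicyRule("Android", "Mobile SSO (Android)", "Okta Auth"),
    PolicyRule("Web Browser", "Okta Auth"),
]

def authenticate(policy, device_type: str, ok) -> str:
    """First rule for the device type wins; return the method that succeeded, or None (access denied)."""
    for rule in policy:
        if rule.device_type == device_type:
            return next((m for m in (rule.primary, rule.fallback) if m and ok(m)), None)
    return None  # no rule for this device type: why the mobile rules must be recreated in this policy
```

The `ok` callback stands in for the outcome of each authentication method (for example, whether the device presents a valid certificate or is reported compliant), so a policy with only the desktop rules denies an iOS login outright.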