This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.




STEP 3: Configure Device Trust and Access Policies in VMware for desktop devices

Prerequisites:

STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta

STEP 2: Configure Okta application source in VMware Identity Manager


To configure access policies for desktop devices, you configure identity provider routing rules in Okta and conditional access policies in VMware Identity Manager. The Okta Device Trust solution is not yet available for desktop devices. To configure device trust for desktop devices, you can use Device Compliance as the second-factor authentication method in VMware Identity Manager access policies.



Configure Identity Provider Routing Rules in Okta for Desktop Devices



  1. In the Okta Admin console, go to Security > Identity Providers.
  2. Click the Routing Rules tab and then click Add Routing Rule.
  3. Configure settings as follows:

| Setting | Action |
|---|---|
| Rule Name | Enter a name for the rule you are creating. |
| IF User's IP is | If appropriate for your implementation, you can specify network zones to which the routing does or does not apply. To specify a zone here, at least one network zone must already be defined in Okta. For more information, see Network Security. |
| AND User's device platform is | Select Any of these devices and then select macOS or Windows, or both, depending on your implementation. |
| AND User is accessing | Select Any of the following applications and then enter the application(s) to which you want the routing rule to apply. |
| AND User matches | Select the appropriate action. |
| THEN Use this identity provider | Select the Identity Provider you created in Okta for VMware Identity Manager, as detailed in STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta. |

  4. Click Create Rule.

Configure Conditional Access Policies in VMware Identity Manager for Desktop Devices

To provide SSO and device trust for desktop devices, additional access policy rules are required in VMware Identity Manager.

Create the access policy for macOS and Windows 10 with Certificate (Cloud Deployment) and Device Compliance as the authentication methods.

  1. Log in to the VMware Identity Manager console as System administrator.
  2. Click the Identity & Access Management tab.
  3. Click the Policies tab.
  4. Click Add Policy.
  5. In the Definition page of the wizard, enter the following information.

| Option | Description |
|---|---|
| Policy Name | A name for the policy. |
| Description | A description for the policy. |
| Applies to | Select Okta. This assigns the access policy set to the Okta Application Source. All authentication requests from Okta are evaluated with this policy rule set. |

  6. Click Next.
  7. In the Configuration page, click Add Policy Rule and configure the policy rule for Windows 10.
    1. Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
    2. If a user's network range is: ALL RANGES

      and the user is accessing content from: Windows 10

      Then perform this action: Authenticate using

      then the user may authenticate using: Certificate (Cloud Deployment)

      If the preceding method fails or is not applicable, then: Device Compliance (with AirWatch)

    3. Click Save.
  8. Click Add Policy Rule and configure the policy rule for macOS.
    1. Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
    2. If a user's network range is: ALL RANGES

      and the user is accessing content from: macOS

      Then perform this action: Authenticate using

      then the user may authenticate using: Certificate (Cloud Deployment)

      If the preceding method fails or is not applicable, then: Device Compliance (with AirWatch)

    3. Click Save.
  9. If you have also configured the mobile version of this integration, you must recreate the mobile policy rules. This is necessary because the policy rules you created in the previous steps override the default access policy you configured in VMware Identity Manager for mobile devices. Therefore, add policy rules for iOS, Android, and Web browser to this new policy, similar to the rules you added to the default access policy when you configured this solution for mobile devices.

    1. Create a policy rule for iOS devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: iOS

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (iOS)

      If the preceding method fails or is not applicable, then: Okta Auth

    2. Create a policy rule for Android devices with Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Android

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (Android)

      If the preceding method fails or is not applicable, then: Okta Auth

    3. Create a policy rule for Web browsers with Okta as the authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Web Browser

      Then perform this action: Authenticate using

      then the user may authenticate using: Okta Auth

  10. Arrange the policy rules in the following order, listed from top to bottom:
    1. Workspace ONE App or Hub App
    2. Windows 10 or Mac OS
    3. Windows 10 or Mac OS
    4. iOS or Android
    5. iOS or Android
    6. Web browser
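The following is an added example, not Okta or VMware code: a small Python model of the two-stage evaluation this page configures (the Okta routing rule, then the ordered VMware access policy rules with first-method/fallback semantics). The app name `hr-portal` and the pass/fail inputs are constructed assumptions; the model lets you check before rollout that every platform still has a matching rule, which is the reason the mobile and browser rules must be recreated in the new policy.

```python
# Added example, not Okta or VMware code: a small model of the two-stage evaluation this
# page configures, so a rule set can be checked for coverage and ordering offline.
from dataclasses import dataclass

@dataclass
class Request:
    platform: str            # "Windows 10", "macOS", "iOS", "Android" or "Web Browser"
    app: str                 # application being accessed (hypothetical app names)
    cert_ok: bool = False    # device presented a valid Certificate (Cloud Deployment)
    compliant: bool = False  # device passed Device Compliance (with AirWatch)

# Okta IdP routing rule: desktop platforms on the listed apps go to the VMware IdP; others stay with Okta.
ROUTING_RULE = {"platforms": {"Windows 10", "macOS"}, "apps": {"hr-portal"}}

def okta_route(req: Request) -> str:
    if req.platform in ROUTING_RULE["platforms"] and req.app in ROUTING_RULE["apps"]:
        return "VMware Identity Manager"
    return "Okta"

# VMware access policy rules in the page's prescribed order (first match wins): first method, then fallback.
VMWARE_RULES = [
    ("Windows 10", ["Certificate (Cloud Deployment)", "Device Compliance (with AirWatch)"]),
    ("macOS", ["Certificate (Cloud Deployment)", "Device Compliance (with AirWatch)"]),
    ("iOS", ["Mobile SSO (iOS)", "Okta Auth"]),
    ("Android", ["Mobile SSO (Android)", "Okta Auth"]),
    ("Web Browser", ["Okta Auth"]),
]

def method_passes(req: Request, method: str) -> bool:
    if method == "Certificate (Cloud Deployment)":
        return req.cert_ok
    if method == "Device Compliance (with AirWatch)":
        return req.compliant
    return True  # Mobile SSO and Okta Auth are assumed to succeed in this model

def vmware_authenticate(req: Request, rules=VMWARE_RULES):
    """Return the method that authenticated the request, or None when access is denied."""
    for platform, methods in rules:
        if platform == req.platform:
            for method in methods:  # fallback: methods are tried in order
                if method_passes(req, method):
                    return method
            return None  # first and fallback method both failed
    return None  # no rule for this platform: denied, which is why mobile rules are recreated

def missing_platforms(rules, expected=("Windows 10", "macOS", "iOS", "Android", "Web Browser")):
    """Platforms that no rule covers; non-empty until the mobile and browser rules are added."""
    covered = {platform for platform, _ in rules}
    return [p for p in expected if p not in covered]
```

Running `missing_platforms` over only the two desktop rules reports iOS, Android and Web Browser as uncovered, mirroring the situation after step 8 before the mobile rules are recreated.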