Provide your own certificate authority for managed devices

When evaluating an authentication policy that requires desktop devices to be managed, Okta determines the management status of a targeted desktop device by verifying whether a client certificate is installed on it. Okta Verify attests certificate installation by creating a digital signature with the certificate's private key, and Okta validates that signature on the server. Configuring your own certificate authority (CA) allows you to issue client certificates to devices to support this operation.

To provide your own certificate authority (CA), your environment needs a public key infrastructure (PKI) that is integrated with your MDM software to distribute client certificates to targeted devices.

In addition to distributing certificates, your MDM software renews certificates before they expire and revokes certificates from your MDM server and managed devices when devices are no longer managed.

Summary

  • Manage devices. You can either:
    • Use your existing MDM software: Okta tested this feature with Microsoft Intune (for Windows) and Jamf Pro (for macOS), but other solutions should work.
    • Use your existing Active Directory Certificate Services (ADCS) infrastructure: Customers with an existing ADCS implementation can use that infrastructure with Okta Verify to enable managed devices in Okta. Okta requires the user on the device to have a certificate from the certificate authority that is set up in Okta.

    Okta tested this configuration using Microsoft Active Directory Certificate Services (AD CS) and Network Device Enrollment Service (NDES) integrated with Microsoft Intune.

  • Deploy client certificates to managed devices: To prove that devices are managed by your organization, configure your MDM software to deploy certificates that are signed by your organization's certificate authority to your registered Windows and macOS devices. Deploy certificates for digital signature but not for other purposes, such as encryption. See Device registration.
  • Upload CA certificates to Okta: From the Okta Admin Console, upload the Intermediate CA(s) that your MDM software will use to issue the Client Certificate. During the SSO flow, Okta Verify presents the signed token to Okta to indicate proof of possession of the client certificate. Okta then uses the trusted CA certificate to validate that the device belongs to your organization.

Start this procedure

To complete this procedure, perform these tasks:

Task 1: Configure the SCEP payload

Make sure SCEP profiles are targeted at the USER level, not the DEVICE level. This ensures that the certificate is deployed to the login keychain and is accessible to Okta Verify. Your SCEP policy requires a user context. Multiple users on the same device are supported, but only if each user belongs to a separate org. The enrolled user must be managed by your MDM software and possess a certificate.

Configure the SCEP payload as follows:

Key                 Type     Value
KeyUsage            Integer  Set to signing so Okta Verify can sign the nonce sent from the Okta server.
AllowAllAppAccess   Boolean  Set to true so Okta Verify can sign requests without prompting users to sign in. Otherwise, users are prompted to allow Okta Verify to access the key.
KeysExtractable     Boolean  Set to false so that the private key cannot easily be copied to another device.
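The Task 1 requirements (user-level targeting plus the three payload keys in the table) as an added pre-flight lint you can run on a profile before the MDM pushes it; this is example code, not Okta's or Apple's, and the payload type string, the key-usage bit values and the constructed sample profile are assumptions:

```python
"""Pre-flight lint for a SCEP configuration profile before MDM pushes it.
Checks what Task 1 requires: user-level scope, signing-only key usage, app
access without a prompt, and a non-extractable private key. Key names follow
this page's table; confirm their spelling against your MDM's SCEP schema."""
import plistlib

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"  # assumption: payload type of the SCEP entry
KEYUSAGE_SIGNING = 1                           # assumption: bit 1 = signing, bit 4 = encryption


def lint_scep_profile(profile_xml: bytes) -> list:
    """Return findings for an XML-plist profile; an empty list means it passes."""
    profile = plistlib.loads(profile_xml)
    findings = []
    # User-level profile: the certificate must land in the login keychain.
    if profile.get("PayloadScope") != "User":
        findings.append("PayloadScope must be User, not System (device level)")
    scep_payloads = [p for p in profile.get("PayloadContent", [])
                     if p.get("PayloadType") == SCEP_PAYLOAD_TYPE]
    if not scep_payloads:
        findings.append("no SCEP payload in profile")
    for payload in scep_payloads:
        content = payload.get("PayloadContent", {})
        usage = int(content.get("KeyUsage", 0))
        if not usage & KEYUSAGE_SIGNING:
            findings.append("KeyUsage must include signing so Okta Verify can sign the nonce")
        if usage & ~KEYUSAGE_SIGNING:
            findings.append("KeyUsage must be signing only, not encryption")
        if content.get("AllowAllAppAccess") is not True:
            findings.append("AllowAllAppAccess must be true or users are prompted on each signature")
        if content.get("KeysExtractable", True) is not False:
            findings.append("KeysExtractable must be false so the key cannot be copied off the device")
    return findings


def build_profile(scope: str, key_usage: int, allow_all: bool, extractable: bool) -> bytes:
    """Constructed sample profile (placeholder identifiers, not a real org's) for the lint."""
    scep = {"PayloadType": SCEP_PAYLOAD_TYPE, "PayloadIdentifier": "example.scep",
            "PayloadContent": {"URL": "https://ndes.example.invalid/certsrv/mscep/mscep.dll",
                               "KeyUsage": key_usage, "AllowAllAppAccess": allow_all,
                               "KeysExtractable": extractable}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": scope,
                           "PayloadIdentifier": "example.profile", "PayloadContent": [scep]})


if __name__ == "__main__":
    # Device-level, signing+encryption, exportable key: four findings; corrected profile: none.
    for finding in lint_scep_profile(build_profile("System", 5, False, True)):
        print("FAIL:", finding)
    print(lint_scep_profile(build_profile("User", 1, True, False)))
```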

Task 2: In Okta, configure management attestation and upload your certificate

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. Click the Endpoint management tab.
  3. Click Add platform.
  4. Select Desktop (Windows and macOS only).
  5. Click Next.
  6. Select Use my own certificate authority for the Certificate authority.
  7. Click Save.
  8. Click the Certificate authority tab.
  9. Click Add certificate authority.
  10. In the Add certificate authority dialog box, browse to the Intermediate CA that will be used to issue the Client Certificate. If you have multiple such issuers, upload all of them one at a time.

    Okta doesn’t support PKCS#7, PKCS#12, or PFX certificate formats.

    Certificates are uploaded automatically. A message appears if uploads are successful. To view details, click View root certificate chain details.

  11. Click Close.

Next steps

Add an authentication policy rule for desktop