Management attestation FAQs

  • Why should admins push client certificates to desktop devices with Okta Verify?

  • If client certificates are pushed through mobile device management (MDM) software and cannot be obtained through another channel, client certificates can be used to attest that the device is managed.

  • How is a client certificate used by Okta?

  • A client certificate is only used to sign an additional payload that attests for management. It is not used for authentication or to authenticate the user.

  • Can I obtain my certificates from a third-party certificate authority (CA)?

  • Yes, but for security reasons, it's important that the CA only issues certificates to managed devices.

    For example, if you use a CA that allows self-service enrollment for users, users could obtain and use these certificates on a device that is not managed and then spoof management attestation. With this, users could access resources without providing the assurance that is required by the authentication policy.

  • How does the client pick the client certificate?

  • On every authentication, the server sends a list of admin-configured issuers to the client. The client goes through the list and loads all the client certificates that were issued by those issuers. It prefers the user store, but it also checks the machine store if an issuer does not have any corresponding certs in the user store. After checking that the client certificate can be used for signing (the private key can be accessed), the client uses the first certificate found on macOS devices, or the most recently issued certificate that is still valid on Windows devices. The client does not do a proper revocation check, so it is recommended to delete revoked certificates from the client.
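    The selection order described above, worked through as an added example (this is illustrative code, not Okta Verify's implementation). Certificates are modelled as plain records with constructed values; the store contents, issuer names and dates are assumptions. It also shows why deleting revoked certificates matters: a revoked but time-valid certificate is still a candidate because the client performs no revocation check.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed model of a client certificate as seen in a local certificate store.
@dataclass(frozen=True)
class StoredCert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    private_key_accessible: bool  # False if the key is missing or needs elevation
    store: str                    # "user" or "machine"


def is_time_valid(cert: StoredCert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def candidates_for_issuer(issuer: str, user_store: List[StoredCert],
                          machine_store: List[StoredCert]) -> List[StoredCert]:
    """Prefer the user store; consult the machine store only when the issuer
    has no certificates at all in the user store."""
    from_user = [c for c in user_store if c.issuer == issuer]
    if from_user:
        return from_user
    return [c for c in machine_store if c.issuer == issuer]


def select_attestation_cert(issuers: List[str], user_store: List[StoredCert],
                            machine_store: List[StoredCert], platform: str,
                            now: Optional[datetime] = None) -> Optional[StoredCert]:
    """Pick the certificate used to sign the management attestation payload.

    issuers is the admin-configured list sent by the server, in server order.
    No revocation check happens here, mirroring the behaviour described above,
    so revoked certificates must be removed from the store by the admin.
    """
    now = now or datetime.now(timezone.utc)
    candidates: List[StoredCert] = []
    for issuer in issuers:
        candidates.extend(candidates_for_issuer(issuer, user_store, machine_store))
    # Only certificates whose private key is usable can sign the payload.
    signable = [c for c in candidates if c.private_key_accessible]
    if platform == "macos":
        return signable[0] if signable else None
    if platform == "windows":
        valid = [c for c in signable if is_time_valid(c, now)]
        return max(valid, key=lambda c: c.not_before, default=None)
    raise ValueError(f"unsupported platform: {platform}")


# Constructed sample stores (hypothetical issuer names and dates).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
OLD = StoredCert("CN=alice managementAttestation", "CN=Corp MDM CA",
                 datetime(2024, 1, 1, tzinfo=timezone.utc),
                 datetime(2025, 12, 31, tzinfo=timezone.utc), True, "user")
NEWER = StoredCert("CN=alice managementAttestation", "CN=Corp MDM CA",
                   datetime(2024, 6, 1, tzinfo=timezone.utc),
                   datetime(2025, 12, 31, tzinfo=timezone.utc), True, "user")
EXPIRED = StoredCert("CN=alice managementAttestation", "CN=Corp MDM CA",
                     datetime(2024, 9, 1, tzinfo=timezone.utc),
                     datetime(2024, 10, 1, tzinfo=timezone.utc), True, "user")
LOCKED = StoredCert("CN=host managementAttestation", "CN=Corp Backup CA",
                    datetime(2024, 11, 1, tzinfo=timezone.utc),
                    datetime(2025, 12, 31, tzinfo=timezone.utc), False, "machine")
USER_STORE = [OLD, NEWER, EXPIRED]
MACHINE_STORE = [LOCKED]
ISSUERS = ["CN=Corp MDM CA", "CN=Corp Backup CA"]


def demo(platform: str) -> Optional[StoredCert]:
    return select_attestation_cert(ISSUERS, USER_STORE, MACHINE_STORE, platform, NOW)


if __name__ == "__main__":
    for p in ("macos", "windows"):
        chosen = demo(p)
        print(p, "->", chosen.subject if chosen else None,
              chosen.not_before.date() if chosen else "")
```

    On the constructed data the macOS branch returns the first usable certificate (issued 2024-01-01), while the Windows branch skips the expired one and returns the certificate issued 2024-06-01; the machine-store certificate is never considered because its issuer has no user-store certificates and its key is not accessible anyway.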

  • Can client certificates in the machine store be used for management attestation?

  • It is recommended to use the user store, but the machine store can be used. If the machine store is used, admins need to make sure that no elevation is required for the user to access the private key.

  • How does Okta validate the management attestation on the server?

  • Okta validates that the:

    • Payload was signed with the client certificate
    • Client certificate is valid (including revocation checks)
    • Client certificate was issued by a trusted issuer that the admin uploaded

    Okta does not validate the whole chain, and expects the admin to delete an issuer from Okta when they are no longer trusted.

  • What certificate properties do I need when I create a SCEP profile in my MDM software?

  • The following settings are required when you create a Simple Certificate Enrollment Protocol (SCEP) profile in your mobile device management (MDM) software:

    • URL: Enter the SCEP URL from the Okta Admin Console.
    • Name: Enter a name for the SCEP profile.
    • Subject: Enter a subject. For example: CN = {EmailUserName} managementAttestation {DeviceUid}.

      Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. If you are using Jamf Pro, you can also use profile variables to include the device ID (UDID).

      See Jamf Pro Administrator's Guide - Computer Configuration Profiles.

    • Challenge type: Specify if you require a static, dynamic, or delegated URL.
      • URL To SCEP Admin: Enter the Challenge URL from the Okta Admin Console.
      • Username: Enter the UserName from the Okta Admin Console.
      • Password: Enter the Password from the Okta Admin Console.
    • Key Size: 2048.
    • Key usage: Digital signature.
    • Allow export from keychain: Leave unselected. It is good security practice to mark the certificate as non-exportable.
    • Allow all apps access: If the SCEP profile is for macOS devices, select this.

  • How does Okta protect against copying certificates to multiple desktop devices?

  • Okta creates a binding between the deviceId and the client certificate on the first authentication. After that, if the client certificate is used by a different device for a management attestation, the management attestation will fail.
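    The server-side checks listed under "How does Okta validate the management attestation on the server?" together with the deviceId binding described here, as an added example; this is illustrative code, not Okta's implementation. Certificate fields (serial, issuer, validity window), the revocation list and the device identifiers are constructed, and the HMAC stands in for the public-key signature verification a real verifier would perform against the certificate's key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed model of the client certificate presented with the attestation.
@dataclass(frozen=True)
class ClientCert:
    serial: str
    issuer: str
    not_before: datetime
    not_after: datetime
    verification_key: bytes  # stand-in for the certificate's public key


def canonical_bytes(payload: dict) -> bytes:
    """Deterministic encoding so client and server sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payload(payload: dict, signing_key: bytes) -> bytes:
    """Client side: sign the attestation payload (HMAC as a stand-in)."""
    return hmac.new(signing_key, canonical_bytes(payload), hashlib.sha256).digest()


class AttestationVerifier:
    def __init__(self, trusted_issuers: Iterable[str], revoked_serials: Iterable[str]):
        self.trusted_issuers = set(trusted_issuers)   # issuers the admin uploaded
        self.revoked = set(revoked_serials)           # result of the revocation check
        self.bindings: Dict[str, str] = {}            # serial -> deviceId, set on first use

    def verify(self, payload: dict, signature: bytes, cert: ClientCert,
               now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        # 1. Issued by a trusted issuer (no full chain validation, as described above).
        if cert.issuer not in self.trusted_issuers:
            return False, "issuer not trusted"
        # 2. Certificate is valid: validity window and revocation status.
        if not (cert.not_before <= now <= cert.not_after):
            return False, "certificate outside validity period"
        if cert.serial in self.revoked:
            return False, "certificate revoked"
        # 3. Payload was signed with this certificate.
        expected = hmac.new(cert.verification_key, canonical_bytes(payload), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 4. Bind the certificate to the deviceId on first use; reject reuse elsewhere.
        device_id = payload.get("deviceId")
        if not device_id:
            return False, "payload missing deviceId"
        bound = self.bindings.get(cert.serial)
        if bound is None:
            self.bindings[cert.serial] = device_id
        elif bound != device_id:
            return False, "certificate bound to a different device"
        return True, "ok"


# Constructed sample data (hypothetical issuer, serial, key and device ids).
KEY = b"constructed-private-key-material"
CERT = ClientCert("01A3", "CN=Corp MDM CA",
                  datetime(2024, 1, 1, tzinfo=timezone.utc),
                  datetime(2025, 12, 31, tzinfo=timezone.utc), KEY)
ROGUE = ClientCert("FFFF", "CN=Self-Service CA", CERT.not_before, CERT.not_after, KEY)
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def run_scenarios() -> Dict[str, str]:
    """Returns the verifier's reason string for each scenario."""
    v = AttestationVerifier(["CN=Corp MDM CA"], revoked_serials=["DEAD"])
    first = {"deviceId": "device-A", "nonce": "n1"}
    copied = {"deviceId": "device-B", "nonce": "n2"}
    tampered = {"deviceId": "device-A", "nonce": "n3"}
    results = {
        "first_use": v.verify(first, sign_payload(first, KEY), CERT, NOW)[1],
        "same_device_again": v.verify(first, sign_payload(first, KEY), CERT, NOW)[1],
        "copied_to_other_device": v.verify(copied, sign_payload(copied, KEY), CERT, NOW)[1],
        "untrusted_issuer": v.verify(first, sign_payload(first, KEY), ROGUE, NOW)[1],
        "bad_signature": v.verify(tampered, sign_payload(first, KEY), CERT, NOW)[1],
    }
    return results


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name}: {reason}")
```

    The first attestation from device-A succeeds and creates the binding; a later attestation from the same device with the same certificate still passes, while the same certificate presented from device-B is rejected, which is the protection against copying a certificate between desktops. The untrusted-issuer case models the self-service CA risk described earlier on the page.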
