Management attestation FAQ

Why should admins push client certificates to desktop devices with Okta Verify?

If client certificates are pushed through mobile device management (MDM) software and can't be obtained through another channel, client certificates can be used to attest that the device is managed.

How is a client certificate used by Okta?

A client certificate is only used to sign an additional payload that attests for management. It isn't used for authentication or to authenticate the user.

Can I obtain my certificates from a third-party Certificate Authority (CA)?

Yes, but for security reasons, it's important that the CA only issues certificates to managed devices.

For example, if you use a CA that allows self-service enrollment for users, users could obtain and use these certificates on a device that isn't managed and then spoof management attestation. With this, users could access resources without providing the assurance that's required by the authentication policy.

How does the client pick the client certificate?

On every authentication, the server sends a list of admin-configured issuers to the client. The client goes through the list and loads all the client certificates that were issued by those issuers. It prefers the user store, but it also checks the machine store if an issuer doesn't have any corresponding certs in the user store. After checking if the client certificate can be used for signing (private key can be accessed), Okta selects the most recently issued client certificate to attest that the device is managed. The client doesn't do a proper revocation check, so it's recommended to delete revoked certificates from the client.

Can client certificates in the machine store be used for management attestation?

For Windows, client certificates should be in the current user certificate store and not the machine store. If using the local machine certificate store is unavoidable, ensure that no elevation is required for the user to access the private key.

For macOS, select the appropriate level to deploy the client certificate:

  • To ensure all users of the device are managed, select Computer Level.

  • If you want only MDM-managed users of the device to be identified as managed, select User Level.

Ensure the client certificate is available to all applications. See Use your own certificate authority for managed devices and SCEP MDM payload settings for Apple devices.

How does Okta validate the management attestation on the server?

Okta performs these validations:

  • The payload was signed with the client certificate.
  • The client certificate is valid (revocation checks are included).
  • The client certificate was issued by a trusted issuer that the admin uploaded.

Okta doesn't validate the whole chain, and expects the admin to delete an issuer from Okta when they're no longer trusted.

What certificate properties do I need when I create a SCEP profile in my MDM software?

The following settings are required when you create a Simple Certificate Enrollment Protocol (SCEP) profile in your mobile device management (MDM) software:

  • URL: Enter the SCEP URL from the Okta Admin Console.
  • Name: Enter a name for the SCEP profile.
  • Subject: Enter a subject.

    For example: CN = {EmailUserName} managementAttestation {DeviceUid}.

    Okta doesn't require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. If you're using Jamf Pro, you can also include profile variables to include the device ID (UDID).

    See Jamf Pro Administrator's Guide - Computer Configuration Profiles.

  • Challenge type: Specify if you require a static, dynamic, or delegated URL.
    • URL To SCEP Admin: Enter the Challenge URL from the Okta Admin Console.
    • Username: Enter the UserName from the Okta Admin Console.
    • Password: Enter the Password from the Okta Admin Console.
  • Key Size: 2048.
  • Key usage: Digital signature.
  • Allow export from keychain: Leave cleared. It's good security practice to mark the certificate as non-exportable.
  • Allow all apps access: If the SCEP profile is for macOS devices, select this.

After the SCEP certificate deployment, the message "Organization Intermediate Authority certificate is not trusted" appears.

This is expected behavior. An Organization Intermediate Authority certificate is used to issue client certificates. It can validate the client certificate on the Okta service, so there's no requirement for the OIA certificate itself to be trusted.

How does Okta protect against copying certificates to multiple desktop devices?

Okta creates a binding between the deviceId and the client certificate on the first authentication. After that, if the client certificate is used by a different device for a management attestation, the management attestation will fail.

What happens if I delete a desktop device management configuration?

If you delete a desktop device management configuration, new devices don't request client certificates from the Okta CA service.

In your device management solution, delete any SCEP policies associated with the device management configuration that you deleted.

Devices that already have client certificates issued by Okta keep sending management attestations. In your device management solution, remove the client certificate from the managed devices. If some devices still have client certificates deployed, authentication policies with unmanaged device conditions might prevent users from accessing apps on those devices.

How do I reuse a deployed client certificate if I want to repurpose the device?

If you want to repurpose a device for a new user but the device already has a client certificate installed, complete the following steps:

  1. On the device, remove the Okta Verify account.

    1. In Okta Verify on the device, tap or click the account to access the Account Details.

    2. Tap or click Delete Account, and then tap Delete to confirm the action.

  2. In the Admin Console, go to Directory Devices and locate the device you want to repurpose.

  3. Click the X to deactivate the device. This will suspend the link between the certificate and the device.

  4. In the Admin Console, click Deactivated in the Devices sidebar to locate deactivated devices. Find the device you want to repurpose, and reactivate it.

The new user will do the Add Account flow with Okta Verify. After the first successful Okta FastPass authentication, the device provides management attestation for the new enrollment.