Endpoint security integrations
You can integrate Okta Verify with your organization’s endpoint detection and response (EDR) solution. When users try to access a protected resource, Okta Verify probes their device for context and trust signals and then uses these signals to determine an access decision. Endpoint security integration extends device posture evaluation by enabling Okta Verify to capture signals collected by your EDR client running on the same device. All signals are then sent to the Okta server and evaluated against the authentication policies that you have configured in the Okta Admin Console.
Okta currently supports integrations with CrowdStrike and Microsoft Windows Security Center. Support for additional endpoint security integration vendors is planned for the future.
How does it work?
Integrating Okta Verify with your Endpoint Detection and Response (EDR) solution allows Okta Verify to serve as a device posture integration layer between the Okta server and EDR vendors that also have services running on end-user devices. When a user tries to access a protected resource, Okta Verify probes their device for context and trust signals and sends the information to the Okta server. The server evaluates the information against your Okta authentication policies to help inform the access decision.
Here's a high-level description of how it works.
- Plugins allow Okta Verify to communicate locally with the EDR client running on the same device:
  - Windows: The Windows Security Center plugin is created automatically when Okta Verify is installed on the device. To install the CrowdStrike ZTA plugin, you specify a flag in the installation command.
  - macOS: The plugin is enabled when you deploy a managed app configuration from your device management solution to targeted macOS devices.
- The plugin is invoked whenever a user authenticates with Okta Verify to access a resource protected by an authentication policy that requires EDR signal(s).
- Okta Verify captures the signal(s) collected by the plugin and provides these to the Okta server when requested.
- EDR signals are cached in Okta for up to eight hours or until the session times out, whichever occurs first. The cache is updated whenever new signals are processed.
- The Okta server evaluates the signal(s) against the authentication policy and either allows or denies access to the resource.
- If access is denied for any reason:
  - The "You do not have permission to perform the requested action" message appears.
  - A system log message is generated that confirms that the authentication policy evaluation resulted in denied access. Admins can evaluate the context of the system log message together with information from the EDR dashboard to determine why access was denied.
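The following Python model is an added illustration of the evaluation flow described above; it is not Okta's code. It models the two freshness limits the list states (eight-hour cache, bounded by the session lifetime) and a policy check against cached EDR signals. The signal name `zta_score` and the threshold values are assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Per the description above: cached EDR signals live at most eight hours.
CACHE_TTL = timedelta(hours=8)

@dataclass
class CachedSignals:
    signals: dict          # e.g. {"zta_score": 80}; signal names are assumed
    captured_at: datetime  # when the plugin last delivered these signals

@dataclass
class Session:
    started_at: datetime
    lifetime: timedelta

def update_cache(cached, new_signals, now):
    """New signals replace the cached set and restart the TTL clock."""
    return CachedSignals(signals=dict(new_signals), captured_at=now)

def signals_usable(cached, session, now):
    """Signals are usable until the TTL or the session end, whichever is first."""
    if cached is None:
        return False
    ttl_expiry = cached.captured_at + CACHE_TTL
    session_expiry = session.started_at + session.lifetime
    return now < min(ttl_expiry, session_expiry)

def evaluate(policy, cached, session, now):
    """Return (allowed, log_line). policy maps a required signal to its minimum.

    Constructed model: a missing or stale signal is a deny, never a default allow,
    which is the conservative reading of 'requires EDR signal(s)'.
    """
    if not signals_usable(cached, session, now):
        return False, "DENY: no usable EDR signals (cache expired or session ended)"
    for name, minimum in policy.items():
        value = cached.signals.get(name)
        if value is None:
            return False, f"DENY: required EDR signal '{name}' not present"
        if value < minimum:
            return False, f"DENY: '{name}'={value} below required minimum {minimum}"
    return True, "ALLOW: all required EDR signals satisfied"
```

The deny branches are the cases an admin would correlate between the Okta system log and the EDR dashboard when a user sees the permission error.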