Manage endpoint security integration plugins for macOS
Endpoint security integration plugins extend the functionality of the Okta endpoint security integration feature.
To enable plugins on macOS devices, you need to configure and deploy a managed app configuration using your device management solution. The configuration enables you Okta Verify to collect trust signals from your EDR client running on the same device.
Currently, Okta EDR integration for macOS only supports CrowdStrike ZTA. Support for other EDR solutions is planned for the future.
- Prerequisites
- Managed app configuration
- Start this procedure
- Verify managed app configuration deployment
- Disable the EDR integration plugin
- Next steps
Prerequisites
Verify that the following settings are in place:
- EDR integration is enabled for your org
- macOS devices are:
- Registered with Okta
- Managed by a device management solution that supports managed app configuration
- Running on a supported platform. See Supported platforms, browsers, and operating systems.
- Have the latest version of Okta Verify installed. See Supported platforms for Okta Verify.
- Running CrowdStrike Falcon Agent 6.20 or later
- You're familiar with these Jamf Pro documents:
Managed app configuration
The managed app configuration contains information that Okta Verify uses to create the EDR integration plugin. Entries in the configuration correspond to the EDR vendors that you integrate with Okta. When users try to access a protected resource, Okta Verify reads the entry to collect signals from the EDR. For example, the entry for CrowdStrike looks like this:
{
"OktaVerify.Plugins" = ["com.crowdstrike.zta"],
{
"name": "com.crowdstrike.zta",
"description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
"location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta",
"type": "FILE",
"format": "JWT"
}
Currently, as shown in the example entry, this EDR integration supports only "type": "FILE" and Crowdstrike.
Jamf Pro-specific example
This example shows how to deploy a managed app configuration using Jamf Pro, but any device management solution that supports deploying a managed app configuration to Apple devices should work with the Okta key name and value.
In this example, you upload the managed app configurations and two distinct Preference Domains (bundle IDs) to Jamf Pro. The configuration must have the following properties:
- Identical entries but different names that correspond to their distinct Preference Domain (bundleID) in Jamf Pro.
- The configuration must include an entry with an array of all the integration names attached to:
- Key:OktaVerify.Plugins
- All other entries in the PLIST must be keys corresponding to dictionaries formatted as shown in the CrowdStrike entry example. The key should match the ”name” entry in the dictionary. For example, "OktaVerify.Plugins" = ["com.crowdstrike.zta"].
- For other MDMs, refer to the vendor's documentation. Your MDM may have alternate requirements, but still requires the Okta keys and values. The example shown on this page is for informational purposes only.
Start this procedure
- In Jamf Pro, go to .
- In the left pane, scroll down and select Application & Custom Settings.
- Choose a method for uploading the PLIST files to Jamf Pro:
- External Applications. Choose Custom Schema. See Managing Settings for Computer Applications using JSON Schema and Jamf Pro.
- Upload. See Computer Configuration Profiles.
- In your chosen upload method, enter two identical PLIST payloads. Each payload must have a distinct Preference Domain:
- First payload Preference Domain: com.okta.mobile
- Second payload Preference Domain: com.okta.mobile.auth-service-extension
- PLIST payload. For example, here's a payload for integrating with CrowdStrike ZTA using Jamf Pro:
Copy<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<managedAppConfiguration>
<dict>
<key>OktaVerify.Plugins</key>
<array>
<string>com.crowdstrike.zta</string>
</array>
<key>com.crowdstrike.zta</key>
<dict>
<key>description</key>
<string>description</string>
<key>format</key>
<string>JWT</string>
<key>location</key>
<string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
<key>name</key>
<string>com.crowdstrike.zta</string>
<key>type</key>
<string>file</string>
</dict>
</dict>
</managedAppConfiguration>
</plist> - Go to the Scope tab and assign the configuration profile to the relevant user devices.
Currently the description field in the PLIST isn't used. You can use it to show a message to end users about the signals Okta collects and the benefits of this feature.
Verify managed app configuration deployment
There are a few ways to verify that the managed app configuration was deployed successfully to a given device.
Option 1: Check System Preferences
- On the macOS device, click the System Preferences icon on the dock and hold it.
-
Click Profiles.
-
Under Device (Managed), verify that there's an entry for the profile you created in Jamf Pro is listed. For example, an entry may contain the information similar to this:
- Description: deploy app config to macOS Okta Verify shared container.
- Signed: JSS Built-In Signing Certificate
- Installed: April 1, 2021 at 11:55 AM
- Settings: Custom Settings
Option 2: Look in /Library/Managed Preferences
Make sure to open Library/Managed Preferences and not the Users Library folder.
-
On the macOS device, go to /Library/Managed Preferences.
-
Verify that the PLIST file is present in these locations:
-
The Managed Preferences folder
-
The User subfolder within Managed Preferences.
-
Disable the EDR integration plugin
If you want to disable the EDR integration plugin for a particular EDR vendor, remove the EDR-specific entry from the PLIST files and then upload them again to Jamf Pro as described in Start this procedure.