Manage EDR integration plugins for macOS
Okta Endpoint Detection and Response (EDR) integration plugins extend the functionality of the Okta EDR integration feature.
To enable plugins on macOS devices, you need to configure and push a managed app configuration using your device management solution. The configuration enables Okta Verify to collect trust signals from your EDR client running on the same device.
Currently, Okta EDR integration for macOS only supports CrowdStrike ZTA. Support for other EDR solutions is planned for the future.
- Before you begin
- Managed app configuration
- Start this procedure
- Verify managed app configuration deployment
- Disable the EDR integration plugin
- Next steps
- EDR integration is enabled for your org
- macOS devices are:
- You are familiar with these Jamf Pro documents:
The managed app configuration contains information that Okta Verify uses to create the EDR integration plugin. Entries in the configuration correspond to the EDR vendors that you integrate with Okta. When users try to access a protected resource, Okta Verify reads the entry to collect signals from the EDR. For example, the entry for CrowdStrike looks like this:
"description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
"location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/OVSignals.zta",
Currently, as shown in the example entry, this EDR integration supports only "type": "FILE" and Crowdstrike.
Jamf Pro-specific example
This example shows how to push a managed app configuration using Jamf Pro, but any device management solution that supports deploying a managed app configuration to Apple devices should work.
In this example, you upload the managed app configurations and two distinct Preference Domains (bundle IDs) to Jamf Pro. The configuration must have the following properties:
- Identical entries but different names that correspond to their distinct Preference Domain (bundleID) in Jamf Pro.
- The configuration must include an entry with an array of all the integration names attached to:
- Key: OktaVerify.Plugins
- All other entries in the PLIST must be keys corresponding to dictionaries formatted as shown in the CrowdStrike entry example. The key should match the ”name” entry in the dictionary. For example, "OktaVerify.Plugins" = ["com.crowdstrike.zta"].
- In Jamf Pro, go to Computers > Configuration Profiles > + New.
- In the left pane, scroll down and select Application & Custom Settings.
- Choose a method for uploading the PLIST files to Jamf Pro:
- External Applications. Choose Custom Schema. See Managing Settings for Computer Applications using JSON Schema and Jamf Pro.
- Upload. See Computer Configuration Profiles.
- First payload Preference Domain: com.okta.mobile
- Second payload Preference Domain: com.okta.mobile.auth-service-extension
- PLIST payload. For example, here's a payload for integrating with CrowdStrike ZTA using Jamf Pro:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
Currently the description field in the PLIST is not used. You can use it to show a message to end users about the signals Okta collects and the benefits of this feature.
There are a few ways to verify that the managed app configuration was deployed successfully to a given device.
Option 1: Check System Preferences
- On the macOS device, open System Preferences.
Under Device (Managed), verify that there's an entry for the profile you created in Jamf Pro is listed. For example, an entry may contain the information similar to this:
- Description: deploy app config to macOS Okta Verify shared container.
- Signed: JSS Built-In Signing Certificate
- Installed: April 1, 2021 at 11:55 AM
- Settings: Custom Settings
Option 2: Look in /Library/Managed Preferences
Make sure to open Library/Managed Preferences and not Users Library folder.
On the macOS device, go to /Library/Managed Preferences.
Verify that the PLIST file is present in these locations:
Managed Preferences folder
The User subfolder within Managed Preferences.
If you want to disable the EDR integration plugin for a particular EDR vendor, remove the EDR-specific entry from the PLIST files and then upload them again to Jamf Pro as described in Start this procedure.