Manage EDR integration plugins for macOS

Okta Endpoint Detection and Response (EDR) integration plugins extend the functionality of the Okta EDR integration feature.

To enable plugins on macOS devices, you need to configure and push a managed app configuration using your device management solution. The configuration enables Okta Verify to collect trust signals from your EDR client running on the same device.

Currently, Okta EDR integration for macOS only supports CrowdStrike ZTA. Support for other EDR solutions is planned for the future.

Before you begin

Verify that:

Managed app configuration

The managed app configuration contains information that Okta Verify uses to create the EDR integration plugin. Entries in the configuration correspond to the EDR vendors that you integrate with Okta. When users try to access a protected resource, Okta Verify reads the entry to collect signals from the EDR. For example, the entry for CrowdStrike looks like this:

{
  "name": "com.crowdstrike.zta",
  "description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
  "location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/OVSignals.zta",
  "type": "FILE",
  "format": "JWT"
}

Currently, as shown in the example entry, this EDR integration supports only "type": "FILE" and Crowdstrike.

Jamf Pro-specific example

This example shows how to push a managed app configuration using Jamf Pro, but any device management solution that supports deploying a managed app configuration to Apple devices should work.

In this example, you upload the managed app configuration to Jamf Pro twice, under two distinct Preference Domains (bundle IDs). The configuration must have the following properties:

  • Identical entries but different names that correspond to their distinct Preference Domain (bundleID) in Jamf Pro.
  • The configuration must include an entry with an array of all the integration names attached to:
    • Key: OktaVerify.Plugins
  • All other entries in the PLIST must be keys corresponding to dictionaries formatted as shown in the CrowdStrike entry example. The key should match the "name" entry in the dictionary. For example, "OktaVerify.Plugins" = ["com.crowdstrike.zta"].
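The following script is an added example and is not Okta's or Jamf Pro's own code. It encodes the rules listed above (an OktaVerify.Plugins array of plugin names, plus one dictionary per listed name, keyed by that name, carrying the name, description, location, type and format entries), builds the identical PLIST payloads for both Preference Domains with Python's standard plistlib, and checks a configuration before it is uploaded. The function names, the validation helper and the case-insensitive type check are assumptions of this example; the CrowdStrike entry itself comes from the page.

```python
"""Build and validate the Okta Verify EDR plugin managed app configuration.

Added example, not Okta's or Jamf Pro's own code. Helper names are assumptions.
"""
import plistlib

# Plugin entry from the documentation (CrowdStrike ZTA).
CROWDSTRIKE_ZTA = {
    "name": "com.crowdstrike.zta",
    "description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
    "location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/OVSignals.zta",
    "type": "FILE",
    "format": "JWT",
}

# Jamf Pro needs the same payload under both Preference Domains.
PREFERENCE_DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")
PLUGIN_LIST_KEY = "OktaVerify.Plugins"
REQUIRED_KEYS = ("name", "description", "location", "type", "format")


def build_config(plugins):
    """Return the configuration dictionary for the given plugin entries."""
    config = {PLUGIN_LIST_KEY: [p["name"] for p in plugins]}
    for p in plugins:
        config[p["name"]] = dict(p)  # key must equal the entry's "name"
    return config


def build_payloads(plugins):
    """Return {preference_domain: plist_xml_bytes}, one identical payload per domain."""
    xml = plistlib.dumps(build_config(plugins), fmt=plistlib.FMT_XML)
    return {domain: xml for domain in PREFERENCE_DOMAINS}


def parse_payload(xml_bytes):
    """Parse a PLIST payload (for example one exported from Jamf Pro) back into a dict."""
    return plistlib.loads(xml_bytes)


def validate_config(config):
    """Return a list of rule violations; an empty list means the config is well formed."""
    problems = []
    names = config.get(PLUGIN_LIST_KEY)
    if not isinstance(names, list) or not names:
        return [f"{PLUGIN_LIST_KEY} must be a non-empty array of plugin names"]
    for name in names:
        entry = config.get(name)
        if not isinstance(entry, dict):
            problems.append(f"{name}: listed in {PLUGIN_LIST_KEY} but has no dictionary entry")
            continue
        for key in REQUIRED_KEYS:
            if key not in entry:
                problems.append(f"{name}: missing key '{key}'")
        if entry.get("name") != name:
            problems.append(f"{name}: 'name' must equal the dictionary key")
        # Only file-based integrations are supported; compared case-insensitively
        # because the page shows both "FILE" and "file" (assumption of this example).
        if str(entry.get("type", "")).upper() != "FILE":
            problems.append(f'{name}: only "type": "FILE" is supported')
        if not str(entry.get("location", "")).startswith("/"):
            problems.append(f"{name}: 'location' must be an absolute path")
    # Every other top-level key must be one of the listed plugin dictionaries.
    for key in config:
        if key != PLUGIN_LIST_KEY and key not in names:
            problems.append(f"{key}: top-level entry is not listed in {PLUGIN_LIST_KEY}")
    return problems


if __name__ == "__main__":
    cfg = build_config([CROWDSTRIKE_ZTA])
    print("problems:", validate_config(cfg))
    for domain, xml in build_payloads([CROWDSTRIKE_ZTA]).items():
        print(f"--- {domain} ---")
        print(xml.decode())
```

Running the script prints the two payloads, which can be saved as separate PLIST files and uploaded under the matching Preference Domain in the procedure below; running `validate_config` on a parsed payload before upload catches the mismatches that otherwise only surface as Okta Verify silently collecting no EDR signals.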

Start this procedure

  1. In Jamf Pro, go to Computers > Configuration Profiles > + New.
  2. In the left pane, scroll down and select Application & Custom Settings.
  3. Choose a method for uploading the PLIST files to Jamf Pro:
  4. In your chosen upload method, enter two identical PLIST payloads. Each payload must have a distinct Preference Domain:
    • First payload Preference Domain: com.okta.mobile
    • Second payload Preference Domain: com.okta.mobile.auth-service-extension
    • PLIST payload. For example, here's a payload for integrating with CrowdStrike ZTA using Jamf Pro:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
        <key>OktaVerify.Plugins</key>
        <array>
          <string>com.crowdstrike.zta</string>
        </array>
        <key>com.crowdstrike.zta</key>
        <dict>
          <key>description</key>
          <string>description</string>
          <key>format</key>
          <string>JWT</string>
          <key>location</key>
          <string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
          <key>name</key>
          <string>com.crowdstrike.zta</string>
          <key>type</key>
          <string>file</string>
        </dict>
      </dict>
      </plist>

  5. Currently, the description field in the PLIST is not used. You can use it to show a message to end users about the signals Okta collects and the benefits of this feature.

  6. Go to the Scope tab and assign the configuration profile to the relevant end user devices.

Verify managed app configuration deployment

There are a few ways to verify that the managed app configuration was deployed successfully to a given device.

Option 1: Check System Preferences

  1. On the macOS device, open System Preferences.
  2. Open Profiles.
  3. Under Device (Managed), verify that the profile you created in Jamf Pro is listed. For example, an entry may contain information similar to this:

    • Description: deploy app config to macOS Okta Verify shared container.
    • Signed: JSS Built-In Signing Certificate
    • Installed: April 1, 2021 at 11:55 AM
    • Settings: Custom Settings

Option 2: Look in /Library/Managed Preferences

Make sure to open /Library/Managed Preferences at the root of the disk, not the Library folder inside a user's home folder.

  1. On the macOS device, go to /Library/Managed Preferences.
  2. Verify that the PLIST file is present in both of these locations:
    • The Managed Preferences folder itself
    • The user subfolder within Managed Preferences
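The following script is an added example, not Okta's or Jamf Pro's own code. It automates the Option 2 check: it looks for a PLIST for each of the two Preference Domains in the Managed Preferences folder and in the named user's subfolder, confirms that all copies carry identical payloads (as the procedure requires), and checks that the EDR signal file named in each plugin's location entry actually exists on the device. The function names, the default folder argument and the constructed directory tree in the demo are assumptions of this example.

```python
"""Check that the EDR plugin managed app configuration reached a macOS device.

Added example, not Okta's or Jamf Pro's code. Function names are assumptions.
"""
import os
import plistlib
import tempfile

MANAGED_PREFS = "/Library/Managed Preferences"
DOMAINS = ("com.okta.mobile", "com.okta.mobile.auth-service-extension")


def check_deployment(managed_prefs=MANAGED_PREFS, user=None, check_signal_files=True):
    """Return a list of findings; an empty list means the profile looks deployed."""
    findings = []
    folders = [managed_prefs]
    if user:
        folders.append(os.path.join(managed_prefs, user))
    loaded = {}
    for folder in folders:
        for domain in DOMAINS:
            path = os.path.join(folder, domain + ".plist")
            if not os.path.isfile(path):
                findings.append(f"missing: {path}")
                continue
            try:
                with open(path, "rb") as fh:
                    loaded[path] = plistlib.load(fh)
            except Exception as exc:  # malformed or non-plist file
                findings.append(f"unreadable: {path} ({exc})")
    # The procedure requires identical entries under both domains and folders.
    payloads = list(loaded.values())
    if any(p != payloads[0] for p in payloads[1:]):
        findings.append("payloads differ between Preference Domains or folders")
    # Collect each plugin's signal-file location from the deployed payloads.
    locations = {}
    for path, cfg in loaded.items():
        names = cfg.get("OktaVerify.Plugins") or []
        if not names:
            findings.append(f"{path}: OktaVerify.Plugins is missing or empty")
        for name in names:
            locations[name] = (cfg.get(name) or {}).get("location")
    if check_signal_files:
        for name, location in locations.items():
            if not location or not os.path.isfile(location):
                findings.append(f"signal file for {name} not found at {location!r}")
    return findings


def demo(drop_user_copy=False):
    """Run the check on a constructed directory tree (sample data, not a real device)."""
    cfg = {
        "OktaVerify.Plugins": ["com.crowdstrike.zta"],
        "com.crowdstrike.zta": {
            "name": "com.crowdstrike.zta",
            "description": "description",
            "location": "",  # filled in with a constructed signal file below
            "type": "file",
            "format": "JWT",
        },
    }
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "Managed Preferences")
        signal = os.path.join(root, "data.zta")  # stands in for the CrowdStrike ZTA file
        with open(signal, "w") as fh:
            fh.write("constructed.jwt.placeholder")
        cfg["com.crowdstrike.zta"]["location"] = signal
        folders = [prefs] if drop_user_copy else [prefs, os.path.join(prefs, "alice")]
        for folder in folders:
            os.makedirs(folder, exist_ok=True)
            for domain in DOMAINS:
                with open(os.path.join(folder, domain + ".plist"), "wb") as fh:
                    plistlib.dump(cfg, fh)
        return check_deployment(prefs, user="alice")


if __name__ == "__main__":
    print("complete deployment:", demo())
    print("user copy missing:", demo(drop_user_copy=True))
```

On a real device, call `check_deployment(user=<short name>)` with the default folder; the findings list reads as the same checklist the manual steps walk through, and a missing signal file points at the EDR agent rather than the profile.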

Disable the EDR integration plugin

If you want to disable the EDR integration plugin for a particular EDR vendor, remove the EDR-specific entry from the PLIST files and then upload them again to Jamf Pro as described in Start this procedure.

Next steps