Manage endpoint security integration plugins for macOS

Endpoint security integration plugins extend the functionality of the Okta endpoint security integration feature.

To enable plugins on macOS devices, you need to configure and deploy a managed app configuration using your device management solution. The configuration enables Okta Verify to collect trust signals from the EDR client running on the same device.

Currently, Okta EDR integration for macOS only supports CrowdStrike ZTA. Support for other EDR solutions is planned for the future.

Prerequisites

Verify that the following settings are in place:

Managed app configuration

The managed app configuration contains information that Okta Verify uses to create the EDR integration plugin. Entries in the configuration correspond to the EDR vendors that you integrate with Okta. When users try to access a protected resource, Okta Verify reads the entry to collect signals from the EDR. For example, the entry for CrowdStrike looks like this:

{
  "OktaVerify.Plugins": ["com.crowdstrike.zta"],
  "com.crowdstrike.zta": {
    "name": "com.crowdstrike.zta",
    "description": "File based EDR integration between Okta Verify and the Crowdstrike Falcon agent.",
    "location": "/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta",
    "type": "FILE",
    "format": "JWT"
  }
}

Currently, as shown in the example entry, this EDR integration supports only "type": "FILE" and Crowdstrike.

Jamf Pro-specific example

This example shows how to deploy a managed app configuration using Jamf Pro, but any device management solution that supports deploying a managed app configuration to Apple devices should work with the Okta key name and value.

In this example, you upload the managed app configurations and two distinct Preference Domains (bundle IDs) to Jamf Pro. The configuration must have the following properties:

  • Identical entries under two different names, each corresponding to its distinct Preference Domain (bundle ID) in Jamf Pro.
  • An entry whose value is an array of all the integration names, attached to the key OktaVerify.Plugins.
  • All other entries in the PLIST must be keys corresponding to dictionaries formatted as shown in the CrowdStrike entry example. The key should match the "name" entry in the dictionary. For example, "OktaVerify.Plugins" = ["com.crowdstrike.zta"].
  • For other MDMs, refer to the vendor's documentation. Your MDM may have alternate requirements, but still requires the Okta keys and values. The example shown on this page is for informational purposes only.

Start this procedure

  1. In Jamf Pro, go to Computers > Configuration Profiles > + New.
  2. In the left pane, scroll down and select Application & Custom Settings.
  3. Choose a method for uploading the PLIST files to Jamf Pro:
  4. In your chosen upload method, enter two identical PLIST payloads. Each payload must have a distinct Preference Domain:
    • First payload Preference Domain: com.okta.mobile
    • Second payload Preference Domain: com.okta.mobile.auth-service-extension
    • PLIST payload. For example, here's a payload for integrating with CrowdStrike ZTA using Jamf Pro:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <managedAppConfiguration>
      <dict>
      <key>OktaVerify.Plugins</key>
      <array>
      <string>com.crowdstrike.zta</string>
      </array>
      <key>com.crowdstrike.zta</key>
      <dict>
      <key>description</key>
      <string>File-based EDR integration between Okta Verify and the Crowdstrike Falcon agent</string>
      <key>format</key>
      <string>JWT</string>
      <key>location</key>
      <string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
      <key>name</key>
      <string>com.crowdstrike.zta</string>
      <key>type</key>
      <string>FILE</string>
      </dict>
      </dict>
      </managedAppConfiguration>
      </plist>

    Currently, the description field in the PLIST isn't used. You can use it to show a message to end users about the signals Okta collects and the benefits of this feature.

  5. Go to the Scope tab and assign the configuration profile to the relevant user devices.
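The following checker is an added example, not Okta's or Jamf's code: it parses a managed preference plist with Python's standard plistlib and applies the rules stated above (every name in OktaVerify.Plugins has a dictionary keyed by that name, the name field matches the key, type is FILE, format is JWT, and location is an absolute path). The embedded sample is the CrowdStrike ZTA payload from this page, reconstructed as a plain plist without the Jamf wrapper element; run it with check_files=True on a managed Mac to also confirm the signal file is present.

```python
import os
import plistlib

# Constructed sample: the CrowdStrike ZTA preference from this page, as it would land in
# /Library/Managed Preferences/com.okta.mobile.plist (Jamf wrapper element omitted).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>OktaVerify.Plugins</key><array><string>com.crowdstrike.zta</string></array>
  <key>com.crowdstrike.zta</key><dict>
    <key>name</key><string>com.crowdstrike.zta</string>
    <key>description</key><string>File-based EDR integration between Okta Verify and the Crowdstrike Falcon agent</string>
    <key>location</key><string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
    <key>type</key><string>FILE</string>
    <key>format</key><string>JWT</string>
  </dict>
</dict></plist>
"""

SUPPORTED_TYPES = {"FILE"}    # per the page, only file-based signal sources are supported today
SUPPORTED_FORMATS = {"JWT"}

def validate_plugins(plist_bytes, check_files=False):
    """Return a list of problems; an empty list means the configuration is consistent."""
    config = plistlib.loads(plist_bytes)
    names = config.get("OktaVerify.Plugins")
    if not isinstance(names, list) or not names:
        return ["OktaVerify.Plugins must be a non-empty array of plugin names"]
    problems = []
    for name in names:
        entry = config.get(name)
        if not isinstance(entry, dict):
            problems.append(f"{name}: no dictionary keyed by the plugin name")
            continue
        if entry.get("name") != name:
            problems.append(f"{name}: 'name' must equal the dictionary key")
        if entry.get("type") not in SUPPORTED_TYPES:
            problems.append(f"{name}: unsupported type {entry.get('type')!r}")
        if entry.get("format") not in SUPPORTED_FORMATS:
            problems.append(f"{name}: unsupported format {entry.get('format')!r}")
        location = entry.get("location", "")
        if not location.startswith("/"):
            problems.append(f"{name}: location must be an absolute path")
        elif check_files and not os.path.isfile(location):   # only meaningful on the managed Mac
            problems.append(f"{name}: no signal file at {location}")
    # A dictionary that OktaVerify.Plugins never names is never read: flag it as a likely typo.
    for key in sorted(set(config) - {"OktaVerify.Plugins"} - set(names)):
        problems.append(f"{key}: dictionary not listed in OktaVerify.Plugins")
    return problems
```

Point it at the files under /Library/Managed Preferences after deployment to confirm that what landed on the device matches what you uploaded.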

Verify managed app configuration deployment

There are a few ways to verify that the managed app configuration was deployed successfully to a given device.

Option 1: Check System Preferences

  1. On the macOS device, click the System Preferences icon on the dock and hold it.
  2. Click Profiles.

  3. Under Device (Managed), verify that the profile you created in Jamf Pro is listed. For example, an entry may contain information similar to this:

    • Description: deploy app config to macOS Okta Verify shared container.
    • Signed: JSS Built-In Signing Certificate
    • Installed: April 1, 2021 at 11:55 AM
    • Settings: Custom Settings

Option 2: Look in /Library/Managed Preferences

Make sure to open /Library/Managed Preferences at the root of the volume, not the Library folder inside the user's home directory.

  1. On the macOS device, go to /Library/Managed Preferences.

  2. Verify that the PLIST file is present in these locations:

    • The Managed Preferences folder

    • The User subfolder within Managed Preferences.

Disable the EDR integration plugin

If you want to disable the EDR integration plugin for a particular EDR vendor, remove the EDR-specific entry from the PLIST files and then upload them again to Jamf Pro as described in Start this procedure.

Next steps

Validate your endpoint security integration