Manage endpoint security integration plugins for Windows

Endpoint security integration plugins extend the functionality of the Okta endpoint security integration feature by enabling Okta Verify to collect trust signals from the Windows device where it's running.

You can use a mobile device management (MDM) tool to configure the plugins on your Windows device (for example, by using PowerShell scripts). You can run these scripts to install and uninstall the plugins on a device-by-device basis. This allows you to specify which device signals to collect.

On Windows devices, these plugins are in the %PROGRAMDATA%\Okta\OktaVerify\Plugins folder.

Before you begin

Install the WSC endpoint security integration plugin

By default, the Windows Security Center (WSC) plugin is installed automatically when Okta Verify is installed.

If you need to reinstall the plugin later for any reason, uninstall the current version, and then use this script.

$content = "{`r`n`t`"name`": `"com.okta.windowsSecurityCenter`",`r`n`t`"description`": `"Okta provided integration collecting signals through the Windows Security Center APIs.`",`r`n`t`"type`": `"DEFAULT`",`r`n`t`"format`": `"JSON`",`r`n`t`"availabilityChecks`": [`r`n`t`t{`r`n`t`t`t`"type`": `"SERVICE_RUNNING`",`r`n`t`t`t`"value`": `"wscsvc`"`r`n`t`t}`r`n`t]`r`n}"
$path = $env:ProgramData + "\Okta\OktaVerify\Plugins\"
$filePath = $path + "com.okta.windowsSecurityCenter.json"
# Create the Plugins folder if it doesn't exist yet
if (-not (Test-Path $path))
{
    New-Item $path -ItemType Directory
}
# Write the plugin manifest where Okta Verify looks for it
$content | Out-File -FilePath $filePath

The PowerShell script writes the following JSON plugin file:

{
    "name": "com.okta.windowsSecurityCenter",
    "description": "Okta provided integration collecting signals through the Windows Security Center APIs.",
    "type": "DEFAULT",
    "format": "JSON",
    "availabilityChecks": [
        {
            "type": "SERVICE_RUNNING",
            "value": "wscsvc"
        }
    ]
}

Install the CrowdStrike endpoint security integration plugin

The CrowdStrike plugin isn't installed automatically when Okta Verify is installed. Based on your installation scenario, uninstall the current version if one exists, and then follow the appropriate installation procedure:

Deploying Okta Verify to Windows devices

Don't use the PowerShell script in this scenario. Instead, use the command line provided by your management tool (GPO, MDM software) to include the EnableZTAPlugin flag in the installation command.

See Deploy Okta Verify to Windows devices for installation options.

All other deployment scenarios

Other scenarios may include:

  • The end user installed Okta Verify on their device, rather than an admin through a management tool.
  • You want to enable or disable functionality after Okta Verify is already installed on the device.

Use the following PowerShell script:

$content = "{`r`n`t`"name`": `"com.crowdstrike.zta`",`r`n`t`"description`": `"Okta provided integration with CrowdStrike Falcon endpoint collecting the zta score.`",`r`n`t`"type`": `"FILE`",`r`n`t`"format`": `"JWT`",`r`n`t`"location`": `"%ProgramData%\\CrowdStrike\\ZeroTrustAssessment\\data.zta`",`r`n`t`"availabilityChecks`": [`r`n`t`t{`r`n`t`t`t`"type`": `"SERVICE_RUNNING`",`r`n`t`t`t`"value`": `"csagent`"`r`n`t`t}`r`n`t]`r`n}"
$path = $env:ProgramData + "\Okta\OktaVerify\Plugins\"
$filePath = $path + "com.crowdstrike.zta.json"
# Create the Plugins folder if it doesn't exist yet
if (-not (Test-Path $path))
{
    New-Item $path -ItemType Directory
}
# Write the plugin manifest (UTF-8 without a byte order mark)
[System.IO.File]::WriteAllText($filePath, $content)

The PowerShell script produces the JSON plugin file:

{
    "name": "com.crowdstrike.zta",
    "description": "Okta provided integration with CrowdStrike Falcon endpoint collecting the zta score.",
    "type": "FILE",
    "format": "JWT",
    "location": "%ProgramData%\\CrowdStrike\\ZeroTrustAssessment\\data.zta",
    "availabilityChecks": [
        {
            "type": "SERVICE_RUNNING",
            "value": "csagent"
        }
    ]
}
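The following PowerShell audit is an added example, not part of the Okta documentation. It reads every manifest in the Plugins folder and reports whether each plugin's availabilityChecks (SERVICE_RUNNING) and, for FILE plugins, the signal file at location are currently satisfied on the device, so you can confirm a plugin can actually deliver a signal before depending on it in policy. It assumes only the folder and manifest fields shown on this page; the function name Test-OktaPluginManifest is chosen here.

```powershell
# Added example (not Okta's code): audit installed Okta Verify plugin manifests.
$pluginDir = Join-Path $env:ProgramData 'Okta\OktaVerify\Plugins'

function Test-OktaPluginManifest {
    param([Parameter(Mandatory)][string]$Path)

    $m = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $result = [ordered]@{
        Manifest = Split-Path $Path -Leaf
        Name     = $m.name
        Type     = $m.type
        Format   = $m.format
        Issues   = @()
    }

    # Every SERVICE_RUNNING check must name a service that exists and is running.
    foreach ($check in $m.availabilityChecks) {
        if ($check.type -ne 'SERVICE_RUNNING') {
            $result.Issues += "unknown check type '$($check.type)'"
            continue
        }
        $svc = Get-Service -Name $check.value -ErrorAction SilentlyContinue
        if (-not $svc) {
            $result.Issues += "service '$($check.value)' not found"
        } elseif ($svc.Status -ne 'Running') {
            $result.Issues += "service '$($check.value)' is $($svc.Status)"
        }
    }

    # FILE plugins read a signal file; expand %VAR% references and confirm it exists.
    if ($m.type -eq 'FILE') {
        $location = [Environment]::ExpandEnvironmentVariables($m.location)
        if (-not (Test-Path -LiteralPath $location)) {
            $result.Issues += "signal file missing: $location"
        }
    }

    $result.Ready = ($result.Issues.Count -eq 0)
    [pscustomobject]$result
}

if (-not (Test-Path $pluginDir)) {
    Write-Warning "Plugin folder not found: $pluginDir"
} else {
    Get-ChildItem -Path $pluginDir -Filter '*.json' |
        ForEach-Object { Test-OktaPluginManifest -Path $_.FullName } |
        Format-Table Manifest, Type, Ready, @{ n = 'Issues'; e = { $_.Issues -join '; ' } } -AutoSize
}
```

A plugin that shows Ready = False will be present on disk but unable to supply its signal, which is the condition to look for when a device unexpectedly fails an endpoint security policy check.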

Install the osquery integration plugin

The osquery integration plugin is needed for the advanced posture checks feature. This plugin isn't installed automatically when Okta Verify is installed.

The plugin requires the EnableOSQueryCustomChecks configuration value to be set along with a plugin manifest file containing a list of allowed domains. See EnableOSQueryCustomChecks in Okta Verify configurations for Windows devices.

Use the following PowerShell script to produce the manifest file:

$manifest = [ordered]@{
    name           = "com.okta.device.osquery"
    description    = "Okta provided integration collecting signals through osquery."
    type           = "com.okta.device.osquery"
    format         = "JSON"
    timeout        = 10000
    allowedDomains = @("okta.okta.com", "okta.example.com") # Replace with your allowed domains
}
$path = "$env:ProgramData\Okta\OktaVerify\Plugins\"
$filePath = $path + "com.okta.device.osquery.json"
# Create the Plugins folder if it doesn't exist yet
if (-not (Test-Path $path))
{
    New-Item $path -ItemType Directory
}
$content = $manifest | ConvertTo-Json
# Write the manifest as UTF-8 without a byte order mark
$utf8 = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($filePath, $content, $utf8)

Example manifest file:

{
    "name": "com.okta.device.osquery",
    "description": "Okta provided integration collecting signals through osquery.",
    "type": "com.okta.device.osquery",
    "format": "JSON",
    "timeout": 10000,
    "allowedDomains": [
        "okta.okta.com",
        "okta.example.com"
    ]
}
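As an added example (not Okta's script), the function below builds the osquery manifest from a list of domains, rejects any value that isn't a bare host name (a pasted URL or a value with a port or path would silently produce a manifest that never matches), writes the file as UTF-8 without a BOM as the page's script does, and reads it back to confirm it parses. The function name New-OktaOsqueryManifest and the host-name pattern are assumptions of this example; the sample domains are constructed.

```powershell
# Added example (not Okta's code): generate and verify the osquery plugin manifest.
function New-OktaOsqueryManifest {
    param(
        [Parameter(Mandatory)][string[]]$AllowedDomains,
        [int]$TimeoutMs = 10000,
        [string]$PluginDir = (Join-Path $env:ProgramData 'Okta\OktaVerify\Plugins')
    )

    # Bare host names only: a scheme, port, path or whitespace means a URL was pasted.
    $hostPattern = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $bad = $AllowedDomains | Where-Object { $_ -notmatch $hostPattern }
    if ($bad) { throw "Not a bare host name: $($bad -join ', ')" }

    $manifest = [ordered]@{
        name           = 'com.okta.device.osquery'
        description    = 'Okta provided integration collecting signals through osquery.'
        type           = 'com.okta.device.osquery'
        format         = 'JSON'
        timeout        = $TimeoutMs
        allowedDomains = @($AllowedDomains | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    }

    if (-not (Test-Path $PluginDir)) { New-Item $PluginDir -ItemType Directory | Out-Null }
    $filePath = Join-Path $PluginDir 'com.okta.device.osquery.json'
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($filePath, ($manifest | ConvertTo-Json), $utf8NoBom)

    # Verify: no UTF-8 BOM at the start of the file, and the parsed list matches what was written.
    $bytes = [System.IO.File]::ReadAllBytes($filePath)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        throw "Unexpected UTF-8 BOM in $filePath"
    }
    $parsed = Get-Content -LiteralPath $filePath -Raw | ConvertFrom-Json
    if (@($parsed.allowedDomains).Count -ne $manifest.allowedDomains.Count) {
        throw "Round-trip mismatch in $filePath"
    }
    $filePath
}

# Constructed sample values; replace with your org's domains.
New-OktaOsqueryManifest -AllowedDomains 'okta.okta.com', 'okta.example.com'
```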

Uninstall an endpoint security integration plugin

Always uninstall the current endpoint security integration plugin before installing a new version.

To uninstall an endpoint security integration plugin from Windows computers for any reason, use the following PowerShell script.

$path = $env:ProgramData + "\Okta\OktaVerify\Plugins\[JSON_FILE_NAME]"
# Remove the plugin manifest only if it exists
if (Test-Path $path)
{
    Remove-Item -Path $path
}

Replace [JSON_FILE_NAME] in the PowerShell script with the applicable JSON file:

  • Windows Security Center: com.okta.windowsSecurityCenter.json
  • CrowdStrike: com.crowdstrike.zta.json
  • osquery: com.okta.device.osquery.json

Next steps