Okta Verify configurations for macOS devices
You can use your Mobile Device Management (MDM) solution to deploy Okta Verify configurations to the app's preference domains.
Configuration options enable different aspects of Okta Verify functionality.
Always deploy managed app configurations to both of these preference domains:
- Preference domain 1: com.okta.mobile
- Preference domain 2: com.okta.mobile.auth-service-extension
Configuration options
Use the following keys and values to configure Okta Verify:
OktaVerify.DeviceHealthOptions
Hide the Device Health page or hide specific health checks in Okta Verify on user devices.
If you select multiple values, separate them by a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.
If the value contains Disabled, Okta Verify doesn't display the Device Health page.
No values are set by default, so Okta Verify displays all device health checks on user devices.
| Value [String] | Description |
|---|---|
| Disabled | Hides the device health page and badge. |
| HideOSUpdate | Hides the OS version check. |
| HideDiskEncryption | Hides the disk encryption check. |
| HideBiometrics | Hides the biometrics check. |
| HidePassword | Hides the password check. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.DeviceHealthOptions</key>
<string>HideDiskEncryption;HideBiometrics</string>
</dict>
</plist>
OktaVerify.EnableOSQueryCustomChecks
Specifies whether custom osquery checks can be run on this device.
| Value [Boolean] | Description |
|---|---|
| True | You can run custom checks with osquery on this device. |
| False | Custom checks with osquery are disabled from running on this device. This is the default. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.EnableOSQueryCustomChecks</key>
<true/>
</dict>
</plist>
OktaVerify.EnrollmentOptions
Configure whether users are prompted to enroll in Okta Verify. You can reduce the number of user prompts or control the rollout of Okta Verify and Okta FastPass in your org.
| Value [String] | Description |
|---|---|
| SilentEnrollmentDisabled | Users are prompted to enroll in Okta Verify if they attempt to sign in with Okta FastPass, but don't yet have an Okta Verify account enrolled on their device. This is the default. |
| Enabled | Users are prompted to add an Okta Verify account if the app is running and they try to access a resource that has a registered or managed device condition. |
| Disabled | Users aren't prompted to enroll in Okta Verify unless they open the app and click Add an account. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.EnrollmentOptions</key>
<string>Enabled</string>
</dict>
</plist>
OktaVerify.LaunchOptions
Configure whether Okta Verify shows the accounts list upon launch.
If this option isn't configured, Okta Verify shows the account list upon launch.
| Value [String] | Description |
|---|---|
| HideMainWindow | Hides the accounts list on launch. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.LaunchOptions</key>
<string>HideMainWindow</string>
</dict>
</plist>
OktaVerify.OrgUrl
Pre-populate the org URL so that users don't have to enter this value on the "First, enter your sign-in URL" page.
| Value [String] | Description |
|---|---|
| <your.org.signin.url> | The org sign-in URL. |
This option is available in Okta Verify 2.4.1 and later.
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>atko.okta.com</string>
</dict>
</plist>
OktaVerify.OSQueryAllowedDomains
Defines the orgs that can run custom osquery checks on this device.
| Value [String] | Description |
|---|---|
| {your.org.signin.url} | Semicolon-separated list of organization sign-in URLs. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OSQueryAllowedDomains</key>
<string>my-test-domain.oktapreview.com;my-prod-domain.oktapreview.com</string>
</dict>
</plist>
OktaVerify.OSQueryCustomChecksTimeout
This parameter is optional. You can use this value to customize the osquery timeout value and fine-tune device posture checks.
| Value [String] | Description |
|---|---|
| <time_in_seconds> | Specifies the timeout value in seconds. The default value is 2. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OSQueryCustomChecksTimeout</key>
<string>3</string>
</dict>
</plist>
OktaVerify.Plugins
Enable Okta Verify to collect trust signals from an EDR client that's running on the same macOS device. See Manage endpoint security integration plugins for macOS.
| Value [Array] | Description |
|---|---|
| <com.crowdstrike.zta> | The EDR client. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<managedAppConfiguration>
<dict>
<key>OktaVerify.Plugins</key>
<array>
<string>com.crowdstrike.zta</string>
</array>
<key>com.crowdstrike.zta</key>
<dict>
<key>description</key>
<string>File-based EDR integration between Okta Verify and the CrowdStrike Falcon agent.</string>
<key>format</key>
<string>JWT</string>
<key>location</key>
<string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
<key>name</key>
<string>com.crowdstrike.zta</string>
<key>type</key>
<string>FILE</string>
</dict>
</dict>
</managedAppConfiguration>
</plist>
OktaVerify.ReportDiagnostics
Configure whether Okta Verify diagnostic and crash information is shared with Okta.
If this option isn't configured, end users can set this value on their app. See Share diagnostic information with Okta from your macOS device.
| Value [Boolean] | Description |
|---|---|
| True | Diagnostic and crash information is shared with Okta. |
| False | Diagnostic and crash information isn't shared with Okta. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
</dict>
</plist>
OktaVerify.UserVerificationEnrollment
Configure the user verification enrollment behavior for Okta Verify. If this option isn't configured, the server configuration determines the enrollment behavior.
The user verification enrollment setting on the Okta Verify client app controls the app's enrollment behavior, but the enrollment policy that's configured on your org can enforce a minimum requirement.
If you set the user verification level on your org to Required, then a client that's set to Deferred, Disabled, or Preferred doesn't satisfy that requirement and enrollment is denied.
| Value [String] | Description |
|---|---|
| Disabled | Users aren't prompted to set up user verification during enrollment. The option to enable user verification in the Accounts page isn't available in the Okta Verify app. |
| Deferred | Okta Verify skips the user verification enrollment page. Users can enable user verification later through the Accounts page in the Okta Verify app. |
| Preferred | Okta Verify prompts users to enroll in user verification, but they can click Not now to skip. |
| Required | Users must enroll in user verification and can't remove it afterward. |
| RequiredBiometric | Users must enroll in user verification using Touch ID and can't remove it afterward. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.UserVerificationEnrollment</key>
<string>Required</string>
</dict>
</plist>
OktaVerify.UserPrincipalName
The OktaVerify.UserPrincipalName value is used to populate a username during user-driven enrollment flows.
| Value [String] | Description |
|---|---|
| $USERNAME: Jamf Pro | A wild-card variable provided by your MDM provider that resolves to a valid Okta username. |
Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>https://customerorg.okta.com</string>
<key>OktaVerify.UserPrincipalName</key>
<string>$USERNAME</string>
</dict>
</plist>
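A pre-deployment check for a payload built from the options above, given here as an added example that is not Okta's own tooling. The function name `lint` and the `org_requires_uv` flag are hypothetical, and the rule that each plugin listed in OktaVerify.Plugins needs a settings dict of the same name is inferred from the example on this page.

```python
import plistlib

# Allowed values transcribed from the tables on this page.
HEALTH = {"Disabled", "HideOSUpdate", "HideDiskEncryption", "HideBiometrics", "HidePassword"}
ENUMS = {
    "OktaVerify.EnrollmentOptions": {"SilentEnrollmentDisabled", "Enabled", "Disabled"},
    "OktaVerify.LaunchOptions": {"HideMainWindow"},
    "OktaVerify.UserVerificationEnrollment": {
        "Disabled", "Deferred", "Preferred", "Required", "RequiredBiometric"},
}
BOOLS = {"OktaVerify.EnableOSQueryCustomChecks", "OktaVerify.ReportDiagnostics"}
FREE_TEXT = {"OktaVerify.OrgUrl", "OktaVerify.OSQueryAllowedDomains",
             "OktaVerify.UserPrincipalName", "OktaVerify.OSQueryCustomChecksTimeout"}
KNOWN = ENUMS.keys() | BOOLS | FREE_TEXT | {"OktaVerify.Plugins"}

def lint(plist_bytes, org_requires_uv=False):
    """Return findings for one payload; org_requires_uv is supplied by the reviewer."""
    cfg = plistlib.loads(plist_bytes)
    plugins = cfg.get("OktaVerify.Plugins", [])
    out = []
    for key, val in cfg.items():
        if key == "OktaVerify.DeviceHealthOptions":
            bad = [t for t in str(val).split(";") if t and t not in HEALTH]
            out += [f"{key}: unknown value {t!r}" for t in bad]
        elif key in ENUMS and val not in ENUMS[key]:
            out.append(f"{key}: unknown value {val!r}")
        elif key in BOOLS and not isinstance(val, bool):
            out.append(f"{key}: expected <true/> or <false/>, got {type(val).__name__}")
        elif key not in KNOWN | set(plugins):
            out.append(f"{key}: not a key documented on this page")
    for name in plugins:  # assumption: each listed plugin carries its own dict
        if not isinstance(cfg.get(name), dict):
            out.append(f"OktaVerify.Plugins: {name!r} has no settings dict")
    uv = cfg.get("OktaVerify.UserVerificationEnrollment")
    if org_requires_uv and uv in {"Deferred", "Disabled", "Preferred"}:
        out.append(f"OktaVerify.UserVerificationEnrollment: {uv} does not satisfy "
                   "an org level of Required; enrollment is denied")
    return out

# Constructed sample: comma instead of semicolon, a string where a Boolean belongs.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>OktaVerify.DeviceHealthOptions</key><string>HideDiskEncryption,HideBiometrics</string>
<key>OktaVerify.EnableOSQueryCustomChecks</key><string>true</string>
<key>OktaVerify.UserVerificationEnrollment</key><string>Preferred</string>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, org_requires_uv=True)))
```

Run it against the payload for each of the two preference domains before deployment.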
