Managed app configurations for macOS devices

You can use your device management solution to deploy managed app configurations to domains. The managed app configurations allow you to enable functionality that is built into macOS Okta Verify.

Always deploy managed app configurations to both of these preference domains:

Preference domain 1: com.okta.mobile
Preference domain 2: com.okta.mobile.auth-service-extension

Use the examples in this table to help you configure your managed app configurations:

Key	Value	Description
DeviceHealthOptions	Type: String By default (not set), all device health check functions are displayed in Okta Verify on end-user devices. Disabled: Hides the device health screen and badge. HideOSUpdate: Hides the OS version check in Okta Verify on end-user devices. HideDiskEncryption: Hides the disk encryption check in Okta Verify on end-user devices. HideBiometrics: Hides the biometrics check in Okta Verify on end-user devices. HidePassword: Hides the password check in Okta Verify on end-user devices.	Hide the Device Health page, or hide specific health checks in Okta Verify on end-user devices. You can select multiple values. Separate the values by using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown. If the value contains Disabled, the Device Health page isn't displayed in Okta Verify. Example: Copy `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>DeviceHealthOptions</key> <string>HideDiskEncryption;HideBiometrics</string> </dict> </plist>`
OktaVerify.EnrollmentOptions	SilentEnrollmentEnabled Type: String	Automatically launch the Okta Verify enrollment flow for unregistered users By default, if users are not enrolled in Okta Verify (unregistered), they are not automatically placed in the enrollment flow when they attempt to access resources that are protected by Okta Verify authentication. To launch the enrollment process, users need to click Sign in with Okta Verify. This feature configures Okta Verify to automatically launch the enrollment flow for unregistered users, so that they are not prompted to click Sign in with Okta Verify. Example: Copy `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.EnrollmentOptions</key> <string>SilentEnrollmentEnabled</string> </dict> </plist>`
OktaVerify.OrgUrl	<org_sign-in_URL> Type: String	Pre-populate the org URL Enables admins to pre-populate the First, enter your sign-in URL screen with a sign-in URL, so end users do not need to enter it. This is available for macOS Okta Verify v2.4.1 and later. Example: Copy `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.OrgUrl</key> <string>acme.okta.com</string> </dict> </plist>`
OktaVerify.Plugins	com.crowdstrike.zta Type: String	Enable EDR plugin for macOS Okta Verify Enables macOS Okta Verify to collect trust signals from the EDR client that is running on the same macOS device. See Manage endpoint security integration plugins for macOS. Example: Copy `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.Plugins</key> <string>com.crowdstrike.zta</string> </dict> </plist>`
OktaVerify.ReportDiagnostics	true or false Type: Boolean	Configure whether to report diagnostic information Enables admins to configure whether Okta Verify diagnostic and crash information is shared with Okta. If not configured, end users can set this value on their app. See Share diagnostic information with Okta from your macOS device. Example: Copy `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>OktaVerify.ReportDiagnostics</key> <bool>true</bool> </dict> </plist>`

Key

Value

Description

DeviceHealthOptions

Type: String

By default (not set), all device health check functions are displayed in Okta Verify on end-user devices.

Disabled: Hides the device health screen and badge.

HideOSUpdate: Hides the OS version check in Okta Verify on end-user devices.

HideDiskEncryption: Hides the disk encryption check in Okta Verify on end-user devices.

HideBiometrics: Hides the biometrics check in Okta Verify on end-user devices.

HidePassword: Hides the password check in Okta Verify on end-user devices.

Hide the Device Health page, or hide specific health checks in Okta Verify on end-user devices.

You can select multiple values. Separate the values by using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.

If the value contains Disabled, the Device Health page isn't displayed in Okta Verify.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeviceHealthOptions</key>
<string>HideDiskEncryption;HideBiometrics</string>
</dict>
</plist>

OktaVerify.EnrollmentOptions

SilentEnrollmentEnabled

Type: String

Automatically launch the Okta Verify enrollment flow for unregistered users

By default, if users are not enrolled in Okta Verify (unregistered), they are not automatically placed in the enrollment flow when they attempt to access resources that are protected by Okta Verify authentication. To launch the enrollment process, users need to click Sign in with Okta Verify.

This feature configures Okta Verify to automatically launch the enrollment flow for unregistered users, so that they are not prompted to click Sign in with Okta Verify.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.EnrollmentOptions</key>
<string>SilentEnrollmentEnabled</string>
</dict>
</plist>

OktaVerify.OrgUrl

<org_sign-in_URL>

Type: String

Pre-populate the org URL

Enables admins to pre-populate the First, enter your sign-in URL screen with a sign-in URL, so end users do not need to enter it.

This is available for macOS Okta Verify v2.4.1 and later.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>acme.okta.com</string>
</dict>
</plist>

OktaVerify.Plugins

com.crowdstrike.zta

Type: String

Enable EDR plugin for macOS Okta Verify

Enables macOS Okta Verify to collect trust signals from the EDR client that is running on the same macOS device.

See Manage endpoint security integration plugins for macOS.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.Plugins</key>
<string>com.crowdstrike.zta</string>
</dict>
</plist>

OktaVerify.ReportDiagnostics

true or false

Type: Boolean

Configure whether to report diagnostic information

Enables admins to configure whether Okta Verify diagnostic and crash information is shared with Okta. If not configured, end users can set this value on their app.

See Share diagnostic information with Okta from your macOS device.

Example:

Copy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.ReportDiagnostics</key>
<bool>true</bool>
</dict>
</plist>