Okta Verify configurations for macOS devices
You can use your device management solution (MDM) to deploy Okta Verify configurations to domains. The configurations enable Okta Verify functionality.
Always deploy managed app configurations to both of these preference domains:
- Preference domain 1: com.okta.mobile
- Preference domain 2: com.okta.mobile.auth-service-extension
Use the following keys and values to configure Okta Verify:
OktaVerify.DeviceHealthOptions
Hide the Device Health page, or hide specific health checks in Okta Verify on user devices. If you select multiple values, separate them by a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.
If the value contains Disabled, the Device Health page isn't displayed in Okta Verify.
By default (when no values are set), all device health checks are displayed in Okta Verify on user devices.
Values (strings):
Disabled: Hides the device health page and badge.
HideOSUpdate: Hides the OS version check.
HideDiskEncryption: Hides the disk encryption check.
HideBiometrics: Hides the biometrics check.
HidePassword: Hides the password check.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.DeviceHealthOptions</key>
<string>HideDiskEncryption;HideBiometrics</string>
</dict>
</plist>OktaVerify.EnableOSQueryCustomChecks
Specifies whether custom OSQuery checks can be run on this device.
Values (boolean):
True: You can run custom checks with OSQuery on this device.
False (Default): Custom checks with OSQuery are disabled from running on this device.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.EnableOSQueryCustomChecks</key>
<true/>
</dict>
</plist>
OktaVerify.OSQueryAllowedDomains
Defines the organizations that can run custom OSQuery checks on this device.
Value (string): Semi-colon-separated list of organization sign-in URLs
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OSQueryAllowedDomains</key>
<string>my-test-domain.oktapreview.com;my-prod-domain.oktapreview.com</string>
</dict>
</plist>
OktaVerify.EnrollmentOptions
Configure whether users are prompted to enroll in Okta Verify. You can reduce the number of user prompts or control the rollout of Okta Verify and Okta FastPass in your org.
Values (strings):
SilentEnrollmentDisabled: Default. Users who aren't enrolled in Okta Verify (not registered) are prompted to add an Okta Verify account when they attempt to access resources protected by Okta and click Sign in with Okta FastPass.
Enabled: Users are always prompted to add an Okta Verify account.
Disabled: Users are never prompted to enroll in Okta Verify unless they open the app and click Add an account.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.EnrollmentOptions</key>
<string>Enabled</string>
</dict>
</plist>OktaVerify.OrgUrl
Pre-populate the org URL so that users don't have to enter this value on the First, enter your sign-in URL page. This option is available for macOS Okta Verify 2.4.1 and later.
Value (string): <org_sign-in_URL>
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.OrgUrl</key>
<string>acme.okta.com</string>
</dict>
</plist>OktaVerify.Plugins
Enable macOS Okta Verify to collect trust signals from the EDR client that is running on the same macOS device. See Manage endpoint security integration plugins for macOS.
Value (array): com.crowdstrike.zta
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<managedAppConfiguration>
<dict>
<key>OktaVerify.Plugins</key>
<array>
<string>com.crowdstrike.zta</string>
</array>
<key>com.crowdstrike.zta</key>
<dict>
<key>description</key>
<string>File-based EDR integration between Okta Verify and the Crowdstrike Falcon agent.</string>
<key>format</key>
<string>JWT</string>
<key>location</key>
<string>/Library/Application Support/Crowdstrike/ZeroTrustAssessment/data.zta</string>
<key>name</key>
<string>com.crowdstrike.zta</string>
<key>type</key>
<string>FILE</string>
</dict>
</dict>
</managedAppConfiguration>
</plist>OktaVerify.ReportDiagnostics
Configure whether Okta Verify diagnostic and crash information is shared with Okta. If not configured, end users can set this value on their app. See Share diagnostic information with Okta from your macOS device.
Value (boolean): true or false
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.ReportDiagnostics</key>
<true/>
</dict>
</plist>
OktaVerify.LaunchOptions
Configure whether Okta Verify shows the accounts list upon launch. If not configured, Okta Verify shows the account list upon launch.
Value (string): HideMainWindow
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OktaVerify.LaunchOptions</key>
<string>HideMainWindow</string>
</dict>
</plist>