Configure Okta as a CA with delegated SCEP challenge for macOS using MEM (formerly Intune)

Configure a certificate authority (CA) to issue client certificates to your targeted macOS devices. This procedure describes how to create a Simple Certificate Enrollment Protocol (SCEP) profile in Microsoft Endpoint Manager (MEM) and generate a SCEP URL in Okta.

Prerequisites

  • Certificates issued by this procedure are used for digital signature only, not for other purposes (for example, encryption)
  • Okta Admin Console
  • Microsoft Endpoint Manager (MEM)
  • Microsoft Endpoint Manager (MEM) is a solution platform that unifies several services, including Microsoft Intune for cloud-based device management, Configuration Manager for on-premises device management, co-management, Desktop Analytics, Windows Autopilot, Azure Active Directory, and the Endpoint Manager admin center. You can use this procedure with any of these services, for example with Microsoft Intune alone.

  • Microsoft Azure

Start this Procedure

Task 1: Download the x509 certificate from Okta

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. Click the Certificate authority tab.
  3. In the Actions column for Okta CA, click the Download x509 certificate icon.
  4. Rename the downloaded file so that it has a .cer extension. You will upload this CER file to Microsoft Endpoint Manager (MEM) in Task 2.

Task 2: Create a Trusted Certificate profile in MEM

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.
  2. Click Configuration profiles.
  3. Click + Create profile.
  4. In Create a profile, do the following:
    1. Platform: Select macOS.
    2. Profile type: Select Templates.
    3. In the Template name section, click Trusted certificate.
    4. Click Create.
  5. On the Trusted certificate page Basics tab, do the following:
    1. Name: Enter a name for the profile.
    2. Description: Optional. Enter a description for the profile.
    3. Click Next.
  6. On the Trusted certificate page Configuration settings tab, do the following:
    1. Certificate file: Select the x509 certificate (CER file) that you downloaded from Okta in Task 1.
    2. Destination store: Select Computer certificate store - Intermediate.
    3. Click Next.
  7. On the Trusted certificate page Assignments tab, do the following:
    1. Included groups: Assign the trusted certificate profile to one or more user groups. Use the same group(s) that you will assign the SCEP profile to in Task 5; the two profiles must be assigned identically.
    2. Click Next.
  8. On the Trusted certificate page Applicability rules tab, do the following:
    1. Configure any required rules.
    2. Click Next.
  9. On the Trusted certificate page Review + create tab, review the configuration, and then click Create.

Task 3: Register the AAD app credentials for Okta in Microsoft Azure

  1. In the Microsoft Azure portal, go to Azure Active Directory > App registrations.
  2. Click + New registration.
  3. On the Register an application page, enter the following:
    1. Name: Enter a meaningful name for the application.
    2. Supported account types: Select the appropriate supported account type. Okta tested with Accounts in this organizational directory only ([Your_Tenant_Name] only - Single tenant) selected.
    3. Redirect URI (optional): Leave blank, or select Web, and then enter a redirect URI.
    4. Click Register.
  4. On the app page under Essentials, copy and make a note of the Application (client) ID.
  5. You will paste this value in the Okta Admin Console in Task 4.

  6. Add a client secret:
    1. In the left pane, click Certificates & secrets.
    2. Under Client secrets, click + New client secret.
    3. In the Add a client secret section, enter the following:
      • Description: Optional. Enter a description for the client secret.
      • Expires: Select an expiration time period. Record the expiration date: Okta uses this secret to authenticate to Intune when it validates SCEP challenges, so you must create a new secret and update it in Okta before this one expires.
    4. Click Add.
    5. The secret appears under Client secrets. Copy and make a note of the Value. It is shown only once; after you leave the page the value cannot be retrieved, and you must create a new secret instead.

  7. Set the Intune scep_challenge_provider permissions:
    1. In the left pane, click API permissions.
    2. Click + Add a permission.
    3. In the Request API permissions section, scroll down, and then click Intune.
    4. Under What type of permissions does your application require?, click Application permissions. Application permissions are exercised by the app itself with no signed-in user, so grant only the permissions this procedure lists.
    5. In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.
    6. Click Add permissions.
    7. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    8. Click Yes in the message that appears.
  8. Set the Microsoft Graph Application.Read.All permissions:

    1. Click + Add a permission.
    2. In the Request API permissions section, click Microsoft Graph.
    3. Under What type of permissions does your application require? click Application permissions.
    4. In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.
    5. Click Add permissions.
    6. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    7. Click Yes in the message that appears.

Task 4: Configure management attestation and generate a SCEP URL in Okta

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. Click the Endpoint management tab.
  3. Click Add platform.

    If you add more than one configuration for the same type of platform, see this known issue.

  4. Select Desktop (Windows and macOS only).
  5. Click Next.
  6. Configure the following:
    1. Certificate authority: Select Use Okta as certificate authority.
    2. SCEP URL challenge type: Select Dynamic SCEP URL, and then select Microsoft Intune (delegated SCEP).
    3. Enter the values that you copied from Microsoft Azure into the following fields. Okta uses these credentials to call Intune and validate the SCEP challenge in each enrollment request, so update them here whenever you rotate the client secret in Azure:
      • AAD client ID: Enter the Application (client) ID you copied in Task 3.
      • AAD tenant: Enter your AAD tenant name followed by .onMicrosoft.com (for example, yourtenant.onmicrosoft.com).
      • AAD secret: Enter the client secret Value you copied in Task 3.

  7. Click Generate.
  8. Copy and save the Okta SCEP URL. You will paste the URL in Microsoft Endpoint Manager in Task 5.
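Before pasting the client ID, tenant, and secret into Okta, it is worth confirming from a workstation that the app registration from Task 3 actually issues app-only tokens carrying the roles that were granted with admin consent. The script below is an added example, not Okta's or Microsoft's code. It assumes the Microsoft Intune API is addressed by the scope https://api.manage.microsoft.com/.default and Microsoft Graph by https://graph.microsoft.com/.default, and it reads the client secret from an environment variable named AAD_CLIENT_SECRET (a name chosen for this example). The token payload is decoded without signature verification, which is fine for inspecting a token you just obtained but must never be used to trust one.

```python
#!/usr/bin/env python3
"""Check that the Task 3 app registration yields app-only tokens with the
required roles.  Added example, not Okta or Microsoft code.

Usage: AAD_CLIENT_SECRET=... python3 check_aad_app.py <tenant>.onmicrosoft.com <client-id>
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Scope -> app roles that Task 3 granted with admin consent.  The scope URIs
# for the Intune API and Microsoft Graph are assumptions of this example.
REQUIRED = {
    "https://api.manage.microsoft.com/.default": {"scep_challenge_provider"},
    "https://graph.microsoft.com/.default": {"Application.Read.All"},
}


def token_endpoint(tenant: str) -> str:
    """v2.0 token endpoint; `tenant` is the same value entered as AAD tenant in Okta."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def request_token(tenant: str, client_id: str, client_secret: str, scope: str) -> str:
    """OAuth 2.0 client-credentials grant: app-only, no signed-in user."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(token_endpoint(tenant), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required: set) -> set:
    """Application permissions granted with admin consent appear in the 'roles' claim."""
    return set(required) - set(claims.get("roles", []))


def unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string (alg=none) so jwt_claims can be
    exercised offline with constructed claims; never send such a token anywhere."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return header + "." + _b64url_encode(claims) + "."


def check_app(tenant: str, client_id: str, client_secret: str) -> dict:
    """Return {scope: set of missing roles}; an empty set means that scope is ready."""
    result = {}
    for scope, roles in REQUIRED.items():
        try:
            claims = jwt_claims(request_token(tenant, client_id, client_secret, scope))
        except urllib.error.HTTPError as exc:
            # Wrong secret, expired secret or consent not granted: show the AAD error body.
            print(f"{scope}: token request failed: {exc.read().decode()}", file=sys.stderr)
            result[scope] = set(roles)
            continue
        result[scope] = missing_roles(claims, roles)
    return result


if __name__ == "__main__":
    tenant, client_id = sys.argv[1], sys.argv[2]
    problems = check_app(tenant, client_id, os.environ["AAD_CLIENT_SECRET"])
    for scope, missing in problems.items():
        status = "OK" if not missing else "missing roles " + ", ".join(sorted(missing))
        print(f"{scope}: {status}")
    sys.exit(1 if any(problems.values()) else 0)
```

A token request that fails outright usually means a wrong or expired secret; a token that comes back without the role means the permission was added but admin consent was not granted.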

Task 5: Create a SCEP profile in MEM

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.
  2. Click Configuration profiles.
  3. Click + Create profile.
  4. In Create a profile, enter the following:
    1. Platform: Select macOS.
    2. Profile type: Select Templates.
    3. Under Template name, click SCEP certificate.
    4. Click Create.
  5. On the SCEP certificate page Basics tab, do the following:
    1. Name: Enter a name for the profile.
    2. Description: Optional. Enter a description for the profile.
    3. Click Next.

  6. On the SCEP certificate page Configuration settings tab, do the following:
    1. Certificate type: Select User.
    2. Subject name format: Enter a subject name, for example CN={{UserPrincipalName}} managementAttestation {{DeviceId}}. Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, include the profile variables provided by MEM for the device ID (UDID) and the user identifier, so that each issued certificate can be traced back to a device and a user. For a list of supported variables, see the MEM document Use SCEP certificate profiles with Microsoft Intune.
    3. Certificate validity period: Select Years in the list, and then enter 1 in the next field.
    4. Key usage: Select Digital signature.
    5. Key size (bits): Select 2048.
    6. Click + Root Certificate, select the trusted certificate profile that you created in Task 2, and then click OK.
    7. Under Extended key usage, set Predefined values to Client Authentication.
    8. SCEP Server URLs: Enter the Okta SCEP URL you generated in Task 4.
    9. Allow all apps access to private key: Select Enable. Applications on the device must be able to use the private key to present the certificate to Okta; Task 6 verifies this setting on the device.
    10. Click Next.

  7. On the SCEP certificate page Assignments tab, do the following:
    1. Assign the SCEP certificate profile to the same user group(s) to which you assigned the Trusted certificate profile in Task 2; the two profiles must be assigned identically.
    2. Click Next.
  8. On the SCEP certificate page Review + create tab, review the configuration, and then click Create.

Task 6: Verify that the SCEP certificate was installed on your macOS devices

  1. On a macOS device managed by MEM, open Keychain Access and select the login keychain.
  2. Verify that the client certificate issued through the SCEP profile exists together with its private key, and that the certificate's issuer is the Okta CA.
  3. Make sure the private key is accessible to all applications:
    1. Double-click the private key.
    2. Click the Access Control tab.
    3. Select Allow all applications to access this item.
    4. Click Save Changes.
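To verify a fleet rather than one Mac by hand, the same check can be scripted with the macOS security and openssl command-line tools, for instance from a MEM shell script. The script below is an added example, not Okta's or Microsoft's code. It assumes the SCEP profile subject from Task 5 contains the literal managementAttestation, that the certificate landed in the user's login keychain (~/Library/Keychains/login.keychain-db), and that the Okta CA's issuer name contains the word Okta; all three are assumptions of the example and are easy to adjust. The security calls mirror what Keychain Access shows, and the openssl summary confirms the issuer and that the certificate has not expired.

```python
#!/usr/bin/env python3
"""List the SCEP-issued identities in the login keychain and check issuer and expiry.
Added example, not Okta or Microsoft code.  Run on the macOS device: python3 check_scep_cert.py
"""
import os
import re
import subprocess
import sys

MARKER = "managementAttestation"   # assumed: literal from the Task 5 subject-name template
KEYCHAIN = os.path.expanduser("~/Library/Keychains/login.keychain-db")
OKTA_ISSUER_HINT = "Okta"          # assumed: the Okta CA issuer name contains this word

# One line per identity in `security find-identity` output:  '  1) <SHA-1 hex> "<name>"'
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"\s*$')


def parse_identities(listing: str, marker: str = MARKER) -> list:
    """Return unique (sha1_hex, name) pairs whose name contains `marker`."""
    found = {}
    for line in listing.splitlines():
        m = IDENTITY_RE.match(line)
        if m and marker in m.group(2):
            found.setdefault(m.group(1).upper(), m.group(2))
    return sorted(found.items())


def parse_x509_summary(text: str) -> dict:
    """Parse the 'key=value' lines printed by `openssl x509 -subject -issuer -enddate`."""
    summary = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            summary[key.strip()] = value.strip()
    return summary


def assess(summary: dict, expired: bool, issuer_hint: str = OKTA_ISSUER_HINT) -> list:
    """Return a list of problems; an empty list means the certificate looks right."""
    problems = []
    if issuer_hint not in summary.get("issuer", ""):
        problems.append(f"issuer is not the Okta CA: {summary.get('issuer')}")
    if expired:
        problems.append(f"certificate expired at {summary.get('notAfter')}")
    return problems


def valid_identities(keychain: str = KEYCHAIN) -> list:
    # -v lists only identities whose certificate and private key are both usable,
    # which is the same condition Task 6 checks by hand in Keychain Access.
    out = subprocess.run(["security", "find-identity", "-v", "-p", "basic", keychain],
                         check=True, capture_output=True, text=True).stdout
    return parse_identities(out)


def inspect_certificate(name: str, keychain: str = KEYCHAIN) -> tuple:
    """Export the certificate with the given name as PEM and summarise it with openssl."""
    pem = subprocess.run(["security", "find-certificate", "-c", name, "-p", keychain],
                         check=True, capture_output=True, text=True).stdout
    summary = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
                             input=pem, check=True, capture_output=True, text=True).stdout
    # -checkend 0 exits non-zero when the certificate has already expired.
    expired = subprocess.run(["openssl", "x509", "-noout", "-checkend", "0"],
                             input=pem, capture_output=True, text=True).returncode != 0
    return parse_x509_summary(summary), expired


if __name__ == "__main__":
    identities = valid_identities()
    if not identities:
        print(f"no valid identity containing '{MARKER}' in {KEYCHAIN}: SCEP enrollment did not complete")
        sys.exit(1)
    rc = 0
    for sha1, name in identities:
        summary, expired = inspect_certificate(name)
        problems = assess(summary, expired)
        print(f"{sha1} {name}: {'OK' if not problems else '; '.join(problems)}")
        rc |= bool(problems)
    sys.exit(rc)
```

An identity that appears in Keychain Access but not in the -v listing usually means the private key is present but unusable, which is the case the Access Control step above fixes.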

Next steps

Add an authentication policy rule for desktop