Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure a Certificate Authority (CA), so you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a dynamic Simple Certificate Enrollment Protocol (SCEP) profile using Jamf Pro.

Before you begin

Make sure you have access to the following:

Certificates deployed for digital signature, but not for other purposes (for example, encryption)
Okta Admin Console
Jamf Pro dashboard

If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.

Start this procedure

Task 1: Configure management attestation and generate a SCEP URL
Task 2: Create a dynamic SCEP profile
Task 3: Configure targets for deploying the SCEP profile in Jamf Pro
Task 4: Verify that the Okta CA was installed on your devices

Task 1: Generate a SCEP URL

In the Admin Console, go to SecurityDevice integrations.
On the Endpoint management tab, click Add platform.
Select Desktop (Windows and macOS only), then click Next.
On the Add device management platform page, select the following options:
For this Select
Certificate Authority Use Okta as Certificate Authority.
SCEP URL challenge type Dynamic SCEP URL and verify that Generic is selected.
Click Generate.
Copy and save the following values:
- SCEP URL
- Challenge URL
- Username
- Password
To reveal the password, click Show password . Save the Password in a safe place. This is the only time that it appears in the Admin Console. These values are required in Jamf Pro.
Click Save.

For this	Select
Certificate Authority	Use Okta as Certificate Authority.
SCEP URL challenge type	Dynamic SCEP URL and verify that Generic is selected.

Task 2: Create a dynamic SCEP profile in Jamf Pro

The SCEP profile specifies settings that allow a device to get certificates from a Certificate Authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. Configure all MDM SCEP policies to allow for profile redistribution.

To create the SCEP profile in Jamf Pro.

In Jamf Pro, go to Computers Configuration Profiles.
Click New.

On the General page, enter the following information:

For this	Do this
Name	Enter a name for the profile.
Description	Optional. Enter a description of the profile.
Level	Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure that all users of the device are managed, you should select Computer Level. If you only want specific users of a device to be identified as managed, you should select User Level.

Click SCEP, and then click Configure.

For the SCEP profile, enter the following information:

For this	Do this
URL	Paste the SCEP URL that you saved in Task 1.
Name	Enter a name for the SCEP profile.
Redistribute Profile	Choose a time frame for the profile to be redistributed when its SCEP-issused certificate is the specified number of days from expiring. Okta doesn't support automatic certificate renewal. The profile must be redistributed to replace the expired certificate.
Subject	Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID) and user identifier. For a list of supported variables, see Jamf Pro document Payload Variables for Computer Configuration Profiles.
Challenge Type	Select Dynamic-Microsoft CA.
URL To SCEP Admin	Enter the challenge URL that you saved in Task 1.
Username	Enter the username that you saved in Task 1.
Password	Enter the password that you saved in Task 1.
Verify Password	Re-enter the password that you saved in Task 1.
Key Size	Select 2048.
Use as digital signature	Select this option.
Allow export from keychain	Clear this option. It is good security practice to mark the certificate as non-exportable.
Allow all apps access	Select this option.

Click Save.

Task 3: Configure targets for the SCEP profile in Jamf Pro

If you are using Jamf Pro to manage the device, the next step is to configure the targets that the profile will be deployed to.

To configure targets in Jamf Pro:

In Jamf Pro, go to Computers Configuration Profiles.
Select the SCEP configuration profile name that you created in Task 2: Create a dynamic SCEP profile in Jamf Pro.
Click Scope.
Click Edit.
Click Add.
Select a deployment target, and then click Add. Repeat this step for all required targets.
Click Save.

Task 4: Verify that the Okta CA was installed on your devices

On a macOS device that is managed by Jamf Pro, go to System Preference Profiles.
Open Keychain Login.
Verify that a client certificate and associated private key exists.

Next steps

Add an authentication policy rule for desktop