Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro
Configure a Certificate Authority (CA) so that you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a SCEP URL in Okta and create a dynamic Simple Certificate Enrollment Protocol (SCEP) profile in Jamf Pro.
Before you begin
Make sure you have access to the following:
- Certificates deployed for digital signature, but not for other purposes (for example, encryption)
- Okta Admin Console
- Jamf Pro admin console
Start this procedure
- Task 1: Configure management attestation and generate a SCEP URL
- Task 2: Create a dynamic SCEP profile in Jamf Pro
- Task 3: Verify that the Okta CA was installed on your devices
Task 1: Configure management attestation and generate a SCEP URL
- In the Okta Admin Console, go to Security > Device Integrations.
- Click the Endpoint Management tab.
- Click Add Platform.
  If you add more than one configuration for the same type of platform, see Known Issues.
- Select Desktop (Windows and macOS only).
- Click Next.
- On the Add Device Management Platform page, enter the following:
  - Certificate authority: Select Use Okta as certificate authority.
  - SCEP URL challenge type: Select Dynamic SCEP URL, and then click Generic.
  - Click Generate.
  - SCEP URL: Copy and save the value. You require this value for Task 2.
  - Challenge URL: Copy and save the value. You require this value for Task 2.
  - Username: Copy and save the value. You require this value for Task 2.
  - Password: To reveal the password, click Show password. Copy and save the value. You require this value for Task 2.
  Save the Password in a safe place. This is the only time it will appear in the Okta Admin Console.
- Click Save.
Task 2: Create a dynamic SCEP profile in Jamf Pro
You can use any Device Management solution that supports pushing the Apple SCEP MDM payload. This procedure assumes you are managing macOS devices with Jamf Pro and configuring a dynamic SCEP profile.
If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.
- In Jamf Pro, go to Computers > Configuration Profiles.
- Click + New.
- Click the Options tab.
- Click General.
- On the General profile page, enter the following:
  - Name: Enter a name for the profile.
  - Description: Optional. Enter a description of the profile.
  - Level: Select User Level.
- Click SCEP.
- Click Configure.
- On the SCEP profile page, enter the following:
  - URL: Enter the SCEP URL you saved during Task 1.
  - Name: Enter a name for the SCEP profile.
  - Subject: Enter a subject.
  Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID). For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.
  - Challenge type: Select Dynamic-Microsoft CA, and then enter the Challenge URL, Username, and Password you saved during Task 1 in the fields that appear.
  - Key Size: Select 2048, and then select Use as digital signature.
  - Allow export from keychain: Leave this unselected. It is good security practice to mark the certificate as non-exportable.
  - Allow all apps access: Select this option.
- Click Save.
- Configure the targets that the profile will be deployed to:
  - Click Configuration Profiles.
  - Click the applicable configuration profile name.
  - Click the Scope tab.
  - Click Edit.
  - Click + Add.
  - Locate the required deployment targets, and then click Add.
  - Click Save.
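The following script is an added example, not part of the Okta or Jamf Pro documentation. It audits a configuration profile downloaded from Jamf Pro (a .mobileconfig plist) against the SCEP settings in Task 2: the profile is user level, the SCEP URL is the HTTPS URL generated in Okta, the subject is set, the key is RSA 2048 used for digital signature only, the private key is not exportable, and all apps may access it. It uses the Apple SCEP payload keys (`com.apple.security.scep`, `Keysize`, `Key Usage`, `KeyIsExtractable`, `AllowAllAppsAccess`); the embedded profile, its hostname, identifiers and UUIDs are constructed placeholders, and `weakened_copy` only exists to show what the audit flags.

```python
import plistlib
from typing import Dict, List

SIGNING = 1      # Apple SCEP payload "Key Usage" bit for digital signature
ENCRYPTION = 4   # Apple SCEP payload "Key Usage" bit for encryption

# Constructed sample of a Jamf Pro-style exported profile with one SCEP payload.
# Hostname, identifiers and UUIDs are placeholders, not real Okta or Jamf values.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadDisplayName</key><string>Okta device management signal</string>
  <key>PayloadIdentifier</key><string>example.okta.scep</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>example.okta.scep.cert</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://example.okta.com/scep/PLACEHOLDER</string>
        <key>Name</key><string>Okta SCEP</string>
        <key>Subject</key>
        <array><array><array><string>CN</string><string>Okta device signal $UDID</string></array></array></array>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>2048</integer>
        <key>Key Usage</key><integer>1</integer>
        <key>KeyIsExtractable</key><false/>
        <key>AllowAllAppsAccess</key><true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def audit_scep_payload(payload: dict, expected_url_prefix: str = "") -> List[str]:
    """Return a list of deviations from the settings used in Task 2 (empty means OK)."""
    content = payload.get("PayloadContent", {})
    findings = []
    url = content.get("URL", "")
    if not url.startswith("https://"):
        findings.append("SCEP URL is not https")
    if expected_url_prefix and not url.startswith(expected_url_prefix):
        findings.append("SCEP URL does not match the URL generated in Okta")
    if not content.get("Subject"):
        findings.append("Subject is empty")
    if content.get("Key Type", "RSA") != "RSA" or content.get("Keysize") != 2048:
        findings.append("key is not RSA 2048")
    usage = int(content.get("Key Usage", 0))
    if not usage & SIGNING:
        findings.append("key usage lacks digital signature")
    if usage & ENCRYPTION:
        findings.append("key usage includes encryption; certificate should be signature-only")
    if content.get("KeyIsExtractable", True):  # Apple defaults this to true when absent
        findings.append("private key is exportable; leave 'Allow export from keychain' unselected")
    if not content.get("AllowAllAppsAccess", False):
        findings.append("'Allow all apps access' is not selected")
    return findings


def audit_profile(data: bytes, expected_url_prefix: str = "") -> Dict[str, List[str]]:
    """Audit every SCEP payload in a profile; keys are payload identifiers."""
    profile = load_profile(data)
    results: Dict[str, List[str]] = {}
    if profile.get("PayloadScope") != "User":
        results["<profile>"] = ["profile level is not User"]
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if not scep:
        results.setdefault("<profile>", []).append("no SCEP payload found")
    for p in scep:
        results[p.get("PayloadIdentifier", "?")] = audit_scep_payload(p, expected_url_prefix)
    return results


def weakened_copy(data: bytes) -> bytes:
    """Constructed variant with the settings the procedure warns against (demo only)."""
    profile = load_profile(data)
    content = profile["PayloadContent"][0]["PayloadContent"]
    content["KeyIsExtractable"] = True
    content["Key Usage"] = SIGNING | ENCRYPTION
    content["Keysize"] = 1024
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_MOBILECONFIG), ("weak", weakened_copy(SAMPLE_MOBILECONFIG))):
        for payload_id, findings in audit_profile(blob, "https://example.okta.com/scep/").items():
            print(name, payload_id, findings or "OK")
```

To use it on a real profile, read the downloaded .mobileconfig into `audit_profile` and pass the SCEP URL you saved in Task 1 as `expected_url_prefix`; a non-empty findings list means the profile does not match what Okta expects for the device management signal.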
Task 3: Verify that the Okta CA was installed on your devices
On a macOS device managed by Jamf Pro, make sure the SCEP profile is installed.
- Go to System Preferences > Profiles.
- Verify that your dynamic SCEP profile is installed.
- Open Keychain Access, and then select the login keychain.
- Verify that a client certificate and its associated private key exist.