Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure a Certificate Authority (CA), so you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a SCEP URL in Okta and create a dynamic simple certificate enrollment protocol (SCEP) profile in Jamf Pro.

Before you begin

Make sure you have access to the following:

  • Certificates deployed for digital signature, but not for other purposes (for example, encryption)
  • Okta Admin Console
  • Jamf Pro admin console

Start this procedure

Task 1: Configure management attestation and generate a SCEP URL

  1. In the Okta Admin Console, go to Security > Device Integrations.
  2. Click the Endpoint Management tab.
  3. Click Add Platform.

    If you add more than one configuration for the same type of platform, see Known Issues.

  4. Select Desktop (Windows and macOS only).
  5. Click Next.
  6. On the Add Device Management Platform page, enter the following:
    1. Certificate authority: Select Use Okta as certificate authority.
    2. SCEP URL challenge type: Select Dynamic SCEP URL, and then click Generic.
    3. Click Generate.
    4. SCEP URL: Copy and save the value. You require this value for Task 2.
    5. Challenge URL: Copy and save the value. You require this value for Task 2.
    6. Username: Copy and save the value. You require this value for Task 2.
    7. Password: To reveal the password, click Show password. Copy and save the value. You require this value for Task 2.
    8. Save the Password in a safe place. This is the only time it will appear in the Okta Admin Console.

  7. Click Save.

Task 2: Create a dynamic SCEP profile in Jamf Pro

You can use any Device Management solution that supports pushing the Apple SCEP MDM payload. This procedure assumes you are managing macOS devices with Jamf Pro and configuring a dynamic SCEP profile.

If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click + New.
  3. Click the Options tab.
  4. Click General.
  5. On the General profile page, enter the following:
    1. Name: Enter a name for the profile.
    2. Description: Optional. Enter a description of the profile.
    3. Level: Select User Level.
  6. Click SCEP.
  7. Click Configure.
  8. On the SCEP profile page, enter the following:
    1. URL: Enter the SCEP URL you saved during Task 1.
    2. Name: Enter a name for the SCEP profile.
    3. Subject: Enter a subject.

      Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID). For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.

    4. Challenge type: Select Dynamic-Microsoft CA.
      • URL To SCEP Admin: Enter the Challenge URL you saved during Task 1.
      • Username: Enter the Username you saved during Task 1.
      • Password: Enter the Password you saved during Task 1.
      • Verify Password: Enter the Password you saved during Task 1.
    5. Key Size: Select 2048, and then select Use as digital signature.
    6. Allow export from keychain: Leave this unselected. It is good security practice to mark the certificate as non-exportable.
    7. Allow all apps access: Select.
  9. Click Save.
  10. Configure the targets that the profile will be deployed to:
    1. Click Configuration Profiles.
    2. Click the applicable configuration profile name.
    3. Click the Scope tab.
    4. Click Edit.
    5. Click + Add.
    6. Locate the required deployment targets, and then click Add.
  11. Click Save.
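Before scoping the profile to real devices, it is worth checking that the SCEP payload Jamf Pro will push actually carries the settings chosen in steps 8.1 through 8.7 (HTTPS SCEP URL, a resolved per-device challenge, a 2048-bit RSA key, digital-signature key usage only, non-exportable key, all-apps access). The Python linter below is an added example, not Okta's or Jamf Pro's own code: it reads a configuration profile (the .mobileconfig plist format Apple uses for the com.apple.security.scep payload) and reports every deviation from those settings. The sample profile is constructed inline; the `example.okta.com` URL, the challenge string and the `$UDID` payload variable in the subject are placeholders standing in for the values you copied from the Okta Admin Console and from the Jamf Pro variable list.

```python
"""Lint an Apple SCEP payload (com.apple.security.scep) for the settings this
procedure asks for. Added example, not Okta or Jamf Pro code; the sample
profile is constructed and its URL/challenge values are placeholders."""
import copy
import plistlib

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"
KEY_USAGE_SIGNING = 1  # Apple "Key Usage" bit for digital signature (4 = encryption, 5 = both)

# Constructed sample in the shape of a Jamf Pro SCEP configuration profile.
# With a dynamic challenge, Jamf resolves the challenge per device before pushing.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.okta-device-trust",          # placeholder
    "PayloadScope": "User",                                     # "User Level" in Jamf Pro
    "PayloadContent": [
        {
            "PayloadType": SCEP_PAYLOAD_TYPE,
            "PayloadIdentifier": "example.okta-device-trust.scep",  # placeholder
            "PayloadContent": {
                "URL": "https://example.okta.com/scep/placeholder",  # placeholder SCEP URL
                "Name": "Okta Device Trust",
                "Subject": [[["CN", "Okta Device Trust $UDID"]]],  # $UDID: assumed Jamf variable
                "Challenge": "per-device-challenge-placeholder",    # placeholder
                "Key Type": "RSA",
                "Keysize": 2048,
                "Key Usage": KEY_USAGE_SIGNING,
                "KeyIsExtractable": False,      # "Allow export from keychain" unselected
                "AllowAllAppsAccess": True,     # "Allow all apps access" selected
            },
        }
    ],
}


def scep_payloads(profile):
    """Yield the inner settings dict of every SCEP payload in a profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SCEP_PAYLOAD_TYPE:
            yield payload.get("PayloadContent", {})


def lint_scep_payload(scep):
    """Return a list of findings; an empty list means the payload matches the procedure."""
    findings = []
    if not scep.get("URL", "").startswith("https://"):
        findings.append("URL must be the HTTPS SCEP URL generated by Okta")
    if not scep.get("Challenge"):
        findings.append("Challenge is empty: the dynamic challenge was not resolved")
    if scep.get("Key Type", "RSA") != "RSA" or scep.get("Keysize") != 2048:
        findings.append("Key Size must be 2048 (RSA)")
    if scep.get("Key Usage") != KEY_USAGE_SIGNING:
        findings.append("Key Usage must be digital signature only (1)")
    # Apple defaults KeyIsExtractable to true, so a missing key is also a finding.
    if scep.get("KeyIsExtractable", True):
        findings.append("Allow export from keychain must be left unselected")
    if not scep.get("AllowAllAppsAccess", False):
        findings.append("Allow all apps access must be selected")
    return findings


def lint_profile(profile):
    """Lint every SCEP payload in a parsed profile; no SCEP payload at all is a finding."""
    payloads = list(scep_payloads(profile))
    if not payloads:
        return ["profile contains no com.apple.security.scep payload"]
    findings = []
    for scep in payloads:
        findings.extend(lint_scep_payload(scep))
    return findings


def lint_mobileconfig(data):
    """Lint raw .mobileconfig bytes (XML or binary plist) as downloaded from Jamf Pro."""
    return lint_profile(plistlib.loads(data))


def sample_mobileconfig_bytes():
    """Serialise the constructed sample so the plist parser path is exercised."""
    return plistlib.dumps(SAMPLE_PROFILE)


def weakened_sample():
    """A copy of the sample with a small, exportable, dual-use key, to show what is caught."""
    weak = copy.deepcopy(SAMPLE_PROFILE)
    weak["PayloadContent"][0]["PayloadContent"].update(
        {"Keysize": 1024, "Key Usage": 5, "KeyIsExtractable": True}
    )
    return weak


if __name__ == "__main__":
    print("sample:", lint_mobileconfig(sample_mobileconfig_bytes()) or ["OK"])
    for finding in lint_profile(weakened_sample()):
        print("FINDING:", finding)
```

To run it against a real profile, download the .mobileconfig from the Jamf Pro configuration profile page and pass its bytes to `lint_mobileconfig`; a signed profile must be unwrapped (for example with `openssl smime`) before it parses as a plist.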

Task 3: Verify that the Okta CA was installed on your devices

On a macOS device managed by Jamf Pro, make sure the SCEP profile is installed.

  1. Go to System Preferences > Profiles.
  2. Verify that your dynamic SCEP profile is installed.
  3. Open Keychain > Login.
  4. Verify that a client certificate and its associated private key exist.

Next steps