Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure a certificate authority (CA), so you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a dynamic Simple Certificate Enrollment Protocol (SCEP) profile using Jamf Pro.

Before you begin

Make sure you have access to the following:

  • Certificates deployed for digital signature, but not for other purposes (for example, encryption).
  • Okta Admin Console.
  • Jamf Pro dashboard.

If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.

Start this procedure

Task 1: Generate a SCEP URL

  1. In the Admin Console, go to Security > Device integrations.
  2. On the Endpoint management tab, click Add platform.
  3. Select Desktop (Windows and macOS only), then click Next.
  4. On the Add device management platform page, select the following options:
    For thisSelect
    Certificate authorityUse Okta as certificate authority.
    SCEP URL challenge typeDynamic SCEP URL and verify that Generic is selected.
  5. Click Generate.
  6. Copy and save the following values:
    • SCEP URL
    • Challenge URL
    • Username
    • Password

    To reveal the password, click Show password Show password icon . Save the Password in a safe place. This is the only time it appears in the Admin Console.

    These values are required in Jamf Pro

  7. Click Save.

Task 2: Create a dynamic SCEP profile in Jamf Pro

The SCEP profile specifies settings that allow a device to get certificates from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.

To create the SCEP profile in Jamf Pro.

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click New.
  3. On the General page, enter the following information:
    For thisDo this
    NameEnter a name for the profile.
    DescriptionOptional. Enter a description of the profile.

    Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure all users of the device are managed, you should select Computer Level.

    If you only want specific users of a device to be identified as managed, you should select User Level.

  4. Click SCEP, then click Configure.
  5. For the SCEP profile, enter the following information:
    For thisDo this
    URLPaste the SCEP URL you saved inTask 1
    NameEnter a name for the SCEP profile.

    Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID

    If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID

    Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID) and user identifier. For a list of supported variables, see Jamf Pro document Payload Variables for Computer Configuration Profiles.

    Challenge TypeSelect Dynamic-Microsoft CA.
    URL To SCEP AdminEnter the challenge URL you saved inTask 1.
    UsernameEnter the username you saved in Task 1.
    PasswordEnter the password you saved in Task 1.
    Verify PasswordRe-enter the password you saved in Task 1.
    Key SizeSelect 2048.
    Use as digital signatureSelect this option.
    Allow export from keychainUnselect this option. It is good security practice to mark the certificate as non-exportable.
    Allow all apps accessSelect this option.
  6. Click Save.

Task 3: Configure targets for the SCEP profile in Jamf Pro

If you are using Jamf Pro to manage the device, the next step is to configure the targets that the profile will be deployed to.

To configure targets in Jamf Pro.

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Select the SCEP configuration profile name that you created in Task 2: Create a dynamic SCEP profile in Jamf Pro.
  3. Click Scope.
  4. Click Edit.
  5. Click Add.
  6. Select a deployment target, and then click Add. Repeat this step for all required targets.
  7. Click Save.

Task 4: Verify that the Okta CA was installed on your devices

  1. On a macOS device that is managed by Jamf Pro, go to System Preference > Profiles.
  2. Open Keychain > Login.
  3. Verify that a client certificate and associated private key exists.

Next steps

Add an authentication policy rule for desktop