Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro
Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted macOS devices.
Purpose: Management attestation certificate
Platform: macOS
MDM: Jamf Pro
SCEP URL: Dynamic
If you're configuring SCEP for Okta Device Access or Desktop Password Sync, see Device Access certificates.
Before you begin
Make sure that you have access to the following:
- Certificates that are deployed for digital signature, but not for other purposes (for example, encryption)
- Okta Admin Console
- Jamf Pro dashboard
Procedure
Generate a SCEP URL
- In the Admin Console, go to .
- On the Endpoint management tab, click Add platform.
- Select Desktop (Windows and macOS only), then click Next.
- On the Add device management platform page, select the following options:
  - Certificate Authority: Use Okta as Certificate Authority
  - SCEP URL challenge type: Dynamic SCEP URL and Generic
- Click Generate.
- Copy and save the following values in a secure location:
  - SCEP URL
  - Challenge URL
  - Username
  - Password
  This is the only time that you can retrieve the password in the Admin Console. To see the password in plain text, click the show password icon. If you need to reset the password, click Reset password in the Actions menu on the Device Access page.
- Click Save.
Create a dynamic SCEP profile in Jamf Pro
The SCEP profile specifies settings that allow a device to get certificates from a CA using the Simple Certificate Enrollment Protocol.
Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate.
Configure all MDM SCEP policies to allow for profile redistribution.
To create the SCEP profile in Jamf Pro:
- In Jamf Pro, go to .
- Click New.
- On the General page, enter the following information:
  - Name: Enter a name for the profile.
  - Description: Optional. Enter a description of the profile.
  - Level: Select the appropriate level for the certificate:
    - To ensure that all users of the device are managed, select Computer Level.
    - If you only want specific users of a device to be identified as managed, select User Level.
    Okta Verify uses this certificate to identify managed devices and managed users for Device Access.
- Click SCEP, and then click Configure.
- For the SCEP profile, enter the following information:
  - URL: Paste the SCEP URL that you saved in the first task.
  - Name: Enter a name for the SCEP profile.
  - Redistribute Profile: Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring. Okta doesn't support automatic certificate renewal. Redistribute the profile to replace an expiring certificate.
  - Subject: Enter a name to identify the certificate. This field has a 64-character limit. Jamf Pro automatically adds a $PROFILE_IDENTIFIER when redistributing profiles, which counts towards the 64-character limit. Exceeding this limit causes profile redistribution and certificate renewal to fail.
    Okta has no specific format requirements for this field. You can use this field to indicate the certificate's purpose as a device management signal for Okta, optionally including Jamf Pro variables like $UDID or $EMAIL. For example:
    - Computer Level: CN=$COMPUTERNAME ma $UDID
    - User Level: CN=$EMAIL ma $UDID
    (ma signifies management attestation)
    Always test your SCEP configurations in a non-production environment to ensure certificates are issued and renewed successfully.
  - Challenge Type: Select Dynamic-Microsoft CA.
  - URL To SCEP Admin: Enter the challenge URL that you saved in the first task.
  - Username: Enter the username that you saved in the first task.
  - Password: Enter the password that you saved in the first task.
  - Verify Password: Re-enter the password that you saved in the first task.
  - Key Size: Select 2048.
  - Use as digital signature: Select this option.
  - Allow export from keychain: Clear this option. It's a good security practice to mark the certificate as non-exportable.
  - Allow all apps access: Select this option.
- Click Save.
Configure targets for the SCEP profile in Jamf Pro
If you're using Jamf Pro to manage the device, the next step is to configure the deployment targets for the SCEP profile.
- In Jamf Pro, go to .
- Select the SCEP configuration profile that you created in Task 2.
- Click Scope.
- Click Edit.
- Click Add.
- Select a deployment target, and then click Add. Repeat this step for all required targets.
- Click Save.
Verify that the Okta CA was installed on your devices
- On a macOS device managed by Jamf Pro, go to .
- Open .
- Confirm that you have both the client certificate and the associated private key.
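Beyond eyeballing the keychain, you can check an issued certificate against the SCEP profile settings above (2048-bit key, Digital Signature as the only key usage, the 64-character Subject limit) and flag when the Redistribute Profile window has been reached, since Okta as a CA doesn't renew. The script below is an added example, not Okta's or Jamf's own tooling; it assumes openssl is on the path, that a Computer Level certificate lives in the System keychain under the common name you set in Subject (export_from_keychain), and it builds a constructed self-signed stand-in certificate for offline testing.

```shell
#!/bin/sh
# Audit a SCEP-issued client certificate (PEM) against the profile settings
# above: 2048-bit RSA key, Key Usage limited to Digital Signature, and a
# redistribution window, since Okta as a CA doesn't renew certificates.
set -eu

# Public key size in bits, e.g. 2048.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Key Usage as printed by openssl, e.g. "Digital Signature" (empty if absent).
cert_key_usage() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Length of the issued subject DN; the Jamf Pro Subject field is capped at 64.
cert_subject_length() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  echo "${#s}"
}

# Succeeds when the certificate expires within $2 days: time to redistribute.
cert_within_redist_window() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Runs all checks; returns 1 if any setting deviates or redistribution is due.
audit_cert() {
  rc=0
  [ "$(cert_key_bits "$1")" = 2048 ] || { echo "key size is not 2048"; rc=1; }
  [ "$(cert_key_usage "$1")" = "Digital Signature" ] || { echo "key usage is not Digital Signature only"; rc=1; }
  [ "$(cert_subject_length "$1")" -le 64 ] || { echo "subject exceeds 64 characters"; rc=1; }
  if cert_within_redist_window "$1" "$2"; then echo "expires within $2 days: redistribute the profile"; rc=1; fi
  return "$rc"
}

# On a managed Mac, export the issued certificate for auditing (assumed location:
# Computer Level certificates in the System keychain; User Level uses the login keychain).
export_from_keychain() {
  security find-certificate -c "$1" -p /Library/Keychains/System.keychain > "$2"
}

# Constructed stand-in for an Okta-issued certificate (self-signed, test only); $2 = validity days.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" -days "$2" \
    -subj "/CN=MAC-EXAMPLE ma 00000000-0000-0000-0000-000000000000" \
    -addext "keyUsage=critical,digitalSignature" >/dev/null 2>&1
}
```

Run it as `export_from_keychain "MAC-EXAMPLE ma" /tmp/okta-client.pem && audit_cert /tmp/okta-client.pem 30`, with 30 replaced by the number of days you chose under Redistribute Profile.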
