Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro

Configuring a certificate authority (CA) allows you to issue client certificates to your targeted macOS devices. This topic describes how to create a Simple Certificate Enrollment Protocol (SCEP) profile in Jamf Pro and generate a certificate URL in Okta.

While you can use any device management solution that supports the deployment of an Apple SCEP MDM payload, this procedure assumes you are managing devices with Jamf Pro and configuring a static SCEP profile.

Before you begin

Make sure you have access to the following:

  • Okta Admin Console
  • Any device management solution that supports the deployment of a SCEP payload. Okta tested with Jamf Pro.

Start this procedure

  1. Generate a SCEP URL and secret key
  2. Create a static SCEP profile

Generate a SCEP URL and secret key

  1. In the Admin Console, go to Security > Device integrations.
  2. On the Endpoint management tab, click Add platform.
  3. Select Desktop (Windows and macOS only), then click Next.
  4. On the Add device management platform page, select the following options:
    • Certificate authority: Use Okta as certificate authority
    • SCEP URL challenge type: Static SCEP URL
  5. Click Generate.
  6. Copy and save the Okta SCEP URL and the secret key. These values are required in Jamf Pro. Store them in a safe place: this is the only time they appear in the Okta Admin Console.
  7. Click Save.

Create a static SCEP profile

The SCEP profile specifies settings that allow a device to get certificates from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires so that a newly issued certificate replaces the expiring one. All MDM SCEP policies should be configured to allow for profile redistribution.

To create the SCEP profile in Jamf Pro:

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click New.
  3. On the General page, enter the following information:
    • Name: Enter a name for the profile.
    • Description: Optional. Enter a description of the profile.
    • Level: Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure all users of the device are managed, you should select Computer Level. If you only want specific users of a device to be identified as managed, you should select User Level.
  4. Click SCEP, then click Configure.
  5. For the SCEP profile, enter the following information:
    • URL: Paste the SCEP URL you saved in step 1.
    • Name: Enter a name for the SCEP profile.
    • Redistribute Profile: Choose how many days before its SCEP-issued certificate expires the profile should be redistributed. Okta doesn't support automatic certificate renewal; the profile must be redistributed to replace the expiring certificate.
    • Subject: Enter an appropriate subject name. For example, if you selected Computer Level, set the subject name to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID.

      If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID.

      Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also use the profile variables provided by Jamf Pro to include the device ID (UDID) and a user identifier. For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.

    • Challenge Type: Select Static.
    • Challenge: Paste the secret key you saved in step 1.
    • Verify Challenge: Paste the secret key again.
    • Key Size: Select 2048.
    • Use as digital signature: Select this option.
    • Allow export from keychain: Unselect this option.
    • Allow all apps access: Select this option.
  6. Click Save.
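The Jamf settings above correspond to an Apple SCEP MDM payload. The following is an added example, not Okta's or Jamf's own code: it builds that payload for either profile level and checks it against the settings this procedure selects. It assumes Apple's SCEP payload key names (URL, Subject, Challenge, Keysize, Key Usage, KeyIsExtractable, AllowAllAppsAccess) and uses placeholders for the SCEP URL, secret key and payload identifier.

```python
import uuid

# Placeholders: substitute the SCEP URL and secret key copied from the Okta Admin Console.
OKTA_SCEP_URL = "https://<your-okta-org>/<scep-path-from-okta>"
OKTA_STATIC_CHALLENGE = "<secret-key-from-okta>"

# Subject strings from the procedure, keyed by profile level; Jamf expands the $ variables.
SUBJECTS = {
    "computer": "CN=$COMPUTERNAME managementAttestation $UDID",
    "user": "CN=$EMAIL managementAttestation $UDID",
}

def subject_to_apple(subject):
    """Turn a 'CN=...,O=...' string into Apple's array-of-arrays Subject form."""
    parts = (p.split("=", 1) for p in subject.split(",") if "=" in p)
    return [[[k.strip(), v.strip()]] for k, v in parts]

def build_scep_payload(level, url=OKTA_SCEP_URL, challenge=OKTA_STATIC_CHALLENGE):
    """SCEP payload carrying the settings the procedure selects in Jamf Pro."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.okta-scep",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": {
            "URL": url,
            "Name": "Okta CA",
            "Subject": subject_to_apple(SUBJECTS[level]),
            "Challenge": challenge,      # Challenge Type: Static
            "Key Type": "RSA",
            "Keysize": 2048,             # Key Size: 2048
            "Key Usage": 1,              # bit 1 = digital signature
            "KeyIsExtractable": False,   # Allow export from keychain: unselected
            "AllowAllAppsAccess": True,  # Allow all apps access: selected
        },
    }

def check_scep_payload(payload):
    """List settings that deviate from the procedure; an empty list means it matches."""
    c = payload["PayloadContent"]
    checks = [
        (c.get("URL", "").startswith("https://"), "URL must be HTTPS"),
        (bool(c.get("Challenge")), "static challenge missing"),
        (c.get("Keysize") == 2048, "Keysize must be 2048"),
        (bool(c.get("Key Usage", 0) & 1), "Key Usage lacks digital signature"),
        (not c.get("KeyIsExtractable", True), "KeyIsExtractable must be false"),
        (bool(c.get("AllowAllAppsAccess")), "AllowAllAppsAccess must be true"),
    ]
    return [msg for ok, msg in checks if not ok]
```

plistlib.dumps(build_scep_payload("computer")) yields the XML plist body of the payload; a .mobileconfig wraps one or more such payloads in a top-level profile dictionary before it is installed.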

Next steps

Add an authentication policy rule for desktop