Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro

Configuring a certificate authority (CA) allows you to issue client certificates to your targeted macOS devices. This topic describes how to create a Simple Certificate Enrollment Protocol (SCEP) profile in Jamf Pro and generate a certificate URL in Okta.

While you can use any device management solution that supports the deployment of an Apple SCEP MDM payload, this procedure assumes you are managing devices with Jamf Pro and configuring a static SCEP profile.

Before you begin

Make sure you have access to the following:

  • Okta Admin Console
  • Any device management solution that supports the deployment of a SCEP payload. Okta tested with Jamf Pro.

Start this procedure

Task 1: Generate a SCEP URL and secret key

  1. In the Admin Console, go to Security > Device integrations.
  2. On the Endpoint management tab, click Add platform.
  3. Select Desktop (Windows and macOS only), then click Next.
  4. On the Add device management platform page, select the following options:
    Certificate authority: Use Okta as certificate authority.
    SCEP URL challenge type: Static SCEP URL.
  5. Click Generate.
  6. Copy and save the SCEP URL and the secret key. These values are required in Jamf Pro.

    Save the SCEP URL and secret key in a safe place. This is the only time they appear in the Okta Admin Console. Anyone who holds the secret key can request a certificate from this SCEP URL, so treat it as a credential and do not store it outside your device management solution.

  7. Click Save.

Task 2: Create a static SCEP profile

The SCEP profile specifies settings that allow a device to get certificates from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.

To create the SCEP profile in Jamf Pro:

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click New.
  3. On the General page, enter the following information:
    Name: Enter a name for the profile.
    Description: Optional. Enter a description of the profile.
    Level: Select the level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To treat every user of the device as managed, select Computer Level. To identify only specific users of a device as managed, select User Level.

  4. Click SCEP, then click Configure.
  5. For the SCEP profile, enter the following information:
    URL: Paste the SCEP URL you saved in Task 1.
    Name: Enter a name for the SCEP profile.
    Subject: Enter an appropriate subject name. For example, if you selected Computer Level, set the subject name to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID. If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID.

    Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, also include the profile variables that Jamf Pro provides for the device ID (UDID) and the user identifier. For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.

    Challenge Type: Select Static.
    Challenge: Paste the secret key you saved in Task 1.
    Verify Challenge: Paste the secret key again.
    Key Size: Select 2048.
    Use as digital signature: Select this option.
    Allow export from keychain: Leave this option unselected, so the private key cannot be exported from the keychain and copied elsewhere.
    Allow all apps access: Select this option.
  6. Click Save.
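The two tasks above are clicked through in the Okta and Jamf Pro consoles. The following added example (not Okta or Jamf code) builds the same SCEP settings as the Apple com.apple.security.scep payload those clicks produce, using Python's plistlib, and checks the security-relevant keys (key size, signing usage, non-exportable key, HTTPS URL, non-empty static challenge, subject marked as a management signal) before the profile is uploaded to Jamf Pro. Assumptions: the SCEP URL, challenge and payload identifiers are placeholders; Jamf Pro is assumed to substitute $COMPUTERNAME, $EMAIL and $UDID at deployment (see the Jamf Pro payload variables document); the Apple key names, the PayloadScope mapping (Computer Level = System, User Level = User) and the Key Usage bit values (1 = digital signature, 4 = key encipherment) are taken from Apple's configuration profile reference.

```python
import plistlib
import uuid

# Placeholders (assumption); substitute the SCEP URL and secret key from Task 1.
SCEP_URL = "https://example.okta.com/scep"
SCEP_CHALLENGE = "REPLACE_WITH_SECRET_KEY"

KEY_USAGE_SIGNING = 1      # Apple SCEP payload "Key Usage": 1 = digital signature
KEY_USAGE_ENCRYPTION = 4   #                              4 = key encipherment


def scep_payload(url, challenge, subject_cn, name="Okta device management signal",
                 keysize=2048, key_usage=KEY_USAGE_SIGNING,
                 extractable=False, all_apps_access=True):
    """Return one com.apple.security.scep payload dict.

    subject_cn is the CN string; Jamf Pro variables such as $COMPUTERNAME and
    $UDID in it are assumed to be substituted when the profile is deployed."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.okta.scep",  # assumption: placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": {
            "URL": url,
            "Name": name,
            # X.500 subject as Apple encodes it: a list of RDNs, each a list
            # of [type, value] pairs.
            "Subject": [[["CN", subject_cn]]],
            "Challenge": challenge,              # static challenge from Task 1
            "Key Type": "RSA",
            "Keysize": keysize,                  # "Key Size"
            "Key Usage": key_usage,              # "Use as digital signature"
            "KeyIsExtractable": extractable,     # "Allow export from keychain"
            "AllowAllAppsAccess": all_apps_access,  # "Allow all apps access"
        },
    }


def build_profile(url, challenge, computer_level=True):
    """Wrap the SCEP payload in a configuration profile.

    Computer Level maps to PayloadScope "System", User Level to "User"; the
    subject follows the two patterns given in the text."""
    if computer_level:
        scope, cn = "System", "$COMPUTERNAME managementAttestation $UDID"
    else:
        scope, cn = "User", "$EMAIL managementAttestation $UDID"
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": "com.example.okta.scep.profile",  # assumption
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Okta SCEP (static challenge)",
        "PayloadContent": [scep_payload(url, challenge, cn)],
    }


def validate(profile):
    """Return a list of problems that would weaken the certificate as a
    management signal; an empty list means the settings match the text."""
    problems = []
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if len(scep) != 1:
        return ["expected exactly one SCEP payload"]
    c = scep[0]["PayloadContent"]
    if not c.get("URL", "").startswith("https://"):
        problems.append("SCEP URL must use https")
    if not c.get("Challenge"):
        problems.append("static challenge is empty")
    if c.get("Keysize", 0) < 2048:
        problems.append("key size below 2048")
    if not (c.get("Key Usage", 0) & KEY_USAGE_SIGNING):
        problems.append("'Use as digital signature' not set")
    if c.get("KeyIsExtractable", True):
        problems.append("private key exportable from keychain")
    if not c.get("AllowAllAppsAccess", False):
        problems.append("'Allow all apps access' not set")
    cn = c["Subject"][0][0][1]
    if "managementAttestation" not in cn or "$UDID" not in cn:
        problems.append("subject should mark the cert as a management signal and carry $UDID")
    if profile.get("PayloadScope") == "User" and "$EMAIL" not in cn:
        problems.append("user-level subject should identify the user")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist Jamf Pro accepts as an uploaded profile."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (for round-trip checks)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile(SCEP_URL, SCEP_CHALLENGE, computer_level=True)
    assert validate(prof) == []
    print(to_mobileconfig(prof).decode())
```

Run validate() on any profile before uploading it; the same function flags a profile that was exported from Jamf Pro with a weaker setting (for example an exportable key or a 1024-bit key), which is the check worth keeping in a pre-deployment script.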

Next steps

Add an authentication policy rule for desktop