Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro
Configuring a certificate authority (CA) allows you to issue client certificates to your targeted macOS devices. This topic describes how to create a Simple Certificate Enrollment Protocol (SCEP) profile in Jamf Pro and generate a certificate URL in Okta.
While you can use any device management solution that supports the deployment of an Apple SCEP MDM payload, this procedure assumes you are managing devices with Jamf Pro and configuring a static SCEP profile.
Before you begin
Make sure you have access to the following:
- Okta Admin Console
- Any device management solution that supports the deployment of a SCEP payload. Okta tested with Jamf Pro.
Start this procedure
Task 1: Generate a SCEP URL and secret key
- In the Admin Console, go to Security > Device integrations.
- On the Endpoint management tab, click Add platform.
- Select Desktop (Windows and macOS only), then click Next.
- On the Add device management platform page, select the following options:
- Click Generate.
- Copy and save the Okta the SCEP URL and the secret key.
These values are required in Jamf Pro
Save the SCEP URL and secret key in a safe place. This is the only time they will appear in the Okta Admin Console.
- Click Save.
| For this | Select |
|---|---|
| Certificate authority | Use Okta as certificate authority. |
| SCEP URL challenge type | Static SCEP URL. |
Task 2: Create a static SCEP profile
The SCEP profile specifies settings that allow a device to get certificates from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.
To create the SCEP profile in Jamf Pro.
- In Jamf Pro, go to Computers > Configuration Profiles.
- Click New.
- On the General page, enter the following information:
For this Do this Name Enter a name for the profile. Description Optional. Enter a description of the profile. Level Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure all users of the device are managed, you should select Computer Level.
If you only want specific users of a device to be identified as managed, you should select User Level.
- Click SCEP, then click Configure.
- For the SCEP profile, enter the following information:
For this Do this URL Paste the SCEP URL you saved inTask 1 Name Enter a name for the SCEP profile. Subject Enter an appropriate subject name. For example, if you selected Computer Level, set the subject name to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID
If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID.
Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID) and user identifier. For a list of supported variables, see Jamf Pro document Payload Variables for Computer Configuration Profiles.
Challenge Type Select Static. Challenge Paste the secret key you saved in Task 1. Verify Challenge Paste the secret key again. Key Size Select 2048. Use as digital signature Select this option. Allow export from keychain Unselect this option. Allow all apps access Select this option. - Click Save.