Configure Device Trust on desktop devices

Learn how to deploy Device Trust on macOS and Windows computers.

Okta and your EMM solution must be configured before you create app-level policies that leverage Device Trust.

Note: If you use Device Trust to enable a passwordless experience (Okta FastPass) for macOS users, Apple Extensible SSO must be configured in your EMM solution. See Configure Extensible SSO for Safari and native apps on managed macOS devices.

Choose a certificate authority

Windows and macOS device management requires a certificate authority (CA) that can issue client certificates to targeted devices. Device Trust uses these client certificates to determine whether devices are managed or not. Application sign-on policies grant or deny access to an application or prompt for more authentication factors based on the device state.

You can use Okta as a CA or use your own existing CA if you already have one in place.

Provide your own certificate authority for Device Context

If you use your own certificate authority (CA), your environment requires a PKI infrastructure integrated with your EMM solution to distribute Okta-provided client certificates to targeted devices. In addition to distributing certificates, your EMM software renews certificates before they expire and revokes certificates from your EMM server and managed devices when devices are no longer managed.

In addition to devices managed by your existing EMM solution, Okta can manage devices that have a certificate deployed by an existing Active Directory Certificate Services (ADCS) infrastructure. In this case, the device must have a certificate deployed from the same CA that is set up in Okta.

Start this procedure

Task 1: Configure the SCEP Payload

Task 2: In Okta, configure management attestation and upload your certificate

Task 1: Configure the SCEP Payload

Make sure SCEP profiles are targeted at the USER level, not the DEVICE level. This ensures that the certificate is deployed to the login keychain and accessible to Okta Verify. Your SCEP policy requires a user context. Multiple users can use the same device, but only if each user is from a separate org. The enrolled user must be managed by your EMM solution and possess a certificate.

Configure the SCEP payload using these settings:

  Key                Type     Value
  KeyUsage           Integer  Set to signing so Okta Verify can sign the nonce sent from the Okta server.
  AllowAllAppAccess  Boolean  Set to true so Okta Verify can sign requests without prompting users to sign in. Otherwise, users are prompted to allow Okta Verify to access the key.
  KeysExtractable    Boolean  Set to false so that the private key can't be copied to another device easily.

Task 2: In Okta, configure management attestation and upload your certificate

  1. In the Admin Console, go to Security > Device integrations.
  2. On the Endpoint Management page, click Add platform.
  3. Select Desktop (Windows and macOS only) and click Next.
  4. Select Use my own certificate authority for the Certificate authority and click Save.
  5. Click Save.
  6. On the Certificate authority page, click Add certificate authority.
  7. In the Add certificate authority dialog box, browse to the Intermediate CA that will be used to issue the client certificate. If you have multiple such issuers, upload all of them one at a time.
    • Note: Okta doesn't support PKCS#7, PKCS#12, or PFX certificate formats.
    • Certificates are uploaded automatically. A message appears if uploads are successful. To view details, click View root certificate chain details.
  8. Click Close.

Use Okta as a CA

EMM solutions use the Simple Certificate Enrollment Protocol (SCEP) to issue certificates to managed devices. When configuring Okta as a CA, you can set the SCEP challenge type to Static, Dynamic, or Delegated. Some EMM solutions (such as Jamf Pro) support multiple challenge types, while others support only one. Before you configure Okta as a CA, determine what challenge type your EMM app supports or recommends.

Use static SCEP challenge with Jamf Pro on macOS devices

  1. Configure management attestation and generate a SCEP URL
  2. Create a static SCEP profile

Configure management attestation and generate a SCEP URL and Secret Key

Note: This procedure applies to any EMM solution that supports pushing the Apple SCEP EMM payload.

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. On the Endpoint management page, click Add platform.

    Note: If you add more than one configuration for the same type of platform, see this Known Issue.

  3. Select Desktop (Windows and macOS only) and click Next.
  4. On the Add device management platform page, configure these settings:
    1. Certificate authority: Select Use Okta as certificate authority.
    2. SCEP URL challenge type: Select Static SCEP URL.
    3. Click Generate.
    4. SCEP URL: Copy and save the value. You will need this value later.
    5. Secret key: Copy and save the value. You will need this value later.
    6. Note: Save the SCEP URL and Secret key in a safe place. This is the only time they appear in the Okta Admin Console.

  5. Click Save.

Create a static SCEP profile

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click + New.
  3. Go to Options > General.
  4. On the General profile page, enter these values:
    1. Name: Enter a name for the profile.
    2. Description: Optional. Enter a description of the profile.
    3. Level: Select User Level.
  5. Go to Options > SCEP.
  6. Click Configure.
  7. On the SCEP profile page, enter the following values:
    1. URL: Enter the SCEP URL you saved in step 6b above.
    2. Name: Enter a name for the SCEP profile.
    3. Subject: Enter a subject.

      Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID). For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.

    4. Challenge type: Static.
    5. Challenge: Copy and paste the secret key you generated in step 6e.
    6. Verify Challenge: Copy and paste the Secret key again.
    7. Key Size: Select 2048.
    8. Use as digital signature: Select this option.
    9. Allow export from keychain: Leave this option clear.
    10. Allow all apps access: Select this option.
    11. Click Save.
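The following script is an added example, not part of the Okta or Jamf Pro documentation. It checks a SCEP configuration profile (.mobileconfig) against the Task 1 payload settings (user-level scope, signing key usage, non-extractable key, all-apps access) and the static profile settings above. The embedded profile, its SCEP URL, challenge and identifiers are constructed placeholders; it assumes Apple's payload key names (Apple spells the table's AllowAllAppAccess key as AllowAllAppsAccess) and the Jamf Pro $UDID payload variable.

```python
import plistlib

KEY_USAGE_SIGNING = 1  # Apple SCEP payload KeyUsage bits: 1 = signing, 4 = encryption

# Constructed sample .mobileconfig (not an Okta or Jamf artifact). The SCEP URL,
# challenge, identifiers and UUIDs are placeholders; $UDID is a Jamf Pro payload variable.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.okta-device-trust</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>com.example.okta-device-trust.scep</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://SCEP-URL-PLACEHOLDER.example/scep</string>
        <key>Name</key><string>Okta Device Trust</string>
        <key>Subject</key>
        <array><array><array><string>CN</string><string>Okta managementAttestation $UDID</string></array></array></array>
        <key>Challenge</key><string>SECRET-KEY-PLACEHOLDER</string>
        <key>Keysize</key><integer>2048</integer>
        <key>KeyType</key><string>RSA</string>
        <key>KeyUsage</key><integer>1</integer>
        <key>KeysExtractable</key><false/>
        <key>AllowAllAppsAccess</key><true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def check_scep_profile(data: bytes) -> list:
    """Return findings for a profile; an empty list means it meets every requirement."""
    profile = plistlib.loads(data)
    findings = []
    # Apple treats a missing PayloadScope as User; Jamf sets it from the "Level" field.
    if profile.get("PayloadScope", "User") != "User":
        findings.append("profile is device-scoped: Device Trust needs a user-level profile "
                        "so the certificate lands in the login keychain")
    scep_payloads = [p for p in profile.get("PayloadContent", [])
                     if p.get("PayloadType") == "com.apple.security.scep"]
    if not scep_payloads:
        findings.append("no com.apple.security.scep payload found")
    for payload in scep_payloads:
        scep = payload.get("PayloadContent", {})
        name = scep.get("Name", payload.get("PayloadIdentifier", "?"))
        if not scep.get("URL", "").startswith("https://"):
            findings.append(f"{name}: SCEP URL is missing or not HTTPS")
        if not scep.get("Challenge"):
            findings.append(f"{name}: no Challenge; a static profile needs the Okta secret key")
        if (scep.get("KeyUsage", 0) & KEY_USAGE_SIGNING) == 0:
            findings.append(f"{name}: KeyUsage lacks signing; Okta Verify cannot sign the nonce")
        # Apple's default for KeysExtractable is true, so an absent key is a finding too.
        if scep.get("KeysExtractable", True):
            findings.append(f"{name}: KeysExtractable is true; the private key could be exported")
        if not scep.get("AllowAllAppsAccess", False):
            findings.append(f"{name}: AllowAllAppsAccess is false; users are prompted for key access")
    return findings


def weakened_profile(data: bytes) -> bytes:
    """Produce a deliberately misconfigured copy of a profile to exercise the checks."""
    profile = plistlib.loads(data)
    profile["PayloadScope"] = "System"          # device level instead of user level
    scep = profile["PayloadContent"][0]["PayloadContent"]
    scep["KeyUsage"] = 4                        # encryption only, no signing
    scep["KeysExtractable"] = True              # key exportable from the keychain
    return plistlib.dumps(profile)
```

Run check_scep_profile on a profile exported from Jamf Pro before scoping it to users; the weakened copy shows the three findings the validator raises for a device-level, non-signing, exportable key.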

Use dynamic SCEP challenge with Jamf Pro on macOS devices

  1. Configure management attestation and generate a SCEP URL
  2. Create a dynamic SCEP profile in Jamf Pro
  3. Verify that the Okta CA was installed on your devices

Configure management attestation and generate a SCEP URL

Note: This procedure applies to any EMM solution that supports pushing the Apple SCEP EMM payload.

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. On the Endpoint management page, click Add platform.

    Note: If you add more than one configuration for the same type of platform, see this Known Issue.

  3. Select Desktop (Windows and macOS only) and click Next.
  4. Click Next.
  5. On the Add Device Management Platform page, configure these settings:
    1. Certificate authority: Select Use Okta as certificate authority.
    2. SCEP URL challenge type: Select Dynamic SCEP URL.
    3. Click Generate.
    4. SCEP URL: Copy and save the value. You will need this value later.
    5. Challenge URL: Copy and save the value. You will need this value later.
    6. Username: Copy and save the value. You will need this value later.
    7. Password: To reveal the password, click Show password. Copy and save the value. You will need this value later.

      Note: Save the Password in a safe place. This is the only time it appears in the Okta Admin Console.

  6. Click Save.

Create a dynamic SCEP profile in Jamf Pro

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click + New.
  3. Go to Options > General.
  4. On the General profile page, enter the following information:
    1. Name: Enter a name for the profile.
    2. Description: Optional. Enter a description of the profile.
    3. Level: Select User Level.
  5. Go to Options > SCEP.
  6. Click Configure.
  7. On the SCEP profile page, enter the following information:
    1. URL: Enter the SCEP URL you saved in step 6b above.
    2. Name: Enter a name for the SCEP profile.
    3. Subject: Enter a subject.

      Okta recommends choosing a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID). For a list of supported variables, see Jamf Pro document Payload Variables for Computer Configuration Profiles.

    4. Challenge type: Select Dynamic-Microsoft CA.
      1. URL To SCEP Admin: Enter the Challenge URL you saved in step 6b above.
      2. Username: Enter the Username you saved in step 6f above.
      3. Password: Enter the Password you saved in step 6g above.
      4. Verify Password: Re-enter the Password you saved.
    5. Key Size: Select 2048 and select Use as digital signature.
    6. Allow export from keychain: Leave this unselected. It is good security practice to mark the certificate as non-exportable.
    7. Allow all apps access: Select this option.
  8. Click Save.
  9. Configure the targets that the profile will be deployed to:
    1. Click Configuration Profiles.
    2. Click the applicable configuration profile name.
    3. Click the Scope tab.
    4. Click Edit.
    5. Click + Add.
    6. Locate the required deployment targets, and then click Add.
  10. Click Save.

Verify that the Okta CA was installed on your devices

On a macOS device managed by Jamf Pro, make sure the SCEP profile is installed.

  1. Go to System Preferences > Profiles.
  2. Verify that your dynamic SCEP profile is installed.
  3. Open Keychain > Login.
  4. Verify that a client certificate and associated private key exists.

Configure Okta as a CA for Windows using Workspace ONE

  1. In Okta, download the x509 certificate
  2. In Okta, configure management attestation, generate a SCEP URL and a Secret Key
  3. In Workspace ONE, create a static SCEP profile
  4. In Workspace ONE, Add/Edit a Certificate Template
  5. In Workspace ONE, define a device profile to deploy the Okta Intermediate CA to the Intermediate Store on devices
  6. In Workspace ONE, define a user profile to deploy the Okta CA-issued client certificate to the Personal Store on devices for management attestation
  7. On a Windows computer, verify the certificate installation

In Okta, download the x509 certificate

The x509 certificate you download from Okta is the Organization Intermediate certificate.

  1. In the Okta Admin Console, go to Security > Device integrations > Certificate authority.
  2. For the Okta CA Certificate Authority, click the Download x509 certificate icon in the Actions column.

You will upload the certificate to Workspace ONE later.

In Okta, configure management attestation, generate a SCEP URL and a Secret Key

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. On the Endpoint management page, click Add platform.

    Note: If you add more than one configuration for the same type of platform, see this Known Issue.

  3. Select Desktop (Windows and macOS only) and click Next.
  4. On the Add device management platform page, configure these settings:
    1. Select Use Okta as certificate authority as the Certificate authority.
    2. Select Static SCEP URL as the SCEP challenge type.
    3. Click Generate.
    4. Copy and save the Okta SCEP URL and the Secret key. You will paste these in Workspace ONE in the Create a static SCEP profile phase.

      Note: Save the SCEP URL and Secret Key in a safe place. This is the only time they appear in the Okta Admin Console.

  5. Click Save.

In Workspace ONE, create a static SCEP profile

  1. Sign in to Workspace ONE as an administrator.
  2. In Workspace ONE, click DEVICES (left ribbon bar).
  3. Click Certificates > Certificate Authorities.
  4. Click + ADD.
  5. On the Certificate Authority - Add/Edit page, enter the following values:
    1. Name: Enter a name for the CA.
    2. Description: Optional. Enter a description for the CA.
    3. Authority type: Select Generic SCEP.
    4. SCEP Provider: Basic is entered automatically and can't be changed.
    5. SCEP URL: Copy and paste the SCEP URL you generated in step 6b above.
    6. Challenge Type: Click STATIC.
    7. Static Challenge: Copy and paste the Secret Key you generated in step 6d above.
    8. Confirm Challenge Phrase: Copy and paste the Secret Key you generated in step 6d above.
    9. Retry Timeout: Accept the default value of 30.
    10. Max Retries When Pending: Accept the default value of 5, or specify a different number of retries the system allows while the authority is pending.
    11. Enable Proxy: Accept the default value of DISABLED or select ENABLED if appropriate for your environment. If you select Enabled, Workspace ONE UEM acts as a proxy between the device and the SCEP endpoint defined in the CA configuration.
  6. Click TEST CONNECTION. If you select SAVE before TEST CONNECTION, the Test is unsuccessful error appears.
  7. After the Test is successful message appears, click SAVE AND ADD TEMPLATE. If the test doesn't succeed, ensure that you can access the Okta SCEP URL generated in step 6b above from Workspace ONE UEM.

In Workspace ONE, Add/Edit a Certificate Template

  1. In Workspace ONE, click the Request Templates tab.
  2. Click + ADD.
  3. On the Certificate Template - Add/Edit page, enter the following values:
    1. Name: Enter a name for the template.
    2. Description: Optional. Enter a description for the template.
    3. Certificate Authority: Select the CA you created in Step 3.
    4. Issuing Template: Leave blank or configure as appropriate for your implementation.
    5. Subject Name: Enter CN = {EmailUserName} managementAttestation{DeviceUid}.
    6. Private Key Length: Select 2048.
    7. Private Key Type: Select Signing.
    8. SAN Type: N/A.
    9. Automatic Certificate Renewal: Click DISABLED.
    10. Publish Private Key: Click DISABLED.

In Workspace ONE, define a device profile to deploy the Okta Intermediate CA to the Intermediate Store on devices

  1. In Workspace ONE, click RESOURCES (left ribbon bar).
  2. Click Profiles & Baselines > Profiles.
  3. Click ADD, and then select Add Profile.
  4. Select Windows > Windows Desktop > Device Profile.
  5. On the General page, enter the following information:
    1. Name: Enter a name for the device profile.
    2. Description: Optional. Enter a description for the device profile.
    3. Deployment: Select Managed.
    4. Assignment Type: Accept the default or configure as appropriate for your implementation.
    5. Allow Removal: Accept the default or configure as appropriate for your implementation.
    6. Managed By: Enter the person or group with administrative access to the profile.
    7. Smart Groups: Begin typing the name of the group and then select it from the list.
    8. Exclusions: You can exclude groups from the profile. Accept the default or configure as appropriate for your implementation.
    9. Additional Assignment Criteria: You can schedule the deployment.
    10. Removal Date: You can specify when the profile is removed from the device.
  6. Click Credentials in the left pane.
  7. Click CONFIGURE.
  8. On the Credentials page, enter the following information:
    1. Credential Source: Select Upload.
    2. Certificate: Click Upload and browse to the certificate you downloaded in Step 1.
    3. Key Location: Accept the default or configure as appropriate for your implementation.
    4. Certificate Store: Select Intermediate.
  9. Click SAVE AND PUBLISH.

In Workspace ONE, define a user profile to deploy the Okta CA-issued client certificate to the Personal Store on devices for management attestation

This step creates the management payload that pushes the client certificate information and credential to the client, allowing the client to connect to Okta and request a new client certificate. The client certificate is used for management attestation in Okta Verify-enabled flows.

  1. In Workspace ONE, click RESOURCES (left ribbon bar).
  2. Click Profiles & Baselines > Profiles.
  3. Click ADD, and then select Add Profile.
  4. Select Windows > Windows Desktop > User Profile.
  5. On the General page, enter the following:
    1. Name: Enter a name for the user profile.
    2. Description: Optional. Enter a description for the user profile.
    3. Deployment: Select Managed.
    4. Assignment Type: Select Auto.
    5. Allow Removal: Select Always.
    6. Managed By: Optional. Enter additional admin names.
    7. Smart Groups: Enter the same group(s) you specified in step 5g above.
    8. Exclusions: You can exclude groups from the profile. Accept the default or configure as appropriate for your implementation.
    9. Additional Assignment Criteria: You can schedule a deployment.
    10. Removal Date: You can specify when the profile is removed from the device.
  6. Click Credentials in the left pane.
  7. Click CONFIGURE.
  8. On the Credentials page, enter the following information:
    1. Credential Source: Select Defined Certificate Authority.
    2. Certificate Authority: Select the same Certificate Authority that you configured previously.
    3. Key Location: Select TPM If Present to support devices with or without TPM.
    4. Certificate Store: Select Personal.
  9. Click SAVE AND PUBLISH.

On a Windows computer, verify the certificate installation

  1. Verify that the client certificate was installed:
    1. On the Windows computer, click Start, and then type cert.
    2. Click Manage user certificates.
    3. In Certificates - Current User, click Personal > Certificates.
    4. Make sure the client certificate exists.
  2. Verify the certificate authority (CA):
    1. In Certificates - Local Computer, click Intermediate Certificate Authority > Certificates.
    2. In the Issued To column, find Organization Intermediate Authority.
    3. Make sure the Issued By column specifies Organization Root Authority for Organization Intermediate Authority.

Configure Okta as a CA for Windows using Microsoft Intune

Download the x509 certificate from Okta

  1. In the Okta Admin Console, go to Security > Device Integrations > Certificate Authority.
  2. In the Actions column, click the Download x509 certificate icon.

    You will upload the certificate to Microsoft Endpoint Configuration Manager (MECM) later.

Create a Trusted Certificate profile in MECM

  1. In Microsoft Endpoint Configuration Manager (MECM), go to Devices.
  2. Click Configuration profiles.
  3. Click + Create profile.
  4. In Create a profile, select these values:
    • Platform: Select Windows 10 and later.
    • Profile: Select Trusted certificate.
  5. Click Create.
  6. Follow the steps in the Trusted Certificate Wizard:
    1. Enter a name and (optionally) a description.
    2. Click Next.
    3. Select the x509 certificate that you downloaded from Okta in step 3.
    4. In the Destination store, select Computer certificate store - Intermediate.
    5. Click Next.
    6. Assign the trusted certificate profile to one or more user groups.

      Note: the user group(s) must be the same as the group(s) you will assign the SCEP profile to in Create a SCEP profile in MECM.

    7. Click Next.
    8. Set Applicability Rules.
    9. Click Next.
    10. Review the configuration, and then click Create.

Register the AAD app credentials for Okta in Microsoft Azure

  1. In Microsoft Azure, click App registrations.
  2. Click + New registration.
  3. On the Register an application page, enter the following information:
    1. Name: Enter a meaningful name for the application. Make a note of this for later use.
    2. Supported account types: Select the appropriate, supported account type. Okta tested with Accounts in this organizational directory only ([Your_Tenant_Name] only - Single tenant) selected.
    3. Redirect URI (optional): Leave blank or select Web. Then enter a redirect URI.
  4. Click Register.
  5. On the app page under Essentials, copy and make a note of the Application (client) ID.

    You will paste this value in the Okta Admin Console later.

  6. Add a client secret:
    1. In the left pane, click Certificates & secrets.
    2. Under Client secrets, click + New client secret.
    3. In the Add a client secret section, enter the following information:
      • Description: Optional. Enter a description of the client secret.
      • Expires: Select an expiration time.
    4. Click Add.

      The secret appears under Client secrets.

    5. In the Client secrets section, copy and make a note of the Value.
  7. Set Intune scep_challenge_provider permissions:
    1. In the left pane, click API permissions.
    2. Click + Add a permission.
    3. In the Request API permissions section, scroll down and then click Intune.
    4. Under What type of permissions does your application require? click Application permissions.
    5. In the Select permissions search field, enter scep, and select the scep_challenge_provider checkbox.
    6. Click Add permissions.
    7. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    8. Click Yes in the message that appears.
  8. Set Microsoft Graph Application.Read.All permissions:
    1. Click + Add a permission.
    2. In the Request API permissions section, click Microsoft Graph.
    3. Under What type of permissions does your application require? click Application permissions.
    4. In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.
    5. Click Add permissions.
    6. In the Configured permissions section, click Grant admin consent for [Your_Tenant_Name].
    7. Click Yes in the message that appears.
  9. Set Azure Active Directory Graph Application.Read.All permissions:

    Note: Microsoft Azure portal no longer supports Azure Active Directory Graph. As a workaround, use a PowerShell script to set the Azure Active Directory Graph Application.Read.All permissions.

    1. Create and run a PowerShell script that sets the Azure Active Directory Graph Application.Read.All permissions. See the PowerShell resources: 
    2. Go to the Microsoft Azure portal and verify the Azure Active Directory Graph Application.Read.All permission is assigned to the application in the API permission blade.

Configure management attestation and generate a SCEP URL in Okta

  1. In the Admin Console, go to Security > Device Integrations.
  2. On the Endpoint Management page, click Add Platform.

    Note: If you add more than one configuration for the same type of platform, see this Known Issue.

  3. Select Desktop (Windows and macOS only) and click Next.
  4. Configure the following settings:
    1. Certificate authority: Select Use Okta as certificate authority.
    2. SCEP URL challenge type: Select Delegated SCEP URL (Microsoft Intune only).
    3. Enter the values that you copied from Microsoft Azure into the following fields:
      • AAD client ID: Enter the value you copied from step 5 above.
      • AAD tenant: Enter your AAD tenant name followed by .onMicrosoft.com.
      • AAD secret: Enter the value you copied from step 6e above.
  5. Click Generate.
  6. Copy and save the Okta SCEP URL. You will paste the URL in Microsoft Endpoint Configuration Manager later.

Create a SCEP profile in MECM

  1. In Microsoft Endpoint Configuration Manager (MECM), go to Devices.
  2. Click Configuration profiles.
  3. Click + Create profile.
  4. In Create a profile, enter the following:
    1. Platform: Windows 10 or later
    2. Profile: SCEP certificate
    3. Click Create.
  5. In the SCEP Certificate Wizard, enter a name and (optionally) a description.
  6. Click Next.
  7. Enter the following information:
    1. Certificate type: User
    2. Subject name format (recommended; other formats will also work): CN={{UserPrincipalName}} ManagementAttestation {{AAD_Device_ID}}
    3. Key storage provider: Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
    4. Key usage: Digital signature.
    5. Key length: 2048.
    6. Hash algorithm: Select SHA-2.
  8. Click + Root Certificate.
  9. In the Root Certificate pane, select the trusted certificate that you created earlier in Step 2, and then click OK.
  10. Under Extended key usage, set Predefined values to Client Authentication.
  11. Copy the SCEP URL you generated in Step 8 above and paste it into the SCEP Server URLs field.
  12. Click Next.
  13. Assign the SCEP certificate to the same user group(s) to which you assigned the Trusted certificate profile in step 5f above.
  14. Click Next.
  15. Set Applicability Rules.
  16. Click Next.
  17. Review the configuration, and then click Create.

Verify the certificate installation on a Windows computer

  1. Verify the client certificate installation:
    1. On the Windows computer, click Start, type cert, and then click Manage user certificates.
    2. Look in Personal > Certificates.
  2. Verify the certificate authority:
    1. On the Windows computer, click Start, type cert, and then click Manage user certificates.
    2. Look in Intermediate Certificate Authority > Certificates.
    3. In Issued To, find and double-click Organization Intermediate Authority.
    4. See Issuer: Organization Root Authority.
  3. Verify successful SCEP certificate installation and flow:
    1. On the Windows computer, click Start, type Event, and then click Event Viewer.
    2. Look in Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise > Admin.
    3. In the General tab, find:
      • SCEP: Certificate installed successfully.
      • SCEP: Certificate request generated successfully.