Enable phishing-resistant authentication for Universal Windows Platform apps

To use phishing-resistant authentication with Microsoft Universal Windows Platform (UWP) and Office 365 apps, you must run a script on each Windows device that grants Okta Verify a loopback exemption.

Background

To maintain network isolation, UWP apps are blocked from making loopback connections for Inter-Process Communication (IPC) by default. Okta Verify, however, relies on a loopback connection between the authenticating app and itself. Because that channel never leaves the device, it is the mechanism that makes the authentication prompt phishing-resistant.

To ensure that Okta Verify works as intended with UWP apps, you need to add a loopback exemption for the UWP packages that broker sign-in. The PowerShell script below does this with the CheckNetIsolation.exe tool. See Enabling loopback for a UWP application.

Enable the exemption

Run the script from an elevated Windows PowerShell session:

  1. Click the Windows Start button.

  2. Type PowerShell to find the Windows PowerShell app. Right-click the app, and select Run as administrator.

    You can also run the script through your device management solution. Because the script looks for package folders under the signed-in user's %LOCALAPPDATA%, run it in that user's context rather than as SYSTEM, or it finds no packages to exempt.

  3. Copy the following script into the Windows PowerShell window and execute the script. To confirm that the exemptions were applied, run CheckNetIsolation.exe LoopbackExempt -s, which lists the exempted package family names.

    # Package family names appear as folder names under %LOCALAPPDATA%\packages
    $packageFolder = [System.Environment]::GetEnvironmentVariable("LOCALAPPDATA") + "\packages"
    $packages = Get-ChildItem -Path $packageFolder | Where-Object { ($_.Name -Match "Microsoft\.AAD\.BrokerPlugin") -or ($_.Name -Match "AuthHost") } | Select-Object -ExpandProperty Name

    foreach ($package in $packages)
    {
        Write-Host "Creating loopback exemption for" $package
        # -a adds the exemption; -n= takes the package family name
        $command = "CheckNetIsolation.exe LoopbackExempt -a -n=" + $package
        cmd.exe /c $command
    }

Revert the exemption

You can revert the loopback exemption to its default behavior with the following script. Remove the exemption when a device no longer needs it, because it widens the network isolation boundary of the exempted packages.

As before, run the script from an elevated Windows PowerShell session:

  1. Click the Windows Start button.

  2. Type PowerShell to find the Windows PowerShell app. Right-click the app, and select Run as administrator.

    You can also run the script through your device management solution. As with the enabling script, run it in the signed-in user's context so that the package folders under %LOCALAPPDATA% are found.

  3. Copy the following script into the Windows PowerShell window and execute the script. To confirm that the exemptions were removed, run CheckNetIsolation.exe LoopbackExempt -s; the packages should no longer be listed.

    # Same package discovery as the enabling script
    $packageFolder = [System.Environment]::GetEnvironmentVariable("LOCALAPPDATA") + "\packages"
    $packages = Get-ChildItem -Path $packageFolder | Where-Object { ($_.Name -Match "Microsoft\.AAD\.BrokerPlugin") -or ($_.Name -Match "AuthHost") } | Select-Object -ExpandProperty Name

    foreach ($package in $packages)
    {
        Write-Host "Reverting loopback exemption for" $package
        # -d deletes the exemption; -n= takes the package family name
        $command = "CheckNetIsolation.exe LoopbackExempt -d -n=" + $package
        cmd.exe /c $command
    }
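The following script is an added example that is not Okta's own; it combines the enabling and reverting procedures above into one script that verifies its result. It adds the exemptions, or removes them when run with -Revert, and then compares the package family names against the live exemption list that CheckNetIsolation.exe LoopbackExempt -s prints, exiting non-zero on any mismatch so that a device management solution can detect a failed run. It assumes it runs in the signed-in user's context (so %LOCALAPPDATA% is that user's profile) and that each entry in the -s listing carries a "Name:" line; both are assumptions, not something the page states.

```powershell
# Added example, not Okta's script. Adds or, with -Revert, removes the loopback
# exemptions for the sign-in broker packages, then checks the result against
# CheckNetIsolation's own exemption list. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Revert
)

# Assumption: the script runs in the signed-in user's context. The package
# family names are read from that user's %LOCALAPPDATA%\Packages; under the
# SYSTEM account that path points at the system profile instead.
$packageFolder = Join-Path $env:LOCALAPPDATA 'Packages'
$pattern       = 'Microsoft\.AAD\.BrokerPlugin|AuthHost'

function Get-BrokerPackages {
    Get-ChildItem -Path $packageFolder -Directory |
        Where-Object { $_.Name -match $pattern } |
        Select-Object -ExpandProperty Name
}

function Get-LoopbackExemptPackages {
    # "LoopbackExempt -s" prints the current exemptions. Parsing assumption:
    # each entry carries a "Name: <package family name>" line.
    & CheckNetIsolation.exe LoopbackExempt -s |
        ForEach-Object { if ($_ -match '^\s*Name:\s*(\S+)') { $Matches[1] } }
}

function Set-LoopbackExemption {
    param([string]$Package, [switch]$Remove)
    $flag = if ($Remove) { '-d' } else { '-a' }
    # -n= takes the package family name; pass it as a single argument.
    & CheckNetIsolation.exe LoopbackExempt $flag "-n=$Package" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$packages = @(Get-BrokerPackages)
if ($packages.Count -eq 0) {
    Write-Error "No package folders matching '$pattern' under $packageFolder"
    exit 1
}

foreach ($package in $packages) {
    $verb = if ($Revert) { 'Removing' } else { 'Creating' }
    Write-Host "$verb loopback exemption for $package"
    if (-not (Set-LoopbackExemption -Package $package -Remove:$Revert)) {
        Write-Warning "CheckNetIsolation returned $LASTEXITCODE for $package"
    }
}

# Verify against the live exemption list rather than trusting exit codes alone.
# -contains compares case-insensitively, which matters because the listing may
# report package family names in lower case.
$exempt = @(Get-LoopbackExemptPackages)
$wrong  = foreach ($package in $packages) {
    $isExempt = $exempt -contains $package
    if ($Revert -and $isExempt)           { $package }
    if (-not $Revert -and -not $isExempt) { $package }
}

if ($wrong) {
    Write-Error ("Exemption state is wrong for: " + ($wrong -join ', '))
    exit 1
}
Write-Host "Verified $($packages.Count) package(s)."
exit 0
```

Run it as .\Set-OktaLoopbackExemption.ps1 to enable and .\Set-OktaLoopbackExemption.ps1 -Revert to undo (the file name is illustrative). The verification step is the point: a non-zero exit from CheckNetIsolation.exe is only a warning here, and the final state is read back from the tool's own listing, so a device that silently failed to apply the exemption shows up as a failed deployment rather than as a later sign-in problem.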

Related topics

Phishing-resistant authentication