Configure Okta as a CA with static SCEP challenge for macOS with Jamf Pro
Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted macOS devices. This topic describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a static SCEP profile using Jamf Pro.
You can use any device management solution that supports the deployment of an Apple SCEP MDM payload. However, this procedure covers device management with Jamf Pro and configuring a static SCEP profile.
Before you begin
Make sure that you have access to the following:
- Okta Admin Console
- Any device management solution that supports the deployment of a SCEP payload. This procedure was tested with Jamf Pro.
Start this procedure
Generate a SCEP URL and secret key
- In the Admin Console, go to .
- On the Endpoint management tab, click Add platform.
- Select Desktop (Windows and macOS only), then click Next.
- On the Add device management platform page, select the following options:
  - Certificate authority: Use Okta as certificate authority
  - SCEP URL challenge type: Static SCEP URL
- Click Generate.
- Copy and save the SCEP URL and the secret key in a safe place. This is the only time that they appear in the Okta Admin Console. These values are required in Jamf Pro.
- Click Save.
Create a static SCEP profile
The SCEP profile specifies settings that allow a device to get certificates from a Certificate Authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. As Okta tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.
Okta as a CA doesn't support renewal requests. Instead, before the certificate expires, redistribute the profile to replace the expiring certificate. Configure all MDM SCEP policies to allow for profile redistribution.
To create the SCEP profile in Jamf Pro:
- In Jamf Pro, go to .
- Click New.
- On the General page, enter the following information:
  - Name: Enter a name for the profile.
  - Description: Optional. Enter a description of the profile.
  - Level: Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure that all users of the device are managed, select Computer Level. If you want only specific users of a device to be identified as managed, select User Level.
- Click SCEP, then click Configure.
- For the SCEP profile, enter the following information:
  - URL: Paste the SCEP URL that you saved in step 1.
  - Name: Enter a name for the SCEP profile.
  - Redistribute Profile: Choose a time frame to redistribute the profile when its SCEP-issued certificate is the specified number of days from expiring. Okta doesn't support automatic certificate renewal. Redistribute the profile to replace the expiring certificate.
  - Subject: Enter a name to identify the certificate. This field has a 64-character limit. Jamf Pro automatically adds a $PROFILE_IDENTIFIER when redistributing profiles, which counts toward the 64-character limit. Exceeding this limit causes profile redistribution and certificate renewal to fail. Okta has no specific format requirements for the Subject field. You can use this field to indicate the certificate's purpose as a device management signal for Okta, optionally including Jamf Pro variables such as $UDID or $EMAIL. Examples (ma denotes management attestation):
    - Computer Level: CN=$COMPUTERNAME ma $UDID
    - User Level: CN=$EMAIL ma $UDID
    Always test your SCEP configurations in a non-production environment to ensure that certificates are issued and renewed successfully.
  - Challenge Type: Select Static.
  - Challenge: Paste the secret key that you saved in step 1.
  - Verify Challenge: Paste the secret key again.
  - Key Size: Select 2048.
  - Use as digital signature: Select this option.
  - Allow export from keychain: Clear this option.
  - Allow all apps access: Select this option.
- Click Save.
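As an added check that is not part of this Okta topic or of Jamf Pro, the following Python script validates the SCEP payload of an exported configuration profile (.mobileconfig) against the settings above, using Apple's SCEP payload keys (Keysize, Key Usage, KeyIsExtractable, AllowAllAppsAccess, Subject). The sample profile, its payload identifiers, and the URL and secret placeholders are constructed for the example; export the real profile from Jamf Pro and pass its bytes to check_mobileconfig.

```python
import plistlib

SCEP_TYPE = "com.apple.security.scep"
MAX_SUBJECT_LEN = 64  # limit of the Jamf Pro Subject field described above

def render_subject(subject):
    # Apple stores Subject as [[[type, value], ...], ...]; rebuild "CN=..., O=..."
    return ", ".join("=".join(pair) for rdn in subject for pair in rdn)

def check_scep_payload(payload):
    """Return a list of findings for one SCEP payload dict (empty = matches this topic)."""
    c = payload.get("PayloadContent", {})
    findings = []
    if not c.get("URL"):
        findings.append("URL is empty; paste the SCEP URL generated in Okta")
    if not c.get("Challenge"):
        findings.append("Challenge is empty; static SCEP needs the Okta secret key")
    if c.get("Keysize") != 2048:
        findings.append(f"Keysize is {c.get('Keysize')}, expected 2048")
    if not c.get("Key Usage", 0) & 1:  # bit 1 = digital signature
        findings.append("Key Usage does not include digital signature")
    if c.get("KeyIsExtractable", True):  # Jamf 'Allow export from keychain'
        findings.append("private key is exportable from the keychain; clear that option")
    if not c.get("AllowAllAppsAccess", False):  # Jamf 'Allow all apps access'
        findings.append("AllowAllAppsAccess is off; Okta Verify needs access to the certificate")
    subject = render_subject(c.get("Subject", []))
    if len(subject) > MAX_SUBJECT_LEN:
        findings.append(f"Subject is {len(subject)} characters, over the {MAX_SUBJECT_LEN} limit")
    return findings

def check_mobileconfig(data):
    """Map each SCEP payload identifier in a .mobileconfig (bytes) to its findings."""
    profile = plistlib.loads(data)
    return {p["PayloadIdentifier"]: check_scep_payload(p)
            for p in profile.get("PayloadContent", []) if p.get("PayloadType") == SCEP_TYPE}

def build_sample_profile(keysize, extractable, subject):
    # Constructed sample shaped like a Jamf-exported profile; URL and Challenge are placeholders.
    content = {"URL": "https://SCEP-URL-FROM-OKTA", "Name": "Okta CA", "Challenge": "SECRET-KEY-FROM-OKTA",
               "Keysize": keysize, "Key Type": "RSA", "Key Usage": 1, "KeyIsExtractable": extractable,
               "AllowAllAppsAccess": True, "Subject": [[["CN", subject]]]}
    payload = {"PayloadType": SCEP_TYPE, "PayloadIdentifier": "example.okta-scep.cert", "PayloadContent": content}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadIdentifier": "example.okta-scep",
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    for label, args in (("hardened", (2048, False, "$COMPUTERNAME ma $UDID")),
                        ("weak", (1024, True, "x" * 70))):
        print(label, check_mobileconfig(build_sample_profile(*args)))
```

The rendered Subject length is reported without the $PROFILE_IDENTIFIER suffix that Jamf Pro appends on redistribution, so leave headroom below 64 characters.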