Configure advanced posture checks for device assurance

Early Access release. See Enable self-service features.

To enable this feature, turn on Advanced posture checks.

With Advanced posture checks, you define and implement custom device assurance conditions that aren't available in standard device assurance policies. This feature ensures that all macOS devices meet your unique security standards before accessing corporate resources.

Before you begin

Ensure that these requirements are met:
- macOS version 14.4 or later
- Users must have Okta Verify 9.39.0 on their devices.
To get started with osquery, you require a basic level of proficiency. AI assistants can help you write and modify queries. Review these resources:

Enable custom device check on user devices

First, use your device management solution (MDM) to enable custom posture checks on macOS devices. Okta Verify then collects the custom checks from the devices and applies the device assurance rules to ensure compliance.

To enable custom osquery checks, use your MDM to deploy Okta Verify with a plist file that includes the configuration properties.

Push app configuration change to Okta Verify by using your MDM. See Deploy Okta Verify to macOS devices.
Append the following keys to the corresponding Okta Verify configuration. See Okta Verify configurations for macOS devices.
- OktaVerify.EnableOSQueryCustomChecks
- OktaVerify.OSQueryAllowedDomains

Enable osquery in Okta

In the Admin Console, go to SecurityDevice integrations.
On the Endpoint security tab, click Add endpoint integration, and select osquery.
Select the platform, and save.

Create a custom check

In the Admin Console, go to SecurityAdvanced posture checks.
On the Custom checks tab, click Add custom check.
Configure your posture check.
1. Enter a name and description.
2. Assign a variable to identify this posture check when you configure your device assurance policies.
3. Select macOS.
4. Write your query using standard SQL format. The query must return 1 (pass) or 0 (fail). It must end with a semi-colon.
  Copy
```
SELECT
  CASE
    WHEN global_state = 0 THEN 0
    ELSE 1
  END AS firewall_enabled
FROM
  alf;
```
  Validate and test your queries in a Preview environment before you deploy them to Production. On a device where Advanced Posture Checks have been enabled, run this command from the terminal prompt:
  Copy
```
/Applications/Okta\ Verify.app/Contents/XPCServices/OSQueryService.xpc/Contents/Resources/osqueryd --S --json "YOUR QUERY"
```
  The result of your query must return only one entry in the JSON object. The previous sample query returns this output:
  Copy
```
[
    {"firewall_enabled": "1"}
]
```
Optional. Configure the remediation instructions to display in the browser if the device posture evaluation fails. You can perform the configuration as you're writing your custom checks or later. See Configure custom remediation instructions for device assurance.
Click Save posture check.

Add the custom check to a device assurance policy

Add a device assurance policy or Edit a device assurance policy.
Configure your options for your macOS devices.
In the Custom posture check section, search and select one or more posture checks from the dropdown menu.
Select Enabled to confirm which checks to add to the policy.
Click Save.

Add the device assurance policy to an authentication policy

Follow the steps in Add device assurance to an authentication policy.
For the Device assurance policy is condition, select the device assurance policy that includes the custom checks.