Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro
Configure a Certificate Authority (CA), so you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a dynamic Simple Certificate Enrollment Protocol (SCEP) profile using Jamf Pro.
Before you begin
Make sure you have access to the following:
- Certificates deployed for digital signature, but not for other purposes (for example, encryption)
- Okta Admin Console
- Jamf Pro dashboard
If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.
Start this procedure
- Task 1: Generate a SCEP URL
- Task 2: Create a dynamic SCEP profile in Jamf Pro
- Task 3: Configure targets for the SCEP profile in Jamf Pro
- Task 4: Verify that the Okta CA was installed on your devices
- In the Admin Console, go to .
- On the Endpoint management tab, click Add platform.
- Select Desktop (Windows and macOS only), then click Next.
- On the Add device management platform page, select the following options:
For this Select Certificate Authority Use Okta as Certificate Authority. SCEP URL challenge type Dynamic SCEP URL and verify that Generic is selected.
- Click Generate.
- Copy and save the following values:
- SCEP URL
- Challenge URL
To reveal the password, click Show password . Save the Password in a safe place. This is the only time that it appears in the Admin Console. These values are required in Jamf Pro.
- Click Save.
The SCEP profile specifies settings that allow a device to get certificates from a Certificate Authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.
Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. All MDM SCEP policies should be configured to allow for profile redistribution.
To create the SCEP profile in Jamf Pro.
- In Jamf Pro, go to .
- Click New.
- On the General page, enter the following information:
For this Do this Name Enter a name for the profile. Description Optional. Enter a description of the profile. Level Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure that all users of the device are managed, you should select Computer Level.
If you only want specific users of a device to be identified as managed, you should select User Level.
- Click SCEP, and then click Configure.
- For the SCEP profile, enter the following information:
For this Do this URL Paste the SCEP URL that you saved in Task 1. Name Enter a name for the SCEP profile. Redistribute Profile Choose a time frame for the profile to be redistributed when its SCEP-issused certificate is the specified number of days from expiring.
Okta doesn't support automatic certificate renewal. The profile must be redistributed to replace the expired certificate.
Subject Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID
If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID
Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID) and user identifier. For a list of supported variables, see Jamf Pro document Payload Variables for Computer Configuration Profiles.
Challenge Type Select Dynamic-Microsoft CA. URL To SCEP Admin Enter the challenge URL that you saved in Task 1. Username Enter the username that you saved in Task 1. Password Enter the password that you saved in Task 1. Verify Password Re-enter the password that you saved in Task 1. Key Size Select 2048. Use as digital signature Select this option. Allow export from keychain Clear this option. It is good security practice to mark the certificate as non-exportable. Allow all apps access Select this option.
- Click Save.
If you are using Jamf Pro to manage the device, the next step is to configure the targets that the profile will be deployed to.
To configure targets in Jamf Pro.
- In Jamf Pro, go to .
- Select the SCEP configuration profile name that you created in Task 2: Create a dynamic SCEP profile in Jamf Pro.
- Click Scope.
- Click Edit.
- Click Add.
- Select a deployment target, and then click Add. Repeat this step for all required targets.
- Click Save.
- On a macOS device that is managed by Jamf Pro, go to .
- Open .
- Verify that a client certificate and associated private key exists.