Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure a Certificate Authority (CA) so that you can issue client certificates to your targeted macOS devices. This procedure describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a dynamic SCEP profile using Jamf Pro.

Before you begin

Make sure you have access to the following:

  • Certificates deployed for digital signature, but not for other purposes (for example, encryption)
  • Okta Admin Console
  • Jamf Pro dashboard

If you're using AirWatch, use static SCEP. AirWatch has known issues with dynamic SCEP.

Start this procedure

Task 1: Generate a SCEP URL

  1. In the Admin Console, go to Security > Device integrations.
  2. On the Endpoint management tab, click Add platform.
  3. Select Desktop (Windows and macOS only), then click Next.
  4. On the Add device management platform page, select the following options:
    For this | Select
    Certificate Authority | Use Okta as Certificate Authority.
    SCEP URL challenge type | Dynamic SCEP URL and verify that Generic is selected.
  5. Click Generate.
  6. Copy and save the following values:
    • SCEP URL
    • Challenge URL
    • Username
    • Password

    To reveal the password, click Show password. Save the Password in a safe place. This is the only time that it appears in the Admin Console. These values are required in Jamf Pro.

  7. Click Save.

Task 2: Create a dynamic SCEP profile in Jamf Pro

The SCEP profile specifies settings that allow a device to get certificates from a Certificate Authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). You can use any device management solution that supports SCEP to configure the profile. Because Okta has tested the deployment of SCEP profiles using Jamf Pro, the following steps illustrate how to create the profile using Jamf Pro.

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. All MDM SCEP policies should be configured to allow for profile redistribution.

To create the SCEP profile in Jamf Pro:

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click New.
  3. On the General page, enter the following information:
    For this | Do this
    Name | Enter a name for the profile.
    Description | Optional. Enter a description of the profile.
    Level | Select the appropriate level for the certificate. Okta Verify uses this certificate to identify managed devices and managed users. To ensure that all users of the device are managed, you should select Computer Level.

    If you only want specific users of a device to be identified as managed, you should select User Level.

  4. Click SCEP, and then click Configure.
  5. For the SCEP profile, enter the following information:
    For this | Do this
    URL | Paste the SCEP URL that you saved in Task 1.
    Name | Enter a name for the SCEP profile.
    Redistribute Profile | Choose a time frame for the profile to be redistributed when its SCEP-issued certificate is the specified number of days from expiring.

    Okta doesn't support automatic certificate renewal. The profile must be redistributed to replace the expired certificate.

    Subject | Enter an appropriate subject name. For example, if you selected Computer Level, set the subject to indicate the device name: CN=$COMPUTERNAME managementAttestation $UDID

    If you selected User Level, set the subject name to indicate a user: CN=$EMAIL managementAttestation $UDID

    Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Jamf Pro to include the device ID (UDID) and user identifier. For a list of supported variables, see the Jamf Pro document Payload Variables for Computer Configuration Profiles.

    Challenge Type | Select Dynamic-Microsoft CA.
    URL To SCEP Admin | Enter the challenge URL that you saved in Task 1.
    Username | Enter the username that you saved in Task 1.
    Password | Enter the password that you saved in Task 1.
    Verify Password | Re-enter the password that you saved in Task 1.
    Key Size | Select 2048.
    Use as digital signature | Select this option.
    Allow export from keychain | Clear this option. It is good security practice to mark the certificate as non-exportable.
    Allow all apps access | Select this option.
  6. Click Save.
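
One way to check an exported copy of this profile against the key settings in step 5 (an added example, not Okta or Jamf code). It assumes an unsigned .mobileconfig export and Apple's com.apple.security.scep payload keys (Keysize, Key Usage, KeyIsExtractable, AllowAllAppsAccess) as the counterparts of the Jamf Pro fields; the sample profile, its URL and its subject are constructed placeholders.

```python
import plistlib

# Constructed sample: an unsigned profile containing one SCEP payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadContent</key><dict>
      <key>URL</key><string>https://scep.example.invalid/placeholder</string>
      <key>Subject</key><array><array><array>
        <string>CN</string><string>mac-01 managementAttestation PLACEHOLDER-UDID</string>
      </array></array></array>
      <key>Keysize</key><integer>2048</integer>
      <key>Key Usage</key><integer>1</integer>
      <key>KeyIsExtractable</key><false/>
      <key>AllowAllAppsAccess</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_scep_profile(data: bytes) -> list[str]:
    """Return findings; an empty list means the payload matches step 5."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.security.scep"]
    if not payloads:
        return ["no com.apple.security.scep payload found"]
    findings = []
    for p in payloads:
        scep = p.get("PayloadContent", {})
        # Key Size: 2048
        if scep.get("Keysize") != 2048:
            findings.append(f"Keysize is {scep.get('Keysize')}, expected 2048")
        # Use as digital signature: Key Usage bitmask 1 = signing only
        if scep.get("Key Usage") != 1:
            findings.append("Key Usage is not signing-only (1)")
        # Allow export from keychain cleared: key absent defaults to exportable
        if scep.get("KeyIsExtractable", True):
            findings.append("private key is exportable")
        # Allow all apps access selected: key absent defaults to false
        if not scep.get("AllowAllAppsAccess", False):
            findings.append("AllowAllAppsAccess is not enabled")
    return findings


if __name__ == "__main__":
    print(audit_scep_profile(SAMPLE_PROFILE) or "profile matches step 5")
```

A profile signed by the MDM server is CMS-wrapped and must be unwrapped before `plistlib` can parse it.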

Task 3: Configure targets for the SCEP profile in Jamf Pro

If you are using Jamf Pro to manage the device, the next step is to configure the targets that the profile will be deployed to.

To configure targets in Jamf Pro:

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Select the SCEP configuration profile name that you created in Task 2: Create a dynamic SCEP profile in Jamf Pro.
  3. Click Scope.
  4. Click Edit.
  5. Click Add.
  6. Select a deployment target, and then click Add. Repeat this step for all required targets.
  7. Click Save.

Task 4: Verify that the Okta CA was installed on your devices

  1. On a macOS device that is managed by Jamf Pro, go to System Preferences > Profiles.
  2. Open Keychain > Login.
  3. Verify that a client certificate and associated private key exist.

Next steps

Add an authentication policy rule for desktop