Deploy Okta Verify to iOS devices with Microsoft Intune

You can use this procedure to deploy Okta Verify to iOS devices using Microsoft Intune as your Mobile Device Management (MDM) solution.

• Get an Apple MDM push certificate
• Enroll your iOS devices
• Push Okta Verify to iOS devices
• Create an app configuration policy for iOS devices
• Configure seamless SSO for iOS devices

Get an Apple MDM push certificate

Complete the Microsoft procedure to get an Apple MDM Push certificate.

Enroll your iOS devices

Complete the Microsoft procedure to enroll iOS and iPadOS devices in Microsoft Intune.

Push Okta Verify to iOS devices

1. In the Microsoft Intune admin center, go to Apps.

2. Go to All apps and click Create.

3. In the Select app type pane, select iOS store app.

4. Click Select.

5. Click Search the App Store.

6. Enter Okta Verify in the search field and click Okta Verify to choose it from the list of results.

7. Click Select.

8. On the App information tab of the Add App page, enter the following information:

   • Name: Enter a name for the app, for example, iOS Okta Verify.

   • Description: Enter a description for the app.

   • Publisher: Enter Okta, Inc.

   • Minimum operating system: If this field isn't automatically populated, enter the minimum required operating system on which the app can be installed.

   • Applicable device type: If this field isn't automatically populated, select the device types that can use the app.

   You can configure other settings that aren't listed here, but these fields are required.

9. Click Next.

10. On the Assignments tab of the Add App page, assign the app to your relevant groups. Click Next.

11. On the Review + create tab of the Add App page, review the app information, and click Create.

Create an app configuration policy for iOS devices

1. In the Microsoft Intune admin center, go to Apps.

2. Go to Manage appsConfiguration.

3. Click Create and select Managed devices.

4. Open the Basics tab of the Create app configuration policy page, and enter the following information:

   • Name: Enter a name for the policy.

   • Description: Enter an optional description for the app configuration.

   • Platform: Select iOS/iPadOS.

   • Targeted app: Click Select app. Then select the Okta Verify iOS app that you added in the previous task and click OK.

5. Click Next.

6. Open the Settings tab of the Create app configuration policy page, and enter the following information:

   • Configuration settings format: Select Use configuration designer.

   • Enter the following values for the XML property list:

     • Configuration key: managementHint

     • Value type: String

     • Configuration value: Enter the secret key that you obtained from the Okta Admin Console. See Configure Device Management for mobile devices.

7. Click Next.

8. On the Assignments tab of the Create app configuration policy page, assign the app to the appropriate groups. Click Next.

9. On the Review + create tab of the Create app configuration policy page, review the app configuration.

10. Click Create.

Configure seamless SSO for iOS devices

You can configure seamless SSO so that users don't see additional Okta Verify browser prompts when they sign in. Instead, Okta Verify silently signs in the user or prompts the user for Touch ID when they access an app in your org.

Before you begin, ensure that Safari is the default browser on the managed device.

1. In the Microsoft Intune admin center, go to Devices.

2. Under the Manage devices by platform tab, click iOS/iPadOS.

3. Go to Manage devicesConfiguration.

4. Click Create and select New Policy.

5. On the Create a profile page, enter the following information:

   • Platform: Select iOS/iPadOS.

   • Profile type: Select Templates and then select Device features.

6. Click Create.

7. On the Basics tab of the Device features page, enter the following information:

   • Name: Enter a name for the profile, for example, iOS seamless SSO

   • Description: Enter an optional description for the profile.

8. Click Next.

9. Open the Configuration settings tab of the Device features page and expand the Single sign-on app extension section. Enter the following information:

   • SSO app extension type: Select Credential.

   • Extension ID: Enter com.okta.mobile.auth-service-extension

   • Team ID: Optional. Enter the 10-character team identifier of your SSO app extension generated by Apple.

   • Realm: Enter Okta Device

   • Domains: Enter your Okta org domain, without the protocol prefix. For example, instead of https://yourdomain.example.com, enter yourdomain.example.com

   • Additional configuration: Enter the following:

     • Key: Enter managementHint

     • Type: Select String

     • Value: Enter the secret key that you obtained from the Okta Admin Console. See Configure Device Management for mobile devices.

10. Click Next.

11. On the Assignments tab of the Device features page, assign the device features to the appropriate groups. Click Next.

12. On the Review + create tab of the Device features page, review the configuration.

13. Click Create.

You can confirm that the SSO profile installed successfully on an iOS device. Go to SettingsGeneralVPN & Device Management and confirm that the SSO profile is listed.