Deploy Okta Verify to iOS devices with Microsoft Endpoint Manager

You can deploy Okta Verify to iOS devices using Microsoft Endpoint Manager (MEM).

Microsoft Endpoint Manager is a solution platform that unifies several Microsoft services. It includes Microsoft Intune (for cloud-based device management), Configuration Manager (for on premises device management), Co-management, Endpoint Analytics, Azure Active Directory, Windows Autopilot, and the Microsoft Endpoint Manager admin center.

You can use this procedure if you're using any of these services, for example, Microsoft Intune.

• Task 1: Get an Apple MDM push certificate for MEM
• Task 2: Enroll your iOS devices with your MEM
• Task 3: Push Okta Verify to iOS devices from the Apple App Store
• Task 4: Create an app configuration policy for iOS devices
• Task 5: Configure seamless SSO for iOS devices with MEM

Task 1: Get an Apple MDM push certificate for MEM

Complete the Microsoft procedure to get an Apple MDM push certificate.

See Get an Apple MDM Push certificate.

Task 2: Enroll your iOS devices with your MEM

Complete the Microsoft procedure to enroll iOS devices in Microsoft Intune.

See Enroll iOS and iPadOS devices in Microsoft Intune.

Task 3: Push Okta Verify to iOS devices from the Apple App Store

1. In the Microsoft Endpoint Manager admin center, go to Apps.

2. Click All apps.

3. Click Create.

4. In the Select app type pane, select iOS store app.

5. Click Select.

6. Click Search the App Store.

7. Enter Okta Verify in the search field.

8. Click Okta Verify to select it from the list.

9. Click Select.

10. On the Add App page App information tab, enter the following information:

    • Name: Enter a name for the app, for example, iOS Okta Verify.

    • Description: Enter a description for the app.

    • Publisher: Enter Okta, Inc.

    • Minimum operating system: If this field isn't automatically populated, enter the minimum required operating system on which the app can be installed.

    • Applicable device type: If this field isn't automatically populated, select the device types that can use the app.

    You can configure other settings that aren't listed here, but these fields are required.

11. Click Next.

12. On the Add App page Assignments tab, assign the app to your relevant groups.

13. Click Next.

14. On the Add App page, under the Review + create tab, review the app information, and click Create.

Task 4: Create an app configuration policy for iOS devices

1. In the Microsoft Endpoint Manager admin center, go to Apps.

2. Go to Manage appsConfiguration.

3. Click + Create and select Managed devices.

4. On the Create app configuration policy page, under the Basics tab, enter the following information:

   • Name: Enter a name for the policy.

   • Description: Enter an optional description for the app configuration.

   • Platform: Select iOS/iPadOS.

   • Targeted app: Click Select app, click the Okta Verify iOS app that you added in Task 3, and then click OK.

5. Click Next.

6. On the Create app configuration policy page, under the Settings tab, enter the following information:

   • Configuration settings format: Select Use configuration designer.

   • Enter the following values for the XML property list:

     • Configuration key: managementHint

     • Value type: String

     • Configuration value: Enter the secret key that you obtained from the Okta Admin Console.

       See Configure Device Management for mobile devices.

7. Click Next.

8. On the Create app configuration policy page, under the Assignments tab, assign the app to groups. Click Next.

9. On the Create app configuration policy page, under the Review + create tab, review the app configuration, and click Create.

Task 5: Configure seamless SSO for iOS devices with MEM

You can configure seamless SSO so that end users don't see more Okta Verify browser prompts when they sign in. Instead, Okta Verify silently signs in the user or prompts the user for Touch ID when they access an org or app.

Before you begin, ensure that Safari is the default browser on the managed device.

For Workspace ONE instructions, see Configure an SSO extension on iOS devices.

Procedure

1. In the Microsoft Endpoint Manager admin center, go to Devices.

2. Under the Manage devices by platform tab, click iOS/iPadOS.

3. Go to Manage devicesConfiguration.

4. Click + Create and select New Policy.

5. On the Create a profile page, enter the following information:

   • Platform: Select iOS/iPadOS.

   • Profile type: Select Templates and then select Device features.

6. Click Create.

7. On the Device features page Basics tab, enter the following information:

   • Name: Enter a name for the profile, for example, iOS seamless SSO

   • Description: Enter an optional description for the profile.

8. Click Next.

9. On the Device features page, under the Configuration settings tab, expand the Single sign-on app extension section. Enter the following information:

   • SSO app extension type: Select Credential.

   • Extension ID: Enter com.okta.mobile.auth-service-extension

   • Team ID: Optional. Enter the 10-character team identifier of your SSO app extension generated by Apple.

   • Realm: Enter Okta Device

   • Domains: Enter your Okta org domain, without the protocol scheme.

     For example, enter yourdomain.example.com not https://yourdomain.example.com

   • Additional configuration: Enter the following:

     • Key: Enter managementHint

     • Type: Select String.

     • Value: Enter the secret key that you obtained from the Okta Admin Console.

       See Configure Device Management for mobile devices.

10. Click Next.

11. On the Device features page, under the Assignments tab, assign the device features to groups. Click Next.

12. On the Device features page, under the Review + create tab, review the configuration, and then click Create.

You can confirm that the SSO profile was successfully installed on an iOS device. Go to SettingsGeneralVPN & Device Management and confirm that the SSO profile is listed.