Deploy Okta Verify to iOS devices using MEM (formerly Intune)

You can deploy Okta Verify to iOS devices using Microsoft Endpoint Manager (MEM).

Microsoft Endpoint Manager (MEM) is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management, Configuration Manager for on-premises device management, Co-management, Desktop Analytics, Windows Autopilot, Azure Active Directory, and Endpoint Manager admin center. You can use this procedure if you are using any of these services. For example, you can use this procedure if you are using Microsoft Intune.

Task 1: Get an Apple MDM push certificate for MEM

Complete the Microsoft procedure to get an Apple MDM push certificate.

See Get an Apple MDM Push certificate for Intune.

Task 2: Enroll your iOS devices with your MEM

Complete the Microsoft procedure to enroll iOS devices in Intune.

See Enroll iOS devices in Intune using Microsoft Intune.

Task 3: Push Okta Verify to iOS devices from the Apple App Store

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Apps.

  2. Click All apps.

  3. Click + Add.

  4. In the Select app type pane, select iOS store app.

  5. Click Select.

  6. Click Search the App Store.

  7. Enter Okta Verify in the search field.

  8. Click Okta Verify to select it from the list.

  9. Click Select.

  10. On the Add App page App information tab, enter the following information:

    You can configure additional settings that are not listed, but these are required.

    • Name: Enter a name for the app. For example, iOS Okta Verify.

    • Description: Enter a description for the app.

    • Publisher: Enter Okta, Inc.

    • Minimum operating system: Enter the minimum required operating system on which the app can be installed, if not automatically populated.

    • Applicable device type: Select the device types that can use the app, if not automatically populated.

  11. Click Next.

  12. On the Add App page Assignments tab, assign the app to groups.

  13. Click Next.

  14. On the Add App page Review + create tab, review the app information, and then click Create.

Task 4: Create an app configuration policy for iOS devices

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Apps.

  2. Click App configuration policies.

  3. Click + Add > Managed devices.

  4. On the Create app configuration policy page Basics tab, enter the following information:

    • Name: Enter a name for the policy.

    • Description: Optional. Enter a description for the app configuration.

    • Platform: Select iOS/iPadOS.

    • Targeted app: Click Select app, click the Okta Verify iOS app that you added in Task 3, and then click OK.

  5. Click Next.

  6. On the Create app configuration policy page Settings tab, enter the following information:

    • Configuration settings format: Select Use configuration designer.

    • Enter the following values for the XML property list:

  7. Click Next.

  8. On the Create app configuration policy page Assignments tab, assign the app to groups.

  9. Click Next.

  10. On the Create app configuration policy page Review + create tab, review the app configuration, and then click Create.

Task 5: Configure seamless SSO for iOS devices using MEM

You can configure seamless SSO so that end users won't see additional Okta Verify browser prompts when they sign in. Instead, Okta Verify silently signs in the user or prompts the user for Touch ID when they access an org or application.

For Workspace ONE instructions, see Configure an SSO extension on iOS devices.

Before you begin, ensure that the default browser on the managed device is Safari.

  1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.

  2. Click Configuration Profiles.

  3. Click + Create profile.

  4. On the Create a profile page, enter the following information:

    • Platform: Select iOS/iPadOS.

    • Profile type: Select Device features.

  5. Click Create.

  6. On the Device features page Basics tab, enter the following information:

    • Name: Enter a name for the profile. For example, iOS seamless SSO.

    • Description: Optional. Enter a description for the profile.

  7. Click Next.

  8. On the Device features page Configuration settings tab, expand Single sign-on app extension, and then enter the following information:

    • SSO app extension type: Select Credential.

    • Extension ID: Enter com.okta.mobile.auth-service-extension

    • Team ID: Optional. Enter the 10-character team identifier of your SSO app extension that was generated by Apple.

    • Realm: Enter Okta Device

    • Domains: Enter your Okta org domain without the protocol scheme.

      For example, enter yourdomain.example.com, not https://yourdomain.example.com

    • Additional configuration: Enter the following:

  9. Click Next.

  10. On the Device features page Assignments tab, assign the device features to groups.

  11. Click Next.

  12. On the Device features page Review + create tab, review the configuration, and then click Create.

You can confirm that the SSO profile was successfully installed on an iOS device. Go to Settings > General > VPN & Device Management and confirm that the SSO profile is listed there.
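To check the Task 5 values before assigning the profile, the following added example (not part of the original procedure or of Okta's or Microsoft's tooling) validates an exported profile against the settings listed above. It assumes the profile is an Apple configuration profile in plist form that carries the settings in Apple's Extensible SSO payload (com.apple.extensiblesso, with the keys Type, ExtensionIdentifier, TeamIdentifier, Realm and Hosts); the function names and the sample profile are hypothetical and constructed for the demo.

```python
import plistlib

# Values from Task 5 on this page.
EXPECTED_EXTENSION_ID = "com.okta.mobile.auth-service-extension"
EXPECTED_REALM = "Okta Device"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # assumption: Apple Extensible SSO payload

def check_sso_profile(profile_bytes, org_domain):
    """Return a list of problems in the SSO payload; an empty list means it matches."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not payloads:
        return ["no Extensible SSO payload in profile"]
    problems = []
    for p in payloads:
        if p.get("Type") != "Credential":
            problems.append(f"Type is {p.get('Type')!r}, expected 'Credential'")
        if p.get("ExtensionIdentifier") != EXPECTED_EXTENSION_ID:
            problems.append(f"unexpected ExtensionIdentifier {p.get('ExtensionIdentifier')!r}")
        if p.get("Realm") != EXPECTED_REALM:
            problems.append(f"Realm is {p.get('Realm')!r}, expected {EXPECTED_REALM!r}")
        hosts = p.get("Hosts", [])
        for host in hosts:
            # Domains must be entered without the protocol scheme (or any path).
            if "://" in host or "/" in host:
                problems.append(f"host {host!r} must be a bare domain")
        if org_domain.lower() not in [h.lower() for h in hosts]:
            problems.append(f"Okta org domain {org_domain!r} missing from Hosts")
        team = p.get("TeamIdentifier")  # optional on this page
        if team is not None and len(team) != 10:
            problems.append("TeamIdentifier must be 10 characters")
    return problems

def sample_profile(**overrides):
    """Constructed sample profile for the demo, not exported from a real tenant."""
    sso = {"PayloadType": SSO_PAYLOAD_TYPE, "Type": "Credential",
           "ExtensionIdentifier": EXPECTED_EXTENSION_ID,
           "Realm": EXPECTED_REALM, "Hosts": ["yourdomain.example.com"]}
    sso.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [sso]})

if __name__ == "__main__":
    domain = "yourdomain.example.com"
    print(check_sso_profile(sample_profile(), domain))
    # A domain entered with its scheme is reported twice: bad host, org domain missing.
    for problem in check_sso_profile(sample_profile(Hosts=["https://" + domain]), domain):
        print("PROBLEM:", problem)
```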